CVE-2020-35846 PoC — Agentejo Cockpit SQL Injection Vulnerability

Source
Associated Vulnerability
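Title: Agentejo Cockpit SQL Injection Vulnerability (CVE-2020-35846)
Description: Agentejo Cockpit is a content management system from the German company Agentejo for managing structured website content. Versions of Agentejo Cockpit before 0.11.2 contain an SQL injection vulnerability, which stems from allowing NoSQL injection through the check function of the Auth.php controller.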
Description
Cockpit CMS 0.11.1 NoSQL Injection to Remote Code Execution
Readme
# Cockpit CMS NoSQL Injection to Remote Code Execution : CVE-2020-35846  
***
## Description
Cockpit CMS has several NoSQL injection vulnerabilities that can be used to dump users' information. These information disclosures can be chained together to change users' passwords, which leads to `Remote Code Execution` on the server.  
A brief description of all these vulnerabilities can be found [here](https://swarm.ptsecurity.com/rce-cockpit-cms/).  
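
A defensive check for the class of flaw described above, as an added example that is not part of the original README or of the Cockpit code base: it rejects login payloads whose credential fields are not plain strings or that carry `$`-prefixed query-operator keys. The `auth`/`user`/`password` field names, the `$op` key and the sample bodies are assumptions constructed for illustration.

```python
import json

# Credential fields a login handler is assumed to accept (hypothetical names).
CREDENTIAL_FIELDS = ("user", "password")


def find_operator_keys(value, path=""):
    """Return the path of every dict key that starts with '$' (a query operator)."""
    hits = []
    if isinstance(value, dict):
        for key, child in value.items():
            child_path = f"{path}.{key}" if path else str(key)
            if str(key).startswith("$"):
                hits.append(child_path)
            hits.extend(find_operator_keys(child, child_path))
    elif isinstance(value, list):
        for i, child in enumerate(value):
            hits.extend(find_operator_keys(child, f"{path}[{i}]"))
    return hits


def validate_auth_payload(raw_body):
    """Return (ok, reasons); ok is True only when every credential is a plain string."""
    try:
        body = json.loads(raw_body)
    except ValueError:
        return False, ["body is not valid JSON"]
    auth = body.get("auth") if isinstance(body, dict) else None
    if not isinstance(auth, dict):
        return False, ["missing 'auth' object"]
    reasons = []
    for field in CREDENTIAL_FIELDS:
        value = auth.get(field)
        if not isinstance(value, str):
            reasons.append(f"auth.{field} is {type(value).__name__}, expected str")
    reasons += [f"operator key at {p}" for p in find_operator_keys(auth, "auth")]
    return not reasons, reasons


# Constructed sample bodies: an ordinary login, and one where a credential
# arrives as an object with a placeholder operator key instead of a string.
SAMPLES = [
    '{"auth": {"user": "alice", "password": "correct horse"}}',
    '{"auth": {"user": {"$op": "x"}, "password": "x"}}',
]

if __name__ == "__main__":
    for sample in SAMPLES:
        print(validate_auth_payload(sample))
```

Running the same check over logged request bodies also flags past attempts, since a legitimate login never sends an object where a username or password string belongs.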
## Usage   
```bash
┌─[0z09e]─[~/project/CVE-2020-35846]
└──╼ $ python3 exploit.py --help
usage: exploit.py [-h] [--dump_all] URL

_________                __           .__  __    ___________________ ___________
\_   ___ \  ____   ____ |  | ________ |__|/  |_  \______   \_   ___ \_   _____/
/    \  \/ /  _ \_/ ___\|  |/ /\____ \|  \   __\  |       _/    \  \/ |    __)_ 
\     \___(  <_> )  \___|    < |  |_> >  ||  |    |    |   \     \____|        
 \______  /\____/ \___  >__|_ \|   __/|__||__|    |____|_  /\______  /_______  /
        \/            \/     \/|__|                      \/        \/        \/ 

        Cockpit CMS NoSQL Injection to Remote Code Execution : CVE-2020-35846
        POC written by : 0z09e (https://github.com/0z09e)

positional arguments:
  URL         Target URL. Example : http://10.20.30.40/path/to/cockpit

optional arguments:
  -h, --help  show this help message and exit
  --dump_all  Dump all the informations about each and every user.(No password will be changed and no shell will be deployed)
```
- `URL` - The target URL at which `Cockpit CMS` is running.  
- `--dump_all` - Dump all information about every user present on the `CMS`.  

## Example : 
Deploying a `PHP-WebShell` :  

![](./images/image2.png)

Dumping users information :   

![](./images/image1.png)

## Reference
- https://swarm.ptsecurity.com/rce-cockpit-cms
***






File Snapshot

[4.0K] /data/pocs/5d8d6c161d4b23ccb87d519db48bc3c0be949e4a
├── [7.1K] exploit.py
├── [4.0K] images
│   ├── [139K] image1.png
│   └── [102K] image2.png
├── [ 18K] LICENSE
├── [1.8K] README.md
└── [ 9] requirements.txt

1 directory, 6 files