0day.today - Biggest Exploit Database in the World.
Things you should know about 0day.today:
Administration of this site uses the official contacts. Beware of impostors!
- We use one main domain: http://0day.today
- Most of the materials is completely FREE
- If you want to purchase the exploit / get V.I.P. access or pay for any other service,
you need to buy or earn GOLD
Administration of this site uses the official contacts. Beware of impostors!
We DO NOT use Telegram or any messengers / social networks!
Please, beware of scammers!
Please, beware of scammers!
- Read the [ agreement ]
- Read the [ Submit ] rules
- Visit the [ faq ] page
- [ Register ] profile
- Get [ GOLD ]
- If you want to [ sell ]
- If you want to [ buy ]
- If you lost [ Account ]
- Any questions [ admin@0day.today ]
- Authorisation page
- Registration page
- Restore account page
- FAQ page
- Contacts page
- Publishing rules
- Agreement page
Mail:
Facebook:
Twitter:
Telegram:
We DO NOT use Telegram or any messengers / social networks!
You can contact us by:
Mail:
Facebook:
Twitter:
Telegram:
We DO NOT use Telegram or any messengers / social networks!
CF Image Host 1.6.6 Command Injection Vulnerability
CF Image Host 1.6.6 Command Injection Vulnerability Vendor: ==================================== codefuture.co.uk/projects/imagehost Product: =================================== CF Image Host 1.65 - 1.6.6 Archive download listed as: version 1.65 unzips as imagehost 1.6.6 Vulnerability Type: ===================== PHP Command Injection Vulnerability Details: ===================== CF Imagehost allows users who have access to the management area the ability to write directly to the 'set.php' page under the /inc directory that stores setting values for the 'Site Title', 'Site Slogan' etc, this allows a local attacker ability to inject specially crafted PHP command payloads to execute arbitrary operating system commands on the victim host. Possibly leading to privilege escalation, RFI, backdoors etc.. and most likely full compromise of the affected system or shared environment if applicable. PHP Command Injection Exploit code(s): ===================================== Under the setting tab we can inject following below PHP code and it will remain persistent as it is written disk in 'set.php', afterwards when the victim visits the application and click a tab the persistent OS command will be executed. 1) navigate to CF image host settings tab http://localhost/imagehost1.6.6/admin.php?act=set 2) click on admin menu on left and enter your passwords DO NOT click 'Save changes' yet! or you get error message to enter creds 3) now go back to settings tab and click 'General' then inject below PHP code into the 'Site Title' input field 4) now click 'Save Changes', this code will get stored under /inc directory within the 'set.php' PHP file. our PHP injection payload needs the single quotes, double back slashes, semicolons as described below to correctly escape the syntax so we do not break the PHP page and cause errors, our extra \\ quoutes and ; gets removed after injection takes place. some examples... ';echo exec("c:\\Windows\\system32\\calc.exe");'';'; 'set.php' on line 11 then becomes: $settings['SET_TITLE'] = '';echo exec("c:\Windows\system32\calc.exe");'';';'; OR inject CMD to launch chrome.exe etc... ';echo exec("c:\\Program Files (x86)\\Google\\Chrome\\Application\\chrome.exe");'';'; After, click on some tabs above like 'Database' or 'Ban User' and Tada! this will execute our stored PHP command... either running calc.exe or launching Google Chrome. Description: ================================================================ Request Method(s): [+] POST Vulnerable Product: [+] CF Image Host 1.65 - 1.6.6 Vulnerable Parameter(s): [+] 'Site Title', 'Site Slogan' etc.. Affected Area(s): [+] OS # 0day.today [2024-12-25] #