|===========================================================================
| # Exploit Title : Composr 10.0.36 | Remote Code Execution (RCE)
|
| # Author : Ali Seddigh
|
| # Vendor Homepage: https://compo.sr/
|
| # Software Link: https://compo.sr/download.htm
|
| # Version: 10.0.36
|
| # Tested on : [ Windows ~> 10 , Kali Linux ]
|
| # Date : 2021-04-10
|===========================================================================
| << introduction >>
|
| A RCE on Composr CMS has been discovered by BugsBD Private LTD.
| We have a galleries security issue which allows us to upload a PHP file.
| Whenever we upload an image from galleries, Composr allows us to upload only images.
| If we tried to upload a PHP file from galleries uploader it will say someone attempting hacking activities.
| But we have a security issue on the Upload In Bulk section.
| Whenever we check allowed extension in Upload in bulk function we can see PHP is completely prohibited.
| But whenever we tamper the request and change the extension we can see it will upload the PHP file without other or server side verification.
| This allows a user to upload malicious file even when they restricted it.
|
|===========================================================================
| # Steps To Reproduce:
|
| 1. Go to upload galleries.
| 2. Upload a image and tamper the request and change the extension from .jpg to .php
| 3. It will say hacking attempts, check the allowed extension and you can see it's not accepting PHP extension.
| 4. Now go to upload in bulk option.
| 5. Upload a image with PHP codes and tamper the request.
| 6. Change extension from .jpg to .php
| 7. It will get uploaded with the blocked PHP extension.
|===========================================================================
| # Discovered By : Ali Triplex
|===========================================================================