Exploits / Vulnerability Discovered : 2020-04-02 |
Type : webapps |
Platform : php
This exploit / vulnerability Phpfusion 9.03.50 panels.php remote code execution is for educational purposes only and if it is used you will do on your own risk!
[+] Code ...
# Exploit Title: PHP-Fusion 9.03.50 - 'panels.php' Multiple vulnerability
# Google Dork: N/A=20
# Date: 2020-04-01
# Exploit Author: Unkn0wn
# Vendor Homepage: https://www.php-fusion.co.uk
# Software Link: https://www.php-fusion.co.uk/php_fusion_9_downloads.php
# Version: 9.03.50
# Tested on: Ubuntu
# CVE : N/A
---------------------------------------------------------
Code Execution:
This vulnerabilty in "add_panel_form()" function.
in line 527 we can see "eval" tag:
*
eval("?>".stripslashes($_POST['panel_content'])."<?php ");
*
and to this funcation in line 528 - 530 return us payload:
*
$eval =3D ob_get_contents();
ob_end_clean();
echo $eval;
=09=09=09=09=09
*
Demo:
http://localhost/PHP-Fusion/files/administration/panels.php?aid=3Dae28e84e2=
2e900fb§ion=3Dpanelform&action=3Dedit&panel_id=3D4
Cross site-scripting:
In line 532 with POST DATA prin"t panel_content:
"
echo "<p>".nl2br(parse_textarea($_POST['panel_content'], FALSE, FALSE))."</=
p>\n";
"