[CVE-2022–34965] Open Source Social Network 6.3 LTS— Authenticated Unrestricted File Upload (Components)
Description
#OpenTeknik LLC OSSN OPEN SOURCE SOCIAL NETWORK v6.3 LTS was discovered to contain an arbitrary file upload vulnerability via the component /ossn/administrator/com_installer. This vulnerability allows attackers to execute arbitrary code via a crafted PHP file.
Steps to attack:
First, we log in to the OSSN 6.3 as the admin privileges on the administrator page.
And then we proceed towards to menu Components > installer
After that we download the component to our local machine. In this case, I’m using the Languages List component.
When unzipping the theme that we download, we will find the ossn_com.php file in the directory of the theme.
It looks like we can change the content of the ossn_com.php file to PHP reverse shell.
Next, we generate the PHP reverse shell in type PHP PentestMonkey from www.revshells.com.
Edit content of ossn_com.php to PHP reverse shell.
Create an archive in type zip that contains the directory of components.
Proceed towards to menu Components > installer and click on the Browse button.
Choose the archive that we create.
Choose the archive that we create.
Now, our component with the malicious files is all ready to use.
Using netcat to listen for TCP connections on port 443.
Direct access to ossn_com.php file that we edit the content to PHP reverse shell via the link following.
http://<IP>/ossn/components/AvailableLanguages/ossn_com.php
Bravo!, We get the system shell on the web server which uses Open Source Social Network 6.3.
Discoverer:
Grim The Ripper Team by SOSECURE Thailand
