[CVE-2022–34965] Open Source Social Network 6.3 LTS— Authenticated Unrestricted File Upload (Components)


Steps to attack:

First, we log in to the OSSN 6.3 as the admin privileges on the administrator page.


And then we proceed towards to menu Components > installer


After that we download the component to our local machine. In this case, I’m using the Languages List component.


When unzipping the theme that we download, we will find the ossn_com.php file in the directory of the theme.

It looks like we can change the content of the ossn_com.php file to PHP reverse shell.

Next, we generate the PHP reverse shell in type PHP PentestMonkey from www.revshells.com.

Edit content of ossn_com.php to PHP reverse shell.

Create an archive in type zip that contains the directory of components.

Proceed towards to menu Components > installer and click on the Browse button.


Choose the archive that we create.

Choose the archive that we create.

Now, our component with the malicious files is all ready to use.

Using netcat to listen for TCP connections on port 443.

Direct access to ossn_com.php file that we edit the content to PHP reverse shell via the link following.



Bravo!, We get the system shell on the web server which uses Open Source Social Network 6.3.


Grim The Ripper Team by SOSECURE Thailand



Get the Medium app

A button that says 'Download on the App Store', and if clicked it will lead you to the iOS App store
A button that says 'Get it on, Google Play', and if clicked it will lead you to the Google Play store


You get the best out of others when you give the best of yourself