[CVE-2022-34965] Open Source Social Network 6.3 LTS: Authenticated Unrestricted File Upload (Components)

Description

Steps to attack:

First, we log in to OSSN 6.3 with admin privileges on the administrator page.

http://<IP>/ossn/administrator

Then we go to the menu Components > installer.

http://<IP>/ossn/administrator/com_installer

After that, we download the component to our local machine. In this case, I'm using the Languages List component.

https://www.opensource-socialnetwork.org/component/view/5909/languages-list

When we unzip the component that we downloaded, we find the ossn_com.php file in the component's directory.

It looks like we can replace the content of the ossn_com.php file with a PHP reverse shell.

Next, we generate a PHP reverse shell of type PHP PentestMonkey from www.revshells.com.

Edit the content of ossn_com.php so that it contains the PHP reverse shell.

Create a zip archive that contains the component's directory.

Go to the menu Components > installer and click on the Browse button.

http://<IP>/ossn/administrator/com_installer

Choose the archive that we created.

Now our component with the malicious file is ready to use.

Use netcat to listen for TCP connections on port 443.

Directly access the ossn_com.php file, whose content we replaced with the PHP reverse shell, via the following link.

http://<IP>/ossn/components/AvailableLanguages/ossn_com.php

Bravo! We get a system shell on the web server that runs Open Source Social Network 6.3.
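
A pre-install review for the flow above, as an added example that is not part of the original write-up or of OSSN's code: it compares an archive about to be given to the component installer with the copy downloaded from the component's upstream page, byte for byte, and lists changed or added files plus PHP files that call socket or process functions. The sample file contents, `README.txt`, `extra.php` and the list of flagged functions are constructed assumptions.

```python
import io
import re
import zipfile

# PHP calls that open sockets or spawn processes (heuristic list chosen for this example).
RISKY_CALLS = re.compile(rb"\b(fsockopen|proc_open|shell_exec|passthru|popen|system|exec)\s*\(")


def read_archive(archive_bytes):
    """Return {path: content} for every file in a zip archive."""
    with zipfile.ZipFile(io.BytesIO(archive_bytes)) as zf:
        return {i.filename: zf.read(i) for i in zf.infolist() if not i.is_dir()}


def review_component(reference_bytes, candidate_bytes):
    """Compare a candidate component archive with the upstream reference copy."""
    reference = read_archive(reference_bytes)
    report = {"modified": [], "added": [], "risky_calls": {}}
    for path, data in sorted(read_archive(candidate_bytes).items()):
        if path not in reference:
            report["added"].append(path)
        elif data != reference[path]:
            report["modified"].append(path)
        if path.lower().endswith(".php"):
            hits = sorted({m.decode() for m in RISKY_CALLS.findall(data)})
            if hits:
                report["risky_calls"][path] = hits
    return report


def make_zip(files):
    """Build an in-memory zip from {path: bytes} for the constructed samples below."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for path, data in files.items():
            zf.writestr(path, data)
    return buf.getvalue()


# Constructed sample data: inert stand-ins, not the real component's files.
DIR = "AvailableLanguages/"
UPSTREAM = make_zip({DIR + "ossn_com.php": b"<?php /* original loader */",
                     DIR + "README.txt": b"language list"})
TAMPERED = make_zip({DIR + "ossn_com.php": b"<?php $s = fsockopen($h, $p); proc_open($c, $d, $x);",
                     DIR + "README.txt": b"language list",
                     DIR + "extra.php": b"<?php /* added file */"})

if __name__ == "__main__":
    print(review_component(UPSTREAM, TAMPERED))
```

Any entry under `modified` or `risky_calls` for `ossn_com.php` is a reason to stop the install and inspect the file by hand; the function list is a triage heuristic, so an empty `risky_calls` does not clear a modified file.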

Discoverer:

Grim The Ripper Team by SOSECURE Thailand
