| 제목 | Vvveb 1.0.5 Privilege Escalation to RCE |
|---|
| 설명 | Description
Admins have access to modify the code of plugins and run it without any validation in place to prevent malicious code execution. An authenticated admin can modify plugins through this endpoint: [/vadmin123/index.php?module=editor/code&type=themes].
Through this endpoint, you can modify code of a PHP file (theme.php) to gain shell access on the webserver.
Reproduce
To reproduce RCE, open the following endpoint:
/vadmin123/index.php?module=editor/code&type=themes
Find and edit theme.php, replace its code with the following shell:
https://gist.github.com/0xHamy/f16fb399f8dd3a973acadc18fa07b1cb
Remember to replace the IP and port with the IP and port of your listener, you can use a listener such as netcat.
Save the PHP file and run it by opening the following page:
/vadmin123/index.php?module=editor/editor&url=/&template=index.html
Watch your netcat listener and you will get a reverse shell connection:
$ nc -lnvp 6060
Listening on x.x.x.x 6060
Connection received on 127.0.0.1 33862
Linux hx0 6.8.0-51-generic #52-Ubuntu SMP PREEMPT_DYNAMIC Thu Dec 5 13:09:44 UTC 2024 x86_64 Linux
sh: w: not found
uid=82(www-data) gid=82(www-data) groups=82(www-data),82(www-data)
/bin/sh: can't access tty; job control turned off
/ $
|
|---|
| 원천 | ⚠️ https://hkohi.ca/vulnerability/8 |
|---|
| 사용자 | 0xHamy (UID 88518) |
|---|
| 제출 | 2025. 07. 29. PM 08:19 (9 개월 ago) |
|---|
| 모더레이션 | 2025. 08. 04. AM 08:27 (6 days later) |
|---|
| 상태 | 수락 |
|---|
| VulDB 항목 | 318644 [givanz Vvveb 1.0.5 Code Editor code.php save 권한 상승] |
|---|
| 포인트들 | 19 |
|---|