Description: This is a manual way (without using metasploit) of exploiting the CVE 2019-9581 or EDB-ID:46486 vulnerablity.
Please note the original credit of finding this vulnerability goes to AKKUS ---> https://www.exploit-db.com/?author=9483.
The vulnerability requires authenticated user (admin login) as a pre-req. After logging as ADMIN, the user can upload a malicious php script by exploiting arbitrary file upload vulnerability in ico file upload section.
-
Login to the Booked Scheduler 2.7.5 web portal.
-
Navigate to manage_theme.php page.
-
Under Favicon section, upload your malicious php script e.g. I am uploading a file rce.php Also, I am using Burp to intercept my request, although Burp part is not necessary.
-
The file is ready to be uploaded. The highlighted section shows the contents of codeexec.php. You can grab this codeexec.php from here -> https://raw.githubusercontent.com/F-Masood/php-backdoors/main/rce.php
-
Navigate to custom-favicon.php file, give some command as input and you have achieved RCE. Wohoooo!!!
