webPromedium

KnowledgeForge — File Upload RCE via MIME Type Confusion

hackadvisor

Task: PHP knowledge base platform (KnowledgeForge v2.4.1, based on phpMyFAQ) behind nginx reverse proxy with restrictive location matching that blocks direct access to all routes. Solution: Bypassed nginx routing via double-slash prefix (//index.php/), then exploited CVE-2024-28105 by injecting .php into the lang parameter of category image upload with a GIF polyglot webshell, achieving RCE as root.

$ ls tags/ techniques/

rce php file_upload webshell apache nginx gif_polyglot decoy_flag reverse_proxy mime_type path_normalization phpmyfaq cve_2024_28105 lang_parameter_injection nginx_location_bypass double_slash category_image

decoy_flag_identificationproxy_backend_routing_desyncnginx_double_slash_location_bypassgif_polyglot_php_webshellmime_type_confusion_extension_bypasslang_parameter_filename_injectioncve_2024_28105_phpmyfaq_rce

Analysis

Lorem ipsum dolor sit amet, consectetur adipiscing elit. Sed do eiusmod tempor incididunt ut labore et dolore magna aliqua. Ut enim ad minim veniam, quis nostrud exercitation ullamco laboris nisi ut aliquip ex ea commodo consequat.

$ python3 exploit.py --target 192.168.1.1 --port 8080
[*] Connecting to target...
[+] Shell obtained!

Excepteur sint occaecat cupidatat non proident, sunt in culpa qui officia deserunt mollit anim id est laborum.

🔒

Permission denied (requires tier.pro)

Sign in to access full writeups

$sign in

$ grep --similar

Similar writeups

[web][Pro]Lab 254 — PageForge — ZIP Upload File Type Bypass to RCE— hackadvisor
[web][Pro]PageForge— hackadvisor
[web][Pro]Lab 94 — MediaForge — ImageMagick Command Injection via File Upload (ImageTragick)— hackadvisor
[web][Pro]BillForge — LFI to RCE via Nginx Log Poisoning— hackadvisor
[web][Pro]Lab 25 — DocuForge — RCE via Dompdf Font Cache Exploitation— hackadvisor