Codoforum

Codoforum / CODOLOGIC exposes a PHP forum on HTTP. If the admin account is still using default credentials, the admin panel can be used to permit PHP uploads and upload a webshell as the forum logo.
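
A defender-side check for the logo-upload path described above, added here as an example and not taken from the original notes or from Codoforum: it walks an image upload directory and flags anything that is not a plain image. The directory to scan is supplied by the caller (the notes do not give the upload path), and the extension list and the sample files are assumptions constructed for the demonstration.

```python
import os
import tempfile

# Extensions commonly mapped to the PHP handler (assumption: match this to the server's config).
SCRIPT_EXTS = {".php", ".phtml", ".phar", ".php5", ".php7", ".pht"}

# Magic bytes of the image types a forum logo is expected to be.
IMAGE_MAGIC = (b"\x89PNG\r\n\x1a\n", b"\xff\xd8\xff", b"GIF87a", b"GIF89a")


def audit_upload_dir(root):
    """Return sorted (relative_path, reason) findings for files that do not belong in an image upload directory."""
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            rel = os.path.relpath(path, root)
            with open(path, "rb") as fh:
                head = fh.read(4096)
            # Check every dotted component: "logo.php.png" can still execute under some handler configs.
            parts = {"." + p.lower() for p in name.split(".")[1:]}
            if parts & SCRIPT_EXTS:
                findings.append((rel, "script extension"))
            elif b"<?php" in head:
                findings.append((rel, "PHP open tag in content"))
            elif not head.startswith(IMAGE_MAGIC):
                findings.append((rel, "not a known image type"))
    return sorted(findings)


def build_sample(root):
    """Write a constructed sample upload directory: one clean PNG header and three files that should be flagged."""
    samples = {
        "logo.png": b"\x89PNG\r\n\x1a\n" + b"\x00" * 16,
        "logo.php": b"<?php echo 'constructed sample'; ?>",
        "banner.gif": b"GIF89a<?php echo 'constructed sample'; ?>",
        "notes.txt": b"plain text",
    }
    for name, data in samples.items():
        with open(os.path.join(root, name), "wb") as fh:
            fh.write(data)


if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        build_sample(tmp)
        for rel, reason in audit_upload_dir(tmp):
            print(f"{rel}: {reason}")
```

Any finding in a directory that should hold only images is worth reviewing alongside the admin setting that controls allowed upload types and the admin account's password.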

Discovery

nmap -sC -sV TARGET
# 22/tcp open  ssh     OpenSSH 8.2p1 Ubuntu
# 80/tcp open  http    Apache httpd 2.4.41
# http-title: All topics | CODOLOGIC

Useful pages:

http://TARGET/
http://TARGET/admin/index.php

The front page may identify the software:

Welcome to Codoforum
The only user available to login in the front-end is admin with the password that you set during the installation.

Admin Login

Try the admin panel with default credentials:

URL: http://TARGET/admin/index.php
Username: admin
Password: admin

Admin Upload RCE

Open the global settings page:

Allow PHP file uploads:

Upload a PHP reverse shell as the forum logo:

Trigger the uploaded shell:

Successful shell:

Configuration and Database

Codoforum stores database credentials in:

Useful values:

Connect to MySQL locally:

Enumerate forum users:

Useful rows:

Root Credential Reuse

In this path, the Codoforum database password was reused by root:

References

  • https://www.exploit-db.com/raw/50978
