
CVE-2022-3552 PoC: BoxBilling code issue vulnerability

Source
Associated Vulnerability
Title: BoxBilling code issue vulnerability (CVE-2022-3552)
Description: BoxBilling is open-source billing and client-management software from the BoxBilling individual developer. BoxBilling versions before 0.0.1 contain a security vulnerability caused by not restricting the upload of files of dangerous types.
Description
CVE-2022-3552 RCE with explanation
Readme
# CVE-2022-3552

Two things are required to exploit this vulnerability in BoxBilling: a vulnerable version ("BoxBilling<=4.22.1.5") and *valid admin credentials*. This is an authenticated RCE; without an admin login the vulnerable upload is not reachable by this PoC.



If both conditions hold, follow these steps to get the juicy RCE:

Create a Python virtual environment (Linux):
-      python3 -m venv .venv
-      source .venv/bin/activate



Now install the pwntools library inside it:
-      pip3 install pwntools



If pip fails on missing dependencies, the Debian/Ubuntu package ships pwntools together with its system dependencies:
-      sudo apt update
-      sudo apt install python3-pwntools

Note that an apt-installed package is only visible inside the venv if the venv was created with `--system-site-packages`; otherwise run the script with the system `python3` instead.



A few lines in the script need tweaking before you run it: the ones that set the lhost IP and the port of the listener that will catch the reverse shell. Use an address the target can reach, and start your listener on that address and port before running the exploit.

<img width="457" alt="image" src="https://github.com/user-attachments/assets/d30ec283-71c7-460c-adc3-a70998250d74" />




If you did all of that correctly, you can now run the exploit and catch a shell on your listener.
(-d = target URL, -u = a valid admin email, -p = that admin's password)
-      python3 CVE-2022-3552.py -d http://victimtarget.com -u adminxd123@gmail.com -p enterpassword1HERE
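The root cause named in the advisory description is an upload path that does not restrict dangerous file types; with admin credentials that is what turns a file upload into code execution. The block below is an added example of the validation such an upload handler needs. It is not BoxBilling's code (BoxBilling is PHP) and not part of this PoC; the allowlist, the denylist of executable extensions and the magic-byte table are assumptions chosen for illustration, and the sample uploads at the bottom are constructed.

```python
"""Allowlist-based upload validation with content sniffing.

Added example: a Python model of the check an upload handler needs so that a
"dangerous type" file (PHP, .htaccess, ...) cannot be stored where the web server
may execute it. Not BoxBilling's code and not part of the PoC; the lists and the
magic-byte table are assumptions chosen for illustration.
"""
import os
import secrets

# Assumed allowlist: the only types this upload feature is meant to accept.
ALLOWED_EXTENSIONS = {"jpg", "jpeg", "png", "gif", "pdf"}

# Assumed denylist of server-side executable or server-configuration extensions.
# These are rejected anywhere in the name, not only at the end: with Apache's
# multi-extension handling a name like "shell.php.jpg" can still run as PHP.
DANGEROUS_EXTENSIONS = {
    "php", "php3", "php4", "php5", "php7", "phtml", "phar", "phps",
    "htaccess", "htpasswd", "cgi", "pl", "py", "sh", "jsp", "asp", "aspx",
}

# Leading bytes each allowed type must start with (constructed table).
MAGIC = {
    "jpg": (b"\xff\xd8\xff",),
    "jpeg": (b"\xff\xd8\xff",),
    "png": (b"\x89PNG\r\n\x1a\n",),
    "gif": (b"GIF87a", b"GIF89a"),
    "pdf": (b"%PDF-",),
}


class UploadRejected(ValueError):
    """Raised with a short reason whenever an upload fails a check."""


def validate_upload(filename: str, content: bytes) -> str:
    """Return a server-chosen storage name for an acceptable upload, else raise UploadRejected."""
    # 1. Drop any path the client supplied; only the final component is considered.
    base = os.path.basename(filename.replace("\\", "/"))

    # 2. NUL and other control characters have been used to truncate names in
    #    lower layers ("shell.php\0.jpg"), so they are rejected outright.
    if any(ord(c) < 0x20 for c in base):
        raise UploadRejected("control character in filename")

    parts = base.lower().split(".")
    # Rejects names without an extension and dot-leading names such as ".htaccess".
    if len(parts) < 2 or not parts[0]:
        raise UploadRejected("missing or dot-leading name")

    # 3. Every extension component is checked, case-insensitively.
    for ext in parts[1:]:
        if ext in DANGEROUS_EXTENSIONS:
            raise UploadRejected(f"dangerous extension .{ext}")

    # 4. The final extension must be on the allowlist; a denylist alone is never complete.
    final_ext = parts[-1]
    if final_ext not in ALLOWED_EXTENSIONS:
        raise UploadRejected(f"extension .{final_ext} not allowed")

    # 5. The bytes must match the claimed type; a PHP file renamed to .jpg fails here.
    if not content.startswith(MAGIC[final_ext]):
        raise UploadRejected("content does not match extension")

    # 6. The client never controls the stored path: random name, allowlisted extension.
    return f"{secrets.token_hex(16)}.{final_ext}"


def check_upload(filename: str, content: bytes) -> tuple[bool, str]:
    """Non-raising form: (True, storage_name) or (False, reason)."""
    try:
        return True, validate_upload(filename, content)
    except UploadRejected as exc:
        return False, str(exc)


if __name__ == "__main__":
    # Constructed samples: a webshell under several disguises and one real-looking image.
    samples = [
        ("shell.php", b"<?php system($_GET['c']); ?>"),
        ("shell.php.jpg", b"\xff\xd8\xff\xe0"),
        ("shell.jpg", b"<?php system($_GET['c']); ?>"),
        (".htaccess", b"AddType application/x-httpd-php .jpg\n"),
        ("photo.jpg", b"\xff\xd8\xff\xe0\x00\x10JFIF"),
    ]
    for name, data in samples:
        print(f"{name!r:22} -> {check_upload(name, data)}")
```

The order of the checks matters: the path and control-character checks run before anything is parsed from the name, the denylist runs over every dotted component rather than only the last, and the allowlist plus magic-byte comparison is what actually decides acceptance. Storing under a random server-chosen name removes the last piece of client control over where the file lands.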

File Snapshot

[4.0K] /data/pocs/add9e28a202d6f43632d00c53eb03d149113d69a
├── [6.4K] CVE-2022-3552.py
└── [1.1K] README.md

0 directories, 2 files