Jedox 2022.4.2 – Remote Code Execution via Directory Traversal

• Exploit Database
• 41 阅读

• 作者： Team Syslifters
  日期： 2023-05-05
• 类别：

  • webapps
  平台：

  • php
• 来源：https://www.exploit-db.com/exploits/51424/

• # Exploit Title: Jedox 2022.4.2 - Remote Code Execution via Directory Traversal
  # Date: 28/04/2023
  # Exploit Author: Team Syslifters / Christoph MAHRL, Aron MOLNAR, Patrick PIRKER and Michael WEDL
  # Vendor Homepage: https://jedox.com
  # Version: Jedox 2022.4 (22.4.2) and older
  # CVE : CVE-2022-47875
  
  
  Introduction
  =================
  A Directory Traversal vulnerability in /be/erpc.php allows remote authenticated users to execute arbitrary code. To exploit the vulnerability, the attacker must have the permissions to upload files.
  
  
  Write-Up
  =================
  See [Docs Syslifters](https://docs.syslifters.com/) for a detailed write-up on how to exploit vulnerability.
  
  
  Proof of Concept
  =================
  1) This vulnerability can be exploited by first uploading a file using one of the existing file upload mechanisms (e.g. Import in Designer). When uploading a file, the web application returns the file system path in the JSON body of the HTTP response (look for `fspath`).
  
  2) Upload a PHP file and note the file system path (`fspath`)
  
  3) Get RCE via Directory Traversal
  
  	PATH: /be/erpc.php?c=../../../../../fspath/of/uploaded/file/rce.php
  	METHOD: POST