-
-
Save FlatL1neAPT/c2a339ca76d0db05a281f2e6e77ad56c to your computer and use it in GitHub Desktop.
Rconfig 3.9.4 File Upload RCE
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Remote Code Execution via File Upload (CVE-2020-12255) | |
| The rConfig 3.9.4 is vulnerable to remote code execution due to improper checks/validation via the file upload functionality. | |
| The vendor.crud.php accepts the file upload by checking through content-type and it is not restricting upload by checking the file extension and header. | |
| Due to this flaw, An attacker can exploit this vulnerability by uploading a PHP file that contains arbitrary code (shell) and changing the content-type to `image/gif` in the vendor.crud.php. | |
| since the validation checks are happening through content-type the server would accept the PHP file uploaded ultimately resulting code execution upon the response when invoked. | |
| Steps To Reproduce-: | |
| 1. Login to the application. | |
| 2. Go to https://ip-rconfig/vendors.php and click on ‘Add Vendor’. | |
| 3. Click on the browse, upload PHP file that contains backdoor or shell and Intercept the request using burp suite. | |
| 4. Now Change the `Content-Type` to `image/gif`. | |
| 5. Go to https://ip-rconfig/images/vendor/shell.php?cmd=whoami | |
| Note:- shell.php is a uploaded file |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment