Rconfig 3.9.4 File Upload RCE
Remote Code Execution via File Upload (CVE-2020-12255)
rConfig 3.9.4 is vulnerable to remote code execution because the file upload functionality does not properly validate what is uploaded.
vendor.crud.php accepts an upload after checking only the request's Content-Type header; it does not restrict uploads by checking the file extension or the file header (magic bytes).
Because of this flaw, an attacker can upload a PHP file containing arbitrary code (a shell) and simply change the Content-Type of the request to `image/gif` when it is sent to vendor.crud.php.
Since validation relies solely on the Content-Type, the server accepts the PHP file, and the code is executed when the uploaded file is later requested.
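The root cause described above is a server that trusts a header the client controls. The following Python sketch is an added illustration, not rConfig's own vendor.crud.php code: `weak_accepts` mirrors the Content-Type-only pattern the advisory describes, and `hardened_accepts` shows the checks a validator should make instead (last-extension allowlist, rejection of double extensions such as `shell.php.gif`, and magic-byte sniffing that must agree with the extension). Function names, the allowlist and the sample bytes are assumptions made for the example.

```python
"""Added example (not rConfig code): Content-Type-only upload check vs. a
validator that inspects the filename and the file's actual bytes."""
import os
import secrets

# Assumed allowlist for an image-upload endpoint
ALLOWED_EXTENSIONS = {"gif", "png", "jpg", "jpeg"}

# Leading bytes of the formats we accept; anything else is rejected
MAGIC = {
    b"GIF87a": "gif",
    b"GIF89a": "gif",
    b"\x89PNG\r\n\x1a\n": "png",
    b"\xff\xd8\xff": "jpg",
}


def weak_accepts(filename, content_type, data):
    """The flawed pattern: only the client-supplied Content-Type header is
    consulted. The filename and the bytes are never looked at, so a PHP
    file sent with 'image/gif' passes."""
    return content_type in ("image/gif", "image/png", "image/jpeg")


def sniff_type(data):
    """Return the format implied by the file's magic bytes, or None."""
    for magic, kind in MAGIC.items():
        if data.startswith(magic):
            return kind
    return None


def hardened_accepts(filename, content_type, data):
    """Server-side validation that ignores Content-Type entirely."""
    base = os.path.basename(filename)
    if "." not in base:
        return False
    parts = base.split(".")
    ext = parts[-1].lower()
    # 1. The last extension must be on the allowlist.
    if ext not in ALLOWED_EXTENSIONS:
        return False
    # 2. Reject double extensions like 'shell.php.gif': some web server
    #    configurations pick the script handler from an inner extension.
    if any(p.lower().startswith("php") for p in parts[1:-1]):
        return False
    # 3. The bytes must really be the image format the extension claims.
    kind = sniff_type(data)
    if kind is None:
        return False
    if kind == "jpg":
        return ext in ("jpg", "jpeg")
    return kind == ext


def server_side_name(ext):
    """Never keep the client's filename: store under a random name with the
    validated extension, in a directory where script execution is disabled."""
    return f"{secrets.token_hex(16)}.{ext.lower()}"


if __name__ == "__main__":
    # Constructed sample: a PHP file labelled as a GIF by the client
    php_payload = b"<?php echo 'hello'; ?>"
    print("weak    :", weak_accepts("shell.php", "image/gif", php_payload))
    print("hardened:", hardened_accepts("shell.php", "image/gif", php_payload))
```

Even with these checks, a valid image can carry PHP text after its header, so the validation is only half of the fix: the stored file must get a server-chosen name and extension (`server_side_name`), and the upload directory must not be served with a script handler enabled.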
Steps to reproduce:
1. Login to the application.
2. Go to https://ip-rconfig/vendors.php and click on ‘Add Vendor’.
3. Click on Browse, upload a PHP file that contains a backdoor or shell, and intercept the request using Burp Suite.
4. Now Change the `Content-Type` to `image/gif`.
5. Go to https://ip-rconfig/images/vendor/shell.php?cmd=whoami
Note: shell.php is the uploaded file.
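From the defender's side, the final step above leaves a distinctive trace: a script being served out of the `images/vendor/` upload directory. The following Python detector is an added example, not part of the advisory or of rConfig; it parses Combined Log Format lines and flags any request whose path sits under that directory and ends in a script extension. The log lines are constructed for the example, and the upload directory, extension set and function names are assumptions.

```python
"""Added example (not rConfig code): flag web-server log entries that
request a script from the image upload directory named in the advisory."""
import re
from urllib.parse import parse_qs, urlsplit

UPLOAD_DIR = "/images/vendor/"  # upload location the advisory points at
SCRIPT_EXTENSIONS = {"php", "phtml", "php3", "php4", "php5", "phar"}

# Combined Log Format: ip ident user [ts] "METHOD target PROTO" status size
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) (?P<size>\S+)'
)

# Constructed sample log; the last two requests are what we want to catch
SAMPLE_LOG = """\
10.0.0.5 - - [22/Jan/2021:10:00:01 +0000] "GET /images/vendor/logo.gif HTTP/1.1" 200 812
10.0.0.9 - - [22/Jan/2021:10:00:07 +0000] "GET /vendors.php HTTP/1.1" 200 5120
10.0.0.9 - - [22/Jan/2021:10:00:12 +0000] "GET /images/vendor/shell.php?cmd=whoami HTTP/1.1" 200 23
10.0.0.7 - - [22/Jan/2021:10:05:40 +0000] "GET /images/vendor/probe.PHTML HTTP/1.1" 404 196
"""


def parse_line(line):
    """Return the log fields as a dict, or None for lines we cannot parse."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def is_script_in_upload_dir(path):
    """True when the path is inside UPLOAD_DIR and its last extension is a
    script extension (compared case-insensitively)."""
    if not path.startswith(UPLOAD_DIR):
        return False
    name = path.rsplit("/", 1)[-1]
    ext = name.rsplit(".", 1)[-1].lower() if "." in name else ""
    return ext in SCRIPT_EXTENSIONS


def find_upload_dir_script_hits(log_text):
    """Scan log text and return one record per suspicious request.
    'executed' is True when the server answered 200, i.e. the script ran
    rather than being blocked or missing."""
    hits = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        url = urlsplit(rec["target"])
        if is_script_in_upload_dir(url.path):
            hits.append({
                "ip": rec["ip"],
                "ts": rec["ts"],
                "path": url.path,
                "params": parse_qs(url.query),
                "status": int(rec["status"]),
                "executed": rec["status"] == "200",
            })
    return hits


if __name__ == "__main__":
    for hit in find_upload_dir_script_hits(SAMPLE_LOG):
        print(hit)
```

A 200 response to such a request is the high-severity case (the file existed and was executed); 403 or 404 responses still indicate probing and are worth correlating with preceding POSTs to the vendor upload form from the same source address.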
@F-Masood F-Masood commented Jan 22, 2021

  1. If you don't have admin panel credentials.
  2. You can try using this exploit-> https://www.exploit-db.com/exploits/48878
  3. Select option 2 after running the above exploit script and this should update the password of admin user to Testing1@
  4. And if successful, you can do the above mentioned Arbitrary File Upload vulnerability thing.
@farid007 farid007 commented Mar 19, 2021

Thank you F-Masood.
