Skip to content

Instantly share code, notes, and snippets.

Embed
What would you like to do?
Rconfig 3.9.4 File Upload RCE
Remote Code Execution via File Upload (CVE-2020-12255)
The rConfig 3.9.4 is vulnerable to remote code execution due to improper checks/validation via the file upload functionality.
The vendor.crud.php accepts the file upload by checking through content-type and it is not restricting upload by checking the file extension and header.
Due to this flaw, An attacker can exploit this vulnerability by uploading a PHP file that contains arbitrary code (shell) and changing the content-type to `image/gif` in the vendor.crud.php.
since the validation checks are happening through content-type the server would accept the PHP file uploaded ultimately resulting code execution upon the response when invoked.
Steps To Reproduce-:
1. Login to the application.
2. Go to https://ip-rconfig/vendors.php and click on ‘Add Vendor’.
3. Click on the browse, upload PHP file that contains backdoor or shell and Intercept the request using burp suite.
4. Now Change the `Content-Type` to `image/gif`.
5. Go to https://ip-rconfig/images/vendor/shell.php?cmd=whoami
Note:- shell.php is a uploaded file
@F-Masood
Copy link

F-Masood commented Jan 22, 2021

  1. If you don't have admin panel credentials.
  2. You can try using this exploit-> https://www.exploit-db.com/exploits/48878
  3. Select option 2 after running the above exploit script and this should update the password of admin user to Testing1@
  4. And if successful, you can do the above mentioned Arbitrary File Upload vulnerability thing .

@farid007
Copy link
Author

farid007 commented Mar 19, 2021

Thank you F-Masood.

@EricoCartmanez
Copy link

EricoCartmanez commented May 7, 2021

@F-Masod thanx

@F-Masood
Copy link

F-Masood commented May 8, 2021

@zztczcx
Copy link

zztczcx commented May 9, 2021

Good, it works

@F-Masood
Copy link

F-Masood commented May 12, 2021

̿̿ ̿̿ ̿̿ ̿'̿'\̵͇̿̿\з= ( ▀ ͜͞ʖ▀) =ε/̵͇̿̿/’̿’̿ ̿ ̿̿ ̿̿ ̿̿

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment