b2evolution 6.8.8 Shell Upload

Published
Credit
Risk
2017.03.15
@rungga_reksya, @dvnrcy, @yokoacc
High
CWE
CVE
Local
Remote
CWE-264
N/A
No
Yes

# Exploit Title: Remote File Upload Vulnerability in b2evolution 6.8.8
# Google Dork: no
# Date: 14-03-2017
# Exploit Author: @rungga_reksya, @dvnrcy, @yokoacc
# Vendor Homepage: http://b2evolution.net
# Software Link: http://b2evolution.net/downloads/6-8-8?download=6883
# Version: 6.8.8 Stable
# Tested on: Windows Server 2012 Datacenter Evaluation
# CVE : no

I. Background:
b2evolution is a tool that allows you to build your own website. This ranges from just a home page to a full featured site with multiple blogs, forums for your user community and structured content such as manuals or knowledge bases. Additionally, b2evolution allows you to send newsletters to your user community and members can send private messages to each other.

II. Description:
Unrestricted file upload vulnerability in afile uploada modules in B2evolution CMS 6.8.8 allows authenticated user to upload malicious code (shell), even though in the system has restricted extension (php).

III. Exploit:
In this case, we have privilege as administrators and then access to afiles menua (http://HOST/b2evolution/admin.php?ctrl=files). Choose your directory and upload your shell with php extension.

e.g you choose aadmina folder, so access your shell such as:
http://HOST/b2evolution/media/users/admin/[YOUR_SHELL]

IV. Thanks to:
- Alloh SWT
- MyBoboboy
- @yokoacc, @dvnrcy
- Komunitas IT Auditor & IT Security Kaskus
Refer to:Remote File Upload Vulnerability in b2evolution 6.8.8


Remote File Upload Vulnerability in b2evolution 6.8.8
# Exploit Title: Remote File Upload Vulnerability in b2evolution 6.8.8 # Google Dork: no # Date: 14-03-2017 # Ex... | |


See this note in RAW Version

 
Bugtraq RSS
Bugtraq
 
CVE RSS
CVEMAP
 
REDDIT
REDDIT
 
DIGG
DIGG
 
LinkedIn
LinkedIn


Copyright 2017, cxsecurity.com