Selasa, 14 Maret 2017

Remote File Upload Vulnerability in b2evolution 6.8.8

# Exploit Title: Remote File Upload Vulnerability in b2evolution 6.8.8
# Google Dork: no
# Date: 14-03-2017
# Exploit Author: @rungga_reksya, @dvnrcy, @yokoacc
# Vendor Homepage: http://b2evolution.net
# Software Link: http://b2evolution.net/downloads/6-8-8?download=6883
# Version: 6.8.8 Stable
# Tested on: Windows Server 2012 Datacenter Evaluation
# CVE : no

I. Background:
b2evolution is a tool that allows you to build your own website. This ranges from just a home page to a full featured site with multiple blogs, forums for your user community and structured content such as manuals or knowledge bases. Additionally, b2evolution allows you to send newsletters to your user community and members can send private messages to each other.

II. Description:
Unrestricted file upload vulnerability in “file upload” modules in B2evolution CMS 6.8.8 allows authenticated user to upload malicious code (shell), even though in the system has restricted extension (php).

III. Exploit:
In this case, we have privilege as administrators and then access to “files menu” (http://HOST/b2evolution/admin.php?ctrl=files). Choose your directory and upload your shell with php extension.

e.g you choose “admin” folder, so access your shell such as:
http://HOST/b2evolution/media/users/admin/[YOUR_SHELL]

IV. Thanks to:
- Alloh SWT
- MyBoboboy
- @yokoacc, @dvnrcy
- Komunitas IT Auditor & IT Security Kaskus





V. Screenshot/POC:


php extension was blocked

determine your directory

succeed to upload shell

take over operating system server
 

2 komentar:

jibrilhp mengatakan...

Mantaplah pak Rungga :)

Unknown mengatakan...

Pliss contoh dorknya gan thx :)