Filiplain/LFI-to-RCE-SE-Suite-2.0
Remote Code Execution in SoftExpert Excellence Suite 2.0 - CVE-2023-30330

Authenticated Local File Inclusion to Remote Code Execution on SoftExpert Excellence Suite EQM.

CVE-2023-30330

  • SE Suite 2.x versions before 2.1.3
  • Tested on versions: 2.0.15.31 and 2.0.15.115

LFI PoC

https://github.com/Filiplain/LFI-to-RCE-SE-Suite-2.0/tree/main/PoC

1- Local File Inclusion:

The researcher found that the PHP script "/se/v42300/generic/gn_defaultframe/2.0/defaultframe_filter.php" includes a file with the ".inc" extension whose path is supplied, base64-encoded, in the "managerPath" parameter of a POST request. By replacing the ".inc" path with, for example, "C:\windows\win.ini", base64-encoding it again and sending it in the same parameter, the contents of that file are returned from the system.

"defaultframe_filter.php" includes the file with "require_once()", which executes the included file as PHP. An attacker who can get PHP code written into a log file that the script can reach (log poisoning) can therefore turn this Local File Inclusion into Remote Code Execution.

2- Remote Code Execution:

  • We can include and read PHP error logs.
  • We can use require_once() to execute PHP code.
  • We need to insert PHP code into the error logs.

Analysing "user_action.php", which handles the upload of a new profile picture, shows that uploading an invalid or malicious image makes the page respond with an error 401. Reading the logs after triggering the error shows that request details, including the "Referer" header, are logged. Knowing this, PHP code placed in the "Referer" header ends up in the error log.

After uploading the malicious image with PHP code in the Referer header, reading the logs again confirms the log poisoning.

Including the poisoned log through the Local File Inclusion now executes the injected code. Command: whoami
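A detection-side companion to the two steps above, added here as an example and not part of this repository or its PoC: it flags POST requests to defaultframe_filter.php whose base64 managerPath decodes to anything other than a relative .inc path, and any request whose Referer header carries a PHP open tag. The request dicts, the eqm.example host and the /se/user_action.php path are constructed for the example.

```python
import base64
import binascii
import posixpath
import re
from urllib.parse import parse_qs, urlencode

INCLUDE_ENDPOINT = "/se/v42300/generic/gn_defaultframe/2.0/defaultframe_filter.php"
PHP_TAG = re.compile(r"<\?(php|=)?", re.IGNORECASE)  # PHP open tag inside a header value

def decode_manager_path(encoded: str):
    """Decode the base64 managerPath value; None when it is not valid base64."""
    try:
        return base64.b64decode(encoded, validate=True).decode("utf-8", "replace")
    except (binascii.Error, ValueError):
        return None

def check_manager_path(decoded: str):
    """Why the decoded include path should never reach require_once(), else None."""
    path = decoded.replace("\\", "/")  # normalise Windows separators
    if posixpath.isabs(path) or re.match(r"[A-Za-z]:", path):
        return "absolute include path"
    if ".." in path.split("/"):
        return "parent-directory traversal"
    if not path.lower().endswith(".inc"):
        return "include target is not an .inc file"
    return None

def analyze_request(req: dict):
    """Findings for one request: dict with path, body (form-encoded) and referer."""
    findings = []
    if req.get("path") == INCLUDE_ENDPOINT:
        for value in parse_qs(req.get("body", "")).get("managerPath", []):
            decoded = decode_manager_path(value)
            if decoded is None:
                findings.append("managerPath is not valid base64")
            elif reason := check_manager_path(decoded):
                findings.append(reason)
    if PHP_TAG.search(req.get("referer", "")):
        findings.append("PHP open tag in Referer header")
    return findings

# Constructed sample traffic: a benign include, a traversal, a log-poisoning attempt.
SAMPLE_REQUESTS = [
    {"path": INCLUDE_ENDPOINT, "referer": "https://eqm.example/se/home",
     "body": urlencode({"managerPath": base64.b64encode(b"filters/default.inc").decode()})},
    {"path": INCLUDE_ENDPOINT, "referer": "https://eqm.example/se/home",
     "body": urlencode({"managerPath": base64.b64encode(b"C:\\windows\\win.ini").decode()})},
    {"path": "/se/user_action.php", "body": "file=avatar.png",  # hypothetical upload path
     "referer": "https://eqm.example/<?php echo 'poisoned'; ?>"},
]
```

Run `analyze_request` over each entry of a request log exported from the web server or WAF; the second and third samples are the patterns the advisory describes, the first is normal traffic.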
