The files here contain PoCs for CVE-2020-28948 and CVE-2020-28949 that demonstrate remote exploitation.
The server folder contains a simple upload server which uses the vulnerable Archive_Tar library, located in server/Archive. The server accepts a Tar archive from the user, extracts it and stores the contents in the server/uploads/ folder.
To start the server with the vulnerable library:

    cd server
    make build
    make start

To start the server with the patched library:

    cd server
    make build-patched
    make start-patched

Access the remote server through http://localhost:8080
- Navigate to the corresponding PoC folder.
- Specify the target for arbitrary file deletion by modifying $delete_target in create_phar.php
  - To view the confidential secret.md file, delete the .htaccess file
  - To do DoS, delete index.html
- Create exploit.tar:

      make create_exploit

- Upload exploit.tar to the remote server
- Observe the file deletion on the server.
  - Can access http://localhost:8080/uploads/secret.md if .htaccess is deleted.

- Navigate to the corresponding PoC folder.
- Create exploit.tar:

      make create_exploit

- Upload exploit.tar to the remote server
- Observe that shell.php is uploaded.
  - Can access http://localhost:8080/shell.php
  - Achieve some RCE (e.g. execute whoami on the server)
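
A pre-extraction check for archives sent to an upload server like this one, added here as an example and not part of this repository. It relies on the public CVE descriptions: Archive_Tar's phar: filter was case-sensitive (CVE-2020-28948) and did not cover other stream wrappers such as file:// (CVE-2020-28949). Python is used for the scan; `audit_tar`, `build_sample` and the sample entry names are hypothetical.

```python
import io
import re
import tarfile

# Any "scheme://" prefix; case-insensitive so PHAR:// is treated like phar://.
WRAPPER = re.compile(r"^[a-z][a-z0-9+.-]*://", re.IGNORECASE)


def audit_tar(data: bytes) -> list:
    """Return (member name, reason) pairs for entries that should block extraction."""
    findings = []
    with tarfile.open(fileobj=io.BytesIO(data), mode="r:*") as tar:
        for member in tar.getmembers():
            # Check both the entry name and, for links, the link target.
            for field, value in (("name", member.name), ("link target", member.linkname)):
                if WRAPPER.match(value):
                    findings.append((member.name, f"stream wrapper in {field}"))
                elif value.startswith("/") or ".." in value.split("/"):
                    findings.append((member.name, f"path escapes upload dir via {field}"))
    return findings


def build_sample(malicious: bool = True) -> bytes:
    """Constructed test archive; names and targets are illustrative placeholders."""
    entries = [("docs/readme.txt", tarfile.REGTYPE, "")]
    if malicious:
        entries.append(("PHAR://sample.phar/a.txt", tarfile.REGTYPE, ""))
        entries.append(("link", tarfile.SYMTYPE, "file:///tmp/constructed"))
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w") as tar:
        for name, kind, target in entries:
            info = tarfile.TarInfo(name)
            info.type, info.linkname = kind, target
            tar.addfile(info)  # size 0, so no file object is needed
    return buf.getvalue()


if __name__ == "__main__":
    for name, reason in audit_tar(build_sample()):
        print(f"REJECT {name!r}: {reason}")
```

Rejecting the whole upload on any finding is the safer default; the durable fix remains running the patched library build.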