Skip to content

File Upload to RCE in DEXT5Upload 2.7.1402870 by xcuter

kbgsft edited this page Jun 6, 2020 · 6 revisions

1. Summary

  • DEXT5Upload is a web component that can transfer large files.
  • A Remote code execution(RCE) vulnerability exists in DEXT5 Upload 2.7.1402870(last version) and earlier. An attacker can upload a malicious PHP/JSP/ASP/ASPX file via the dext5handler handler. In addition, The recently added SetUploadCheckFileExtension() function can also be bypassed.
  • CVE : CVE-2020-13442

2. Payloads

  • dext5CMD --> uploadPRequest
  • fileToUpload --> filename --> malicious.php
  • fileNameRule --> (null)
  • fileNameRuleEx --> (null)
  • and some...

3. Proof

  • vulnerable version(latest)

  • webshell upload packet (a part of the packet for security)

  • Response packet after upload

  • Launch webshell

4. How to find this vulnerability?

  • The "Web Security Checker" automatically diagnoses vulnerabilities in web services. It can diagnose the following vulnerabilities : SQL Injection, XSS, LFI, RFI, SSRF, File Upload, File Download, XXE, Command Injection, File management, Direcroty Listing, Source Code Disclosure, URL Redirection, Insecure SSL/TLS, Mixed Content, Specific Vulnerabilities(CVE ShellShock, etc.)

  • https://www.ncloud.com/product/security/webSecurityChecker

5. Discoverer