Revisions

  1. @farid007 farid007 revised this gist May 18, 2020. 1 changed file with 3 additions and 0 deletions.
    3 changes: 3 additions & 0 deletions Rconfig File Upload RCE Exploit
    @@ -1,3 +1,6 @@
    Remote Code Execution via File Upload (CVE-2020-12255)


    The rConfig 3.9.4 is vulnerable to remote code execution due to improper checks/validation via the file upload functionality.
    The vendor.crud.php accepts the file upload by checking through content-type and it is not restricting upload by checking the file extension and header.
    Due to this flaw, An attacker can exploit this vulnerability by uploading a PHP file that contains arbitrary code (shell) and changing the content-type to `image/gif` in the vendor.crud.php.
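Review bot: the new title introduces the identifier CVE-2020-12255 without any reference; add a link to the NVD entry or the vendor advisory so the identifier can be verified, and consider carrying the affected version ("rConfig 3.9.4", already stated in the body) into the title. The body's phrase "checking the file extension and header" is also ambiguous, since "header" could mean an HTTP header or the file's leading bytes; say "file signature (magic bytes)" if that is what is meant.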
  2. @farid007 farid007 revised this gist May 18, 2020. 1 changed file with 8 additions and 3 deletions.
    11 changes: 8 additions & 3 deletions Rconfig File Upload RCE Exploit
    @@ -1,14 +1,19 @@
    The rConfig 3.9.4 is vulnerable to remote code execution due to improper checks/validation via the file upload functionality.
    The vendor.crud.php accepts the file upload by checking through content-type and it is not restricting upload by checking the file extension and header.
    Due to this flaw, An attacker can exploit this vulnerability by uploading a PHP file that contains arbitrary code (shell) and changing the content-type to `image/gif` in the vendor.crud.php. since the validation checks are
    happening through content-type the server would accept the PHP file uploaded ultimately resulting code execution upon the response when invoked.
    Due to this flaw, An attacker can exploit this vulnerability by uploading a PHP file that contains arbitrary code (shell) and changing the content-type to `image/gif` in the vendor.crud.php.
    since the validation checks are happening through content-type the server would accept the PHP file uploaded ultimately resulting code execution upon the response when invoked.


    Steps To Reproduce-:

    1. Login with the credential.
    1. Login to the application.

    2. Go to https://ip-rconfig/vendors.php and click on ‘Add Vendor’.

    3. Click on the browse, upload PHP file that contains backdoor or shell and Intercept the request using burp suite.

    4. Now Change the `Content-Type` to `image/gif`.

    5. Go to https://ip-rconfig/images/vendor/shell.php?cmd=whoami

    Note:- shell.php is a uploaded file
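Review bot: the reproduction steps in this revision carry two entries numbered "1." ("Login with the credential." and "Login to the application."), so one of them should be dropped before the list is read as a final procedure. More importantly, step 5 (`https://ip-rconfig/images/vendor/shell.php?cmd=whoami`) shows that the uploaded file is stored under the web root at `images/vendor/` under its original name and is executed as PHP; that is a second weakness distinct from the content-type check and deserves its own sentence in the description and its own remediation item (store uploads outside the web root or in a directory where script execution is disabled, and do not keep the client-supplied file name). The closing note "shell.php is a uploaded file" should read "shell.php is the uploaded file".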
  3. @farid007 farid007 revised this gist May 18, 2020. 1 changed file with 4 additions and 7 deletions.
    11 changes: 4 additions & 7 deletions Rconfig File Upload RCE Exploit
    @@ -1,10 +1,7 @@
    The rConfig 3.9.4 is vulnerable to remote code execution due to improper
    checks/validation via the file upload functionality. The vendor.crud.php
    accepts the file upload by checking through content-type and it is not
    restricting upload by checking the file extension and header. Due to
    this flaw, An attacker can exploit this vulnerability by uploading a PHP file that contains arbitrary code (shell) and changing the content-type to `image/gif` in the vendor.crud.php. since the validation checks are
    happening through content-type the server would accept the PHP file
    uploaded ultimately resulting code execution upon the response when invoked.
    The rConfig 3.9.4 is vulnerable to remote code execution due to improper checks/validation via the file upload functionality.
    The vendor.crud.php accepts the file upload by checking through content-type and it is not restricting upload by checking the file extension and header.
    Due to this flaw, An attacker can exploit this vulnerability by uploading a PHP file that contains arbitrary code (shell) and changing the content-type to `image/gif` in the vendor.crud.php. since the validation checks are
    happening through content-type the server would accept the PHP file uploaded ultimately resulting code execution upon the response when invoked.


    Steps To Reproduce-:
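Review bot: this hunk only re-wraps the description, but the root cause is still stated incompletely: the text says validation happens "through content-type" without noting that the Content-Type of a multipart form part is supplied by the client and can be set to any value, which is exactly why `image/gif` is accepted. Add that sentence, and while the paragraph is being touched fix the stray capitalisation in "Due to this flaw, An attacker" and the lowercase sentence start "since the validation checks are".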
  4. @farid007 farid007 created this gist May 18, 2020.
    17 changes: 17 additions & 0 deletions Rconfig File Upload RCE Exploit
    @@ -0,0 +1,17 @@
    The rConfig 3.9.4 is vulnerable to remote code execution due to improper
    checks/validation via the file upload functionality. The vendor.crud.php
    accepts the file upload by checking through content-type and it is not
    restricting upload by checking the file extension and header. Due to
    this flaw, An attacker can exploit this vulnerability by uploading a PHP file that contains arbitrary code (shell) and changing the content-type to `image/gif` in the vendor.crud.php. since the validation checks are
    happening through content-type the server would accept the PHP file
    uploaded ultimately resulting code execution upon the response when invoked.


    Steps To Reproduce-:

    1. Login with the credential.
    2. Go to https://ip-rconfig/vendors.php and click on ‘Add Vendor’.
    3. Click on the browse, upload PHP file that contains backdoor or shell and Intercept the request using burp suite.
    4. Now Change the `Content-Type` to `image/gif`.
    5. Go to https://ip-rconfig/images/vendor/shell.php?cmd=whoami
    Note:- shell.php is a uploaded file
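Review bot: step 1 ("Login with the credential.") shows the issue is only reachable by an authenticated user, but the advisory never says which role is required to reach vendors.php and add a vendor; state whether any authenticated user or only an administrator can trigger the upload, because that determines the severity rating and which accounts defenders need to monitor. It would also help to say that the `cmd` parameter in step 5 belongs to the tester's own uploaded file, not to rConfig, so that readers do not look for it in the application.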