Found on 16.08.2017 during some research. Maybe you will find it useful.
And, yeah... it's for authenticated users only. Anyway... ;) Have fun.
The version we are talking about is described here.
Going by some Google results, I was wondering whether I would find something similar.
Let's skip the part about the few XSS bugs...
...the result, with HTML injected inside the table:
...some "h4x0r magic" with Burp Free:
...and here we are:
...and, so as not to talk about XSS any more here, one more picture as a hint:
So, let's get back to that "RCE".
The admin panel is vulnerable (I assumed 'for a DoS') to injection. Period.
Check this out:
While testing the webapp available on port 8445/tcp I was wondering why my session (for the logged-in user) was dropped during one payload or another. I logged in to the VM to check the HTTP logs. This is what I found:
So, I was wondering if we could achieve results similar to the bugs described:
- here, as CVE-2017-11392
- here, as CVE-2017-11391
- or here, as CVE-2017-6340
Since we already saw some XSS, let's see what we have here:
After sending some requests I saw this message (and the logged-in session was destroyed):
The next thing I decided to do was to try to escape from the command started by the webapp during the request. One of the example requests is below:
Simple enough to find out that:
So now we are here:
As you can see, the sys_desname parameter is vulnerable to injection.
(P.S. The reason for the 'destroyed session' is in the last line of the picture above ;))
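To make the root cause concrete, here is an added example (my own code, not the appliance's): a hypothetical handler that interpolates `sys_desname` into a shell string next to a hardened version that allow-lists the value and passes it as a separate argv element, plus a small detection pass over constructed log lines. The page does not show which command the webapp actually runs, so `set-hostname` is a placeholder, and every function name here is made up.

```python
import re
import subprocess
from urllib.parse import unquote

# Placeholder for the real command behind the admin panel; the page does not
# show it. Only the parameter name sys_desname comes from the write-up.
PLACEHOLDER_BIN = "set-hostname"

# Allow-list for a hostname-like value: letters, digits, dot, underscore, dash.
SAFE_NAME = re.compile(r"^[A-Za-z0-9][A-Za-z0-9._-]{0,62}$")

# Characters a shell would treat as syntax; used for detection/alerting below.
SHELL_META = re.compile(r"[;&|`$(){}<>\n\\\"']")


def build_command_unsafe(sys_desname):
    """The vulnerable pattern: user input pasted into a shell command string.
    Returned instead of executed, so the reader sees exactly what a shell
    would be handed if this string went through shell=True."""
    return f"{PLACEHOLDER_BIN} --name {sys_desname}"


def build_command_safe(sys_desname):
    """Hardened version: reject anything outside the allow-list, then build an
    argv list so the value is one argument and no shell ever parses it."""
    if not SAFE_NAME.fullmatch(sys_desname):
        raise ValueError("sys_desname contains characters outside the allowed set")
    return [PLACEHOLDER_BIN, "--name", sys_desname]


def is_accepted(sys_desname):
    """Convenience wrapper: True if the hardened builder accepts the value."""
    try:
        build_command_safe(sys_desname)
        return True
    except ValueError:
        return False


def run_safe(sys_desname):
    """Execute the hardened command. shell=False means argv elements are passed
    verbatim to the binary (assumes PLACEHOLDER_BIN exists on the host)."""
    return subprocess.run(build_command_safe(sys_desname), shell=False,
                          check=True, capture_output=True, text=True)


def flag_suspicious(sys_desname):
    """Detection side: True if the decoded value carries shell metacharacters
    that should be logged or alerted on."""
    return SHELL_META.search(sys_desname) is not None


# Extracts the raw (still URL-encoded) sys_desname value from a log line.
PARAM_RE = re.compile(r"sys_desname=([^&\s]*)")


def audit_log(lines):
    """Return the log lines whose sys_desname value looks like an injection attempt."""
    hits = []
    for line in lines:
        m = PARAM_RE.search(line)
        if m and flag_suspicious(unquote(m.group(1))):
            hits.append(line)
    return hits


# Constructed sample log lines (not from the appliance); the second carries
# an encoded ';' which the shell would read as a command separator.
SAMPLE_LOG = [
    "[constructed] POST /admin/sys.cgi sys_desname=gateway-01 200",
    "[constructed] POST /admin/sys.cgi sys_desname=gateway-01%3Becho%20x 200",
]

if __name__ == "__main__":
    print("unsafe string:", build_command_unsafe("gateway-01;echo x"))
    print("safe argv:   ", build_command_safe("gateway-01"))
    print("flagged lines:", audit_log(SAMPLE_LOG))
```

The takeaway is the middle function: validation alone is not enough if the value still ends up inside a shell string, and an argv list alone still lets garbage through to the binary, so the hardened path does both.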