Last time I found an RCE bug in an old Artica Proxy. This time I decided to check the latest one. Below you will find a few results. Here we go...
Today we will start here:
Yep, this is a post-auth RCE, so to continue you'll need the password of the admin user (in this case "Manager").
As you will see below, to achieve RCE in the latest version we need to go to the Dashboard (as a logged-in admin user) and click 'Change' to change the hostname, like this:
(Just like before, I opened the log files to see if there would be a hint for me ;)
To get things done, you now need to go to DNS -> Hosts file and Build the file. Remember that you'll need to wait a little bit for the application to refresh (after each of those requests). The approximate time to get a shell when you have valid credentials is 60 seconds.
Next I decided to use a one-liner. The problem was that I couldn't use a quick (and valid) one directly, so I prepared the bash one-liner as a shell script (hosted on my Kali/Apache server). The next thing was to wget it and run it with bash -interactive ;]
The hostname is edited, so now it's time to "Build the file" ;) Let's do it (with netcat listening on port 443):
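As an added, defender-side illustration (not code from this post or from Artica itself), the Python sketch below shows the check that breaks this class of bug: the hostname accepted from the dashboard is validated against a strict RFC 1123 allow-list and then handed to the OS as a separate argument instead of being interpolated into a shell command line. It assumes the injection happens because the hostname reaches a shell when the hosts file is rebuilt, which the post implies but does not show; the inputs at the bottom are constructed.

```python
import re
import subprocess

# Strict RFC 1123 host-name syntax: labels of letters, digits and hyphens,
# no leading/trailing hyphen, joined by dots, at most 253 characters overall.
_LABEL = r"[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?"
_HOSTNAME_RE = re.compile(rf"^{_LABEL}(?:\.{_LABEL})*$")


class InvalidHostname(ValueError):
    pass


def validate_hostname(name: str) -> str:
    """Return the name if it is a syntactically valid host name, else raise.
    Anything a shell could interpret (spaces, ';', '|', '$', backticks, quotes)
    is outside the allow-list, so a value that passes is safe to pass on."""
    if not isinstance(name, str) or len(name) > 253 or not _HOSTNAME_RE.match(name):
        raise InvalidHostname(f"rejected host name: {name!r}")
    return name


def hosts_file_lines(hostname: str, ip: str = "127.0.1.1") -> list[str]:
    """Build the /etc/hosts lines for a validated host name; no shell involved."""
    validate_hostname(hostname)
    return ["127.0.0.1\tlocalhost", f"{ip}\t{hostname}"]


def set_hostname(hostname: str, dry_run: bool = True) -> list[str]:
    """Apply the host name with an argv list (never shell=True), so even a value
    that somehow slipped past validation is one argument, not a command line."""
    argv = ["hostname", validate_hostname(hostname)]
    if not dry_run:
        subprocess.run(argv, check=True)  # needs root; off by default
    return argv


if __name__ == "__main__":
    # Constructed inputs: a normal name, and one carrying shell metacharacters,
    # the kind of value that becomes a command if concatenated into a shell string.
    for candidate in ("proxy01.example.test", "proxy01; id"):
        try:
            print(hosts_file_lines(candidate))
        except InvalidHostname as exc:
            print("blocked:", exc)
```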
I think that's all for now. ;)
See you next time!
** A working PoC will be disclosed only to Patronite/donate users ;)
...but I believe it's pretty simple to write it if you want it... ;>