Hi. This time we'll talk about one RCE bug I found during research for a pentest done 3 weeks ago. The web app we'll try this time is called Ilias (tested: v5.0.3). Here we go...
Today we'll start here:
To prepare my environment this time I used a Dockerfile, so if you already have Docker installed we can continue from here:
Get Ilias running in Docker on localhost:
When all is prepared we should be ready to log in using the default credentials (in this case 'root:homer'). Here we go:
Of course - to not make IT ;) too simple - let's create a 'normal user' called "tester". Like this:
If it's ready - let's try to log in as our 'tester' user now:
So far so good. So where is the bug?
After a while of using the "tester" account I identified an interesting behaviour in Ilias. Check it out:
When a (normal/registered) user is able to add 'new content' (in our case a 'new blog'), it is possible to exploit it and gain a shell on the remote Ilias installation.
Let's verify that - step 1 for our scenario: "we have a working account in the webapp". ;)
Starting from this point - let's continue with adding new content (mentioned 'Blog'):
Simple. Next step: add a Topic. Let's do it too:
So far so good. What's next? Well. Maybe let's try to add some more content... Images? Let's try here:
Results?
More:
What I observed here is:
When we try to upload a PHP file containing 'revshell();blabla', it is "filtered" (and/or renamed to a .sec file). But if we put something 'valid' (or 'safe' ;)) in front of it - like phpinfo() - our revshell-payload.php file gets uploaded. Check it out:
Uploading:
Looking for results in the source:
Let's verify that:
The version I tried was v5.0.3, but feel free to test it in your installation. :)
Below you'll find it on video:
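The behaviour above suggests a check that looks for known-bad content rather than a positive check of what a valid image is. As an added example (not ILIAS code, and the denylist is only illustrative of that behaviour), this Python puts such a denylist next to an allowlist validator that checks extension, magic bytes and any embedded PHP open tag, then runs both over constructed samples including the 'phpinfo() first' variant:

```python
import re

# Constructed example, not ILIAS code. Allowed image types and the magic
# bytes a file of that type must begin with.
ALLOWED_IMAGES = {
    "png": b"\x89PNG\r\n\x1a\n",
    "jpg": b"\xff\xd8\xff",
    "jpeg": b"\xff\xd8\xff",
    "gif": b"GIF8",
}

# Any PHP open tag ("<?php" or "<?="), anywhere in the body.
PHP_TAG = re.compile(rb"<\?(php\b|=)", re.IGNORECASE)


def weak_filter(data: bytes) -> bool:
    """Illustrative denylist of the kind the post's behaviour suggests: it only
    rejects a body that opens with the known-bad call, so a harmless call placed
    in front of the payload slips straight past it. Returns True = accept."""
    return not data.lstrip().startswith(b"<?php revshell(")


def validate_upload(filename: str, data: bytes) -> tuple[bool, str]:
    """Allowlist check: extension must be an image type, the bytes must carry
    that type's signature, and no PHP open tag may appear anywhere."""
    ext = filename.rsplit(".", 1)[-1].lower() if "." in filename else ""
    if ext not in ALLOWED_IMAGES:
        return False, f"extension '.{ext}' is not an allowed image type"
    if not data.startswith(ALLOWED_IMAGES[ext]):
        return False, f"content does not match the {ext} signature"
    if PHP_TAG.search(data):
        return False, "PHP open tag embedded in image"
    return True, "ok"


# Constructed samples; the second mirrors the post's "phpinfo() first" trick.
SAMPLES = {
    "revshell-payload.php": b"<?php revshell();blabla",
    "prefixed-payload.php": b"<?php phpinfo(); revshell();blabla",
    "photo.png": ALLOWED_IMAGES["png"] + b"\x00" * 16,
    "polyglot.png": ALLOWED_IMAGES["png"] + b"<?php phpinfo(); ?>",
}


def compare() -> dict[str, tuple[bool, bool]]:
    """For each sample: (denylist verdict, allowlist verdict); True = accepted."""
    return {name: (weak_filter(d), validate_upload(name, d)[0])
            for name, d in SAMPLES.items()}
```

Only the genuine PNG passes the allowlist validator, while the denylist accepts the prefixed payload exactly as described in the post.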
Let me know in the comments if it works for (any) other version. Thanks! ;)
See you next time!
Cheers