Jan 18, 2022
How I Get ZeroDay Attack Unrestricted File Upload leads to RCE on one of the Vendors.
Hello, In this article I want to tell you a little about how I accidentally discovered the Unrestricted File Upload attack leads to Remote Code Execution on one of the vendors affected by this attack…
Little Story
Previously, I really didn’t know that those affected by the vulnerability that I found were directed to the main vendor, and because the bug that I found was considered critical, the vendor has updated to protect their clients from the same attack.
Andddd Still. I will do censorship regarding Vendors and other sensitive matters.
Steps to Reproduce
- Here I get a file upload form to fill in our account profile picture
2. And after I filled everything in, I activated Intercept on BurpSuite to take requests from Upload Files earlier
Umbraco is the CMS they use and after this Umbraco path is the path of the Vendor name, so I censored it.
3. And here are the Requests and Responses I got
At this stage I also find it very strange, because we can direct where the files we will upload are just by changing the contents of the “target” parameter, and not only that, in fact I can also directly add folders in this case.
And for the results of the response, we can see that here I get information regarding the Full Path from this website
4. First I tried to change the extension to .html
And after I checked it it worked.
5. Then I tried extensions that are commonly used to bring up Code Execution such as “.asp, .aspx, .config, .ashx, .asmx, .aspq, .axd, .cshtm, .cshtml, .rem, .soap, .vbhtm, .vbhtml, .asa, .cer, .shtml” on Windows Servers
And this failed
6. And I think that there is already a filter extension on this file upload.
Because previously I could change the path related to the files that I would send, so I tried changing the extension and also changing the address of the files that I would send to the main Directory on the website.
And don’t forget to also change the contents of your image into a shell script
Aaaannnnnddd, I managed to get the RCE of this File upload
Timeline
- I report this bug to the owner of the affected website
- I don’t know why I suddenly received an email from one of the developers from the software owner (Vendor) affected by this attack, And they want to send gifts to me.
3. Then I make sure whether this RCE really impacts the Vendor, and Is it true that I have found Zeroday attack RCE on this application.
And below is the answer from the Developer
Reference
I Hope you enjoyed this writeup!!!
