How I Get ZeroDay Attack Unrestricted File Upload leads to RCE on one of the Vendors.

ZeroDay Attack

Hello, In this article I want to tell you a little about how I accidentally discovered the Unrestricted File Upload attack leads to Remote Code Execution on one of the vendors affected by this attack…

Little Story

Previously, I really didn’t know that those affected by the vulnerability that I found were directed to the main vendor, and because the bug that I found was considered critical, the vendor has updated to protect their clients from the same attack.

Andddd Still. I will do censorship regarding Vendors and other sensitive matters.

Steps to Reproduce

1. Here I get a file upload form to fill in our account profile picture

aaaahhhh cute

2. And after I filled everything in, I activated Intercept on BurpSuite to take requests from Upload Files earlier

Umbraco is the CMS they use and after this Umbraco path is the path of the Vendor name, so I censored it.

3. And here are the Requests and Responses I got

Requests

Responses

At this stage I also find it very strange, because we can direct where the files we will upload are just by changing the contents of the “target” parameter, and not only that, in fact I can also directly add folders in this case.

And for the results of the response, we can see that here I get information regarding the Full Path from this website

4. First I tried to change the extension to .html

And after I checked it it worked.

Good start~

5. Then I tried extensions that are commonly used to bring up Code Execution such as “.asp, .aspx, .config, .ashx, .asmx, .aspq, .axd, .cshtm, .cshtml, .rem, .soap, .vbhtm, .vbhtml, .asa, .cer, .shtml” on Windows Servers

Because the server used is “Microsoft-IIS” so I just tried the extension from ASP

And this failed

6. And I think that there is already a filter extension on this file upload.

Hmmmmm

Because previously I could change the path related to the files that I would send, so I tried changing the extension and also changing the address of the files that I would send to the main Directory on the website.

And don’t forget to also change the contents of your image into a shell script

Aaaannnnnddd, I managed to get the RCE of this File upload

Remote Code Execution | I love it!!!!!❤❤

Timeline

1. I report this bug to the owner of the affected website
2. I don’t know why I suddenly received an email from one of the developers from the software owner (Vendor) affected by this attack, And they want to send gifts to me.

3. Then I make sure whether this RCE really impacts the Vendor, and Is it true that I have found Zeroday attack RCE on this application.
And below is the answer from the Developer

Yeayyyyyyy!!!

Reference

File Upload

webshell/webshell.asp at master · tennc/webshell

I Hope you enjoyed this writeup!!!

Follow Me

Caesar Evan Santoso - Jakarta Metropolitan Area | Professional Profile | LinkedIn