CoCalc provides the best real-time collaborative environment for Jupyter Notebooks, LaTeX documents, and SageMath, scalable from individual users to large groups and classes!
Path: blob/master/documentation/modules/exploit/windows/http/flexdotnetcms_upload_exec.md
Vulnerable Application
This module exploits an arbitrary file upload vulnerability (CVE-2020-27386) in FlexDotnetCMS v1.5.8 and prior in order to execute arbitrary commands with elevated privileges.
The module first tries to obtain various tokens required for authentication from /login. Next, the module tries to authenticate via an HTTP POST request to the same destination, followed by an HTTP GET request to /Admin. If authentication is successful, the module uploads a TXT file containing a random string via an HTTP POST request to /Scripts/tinyfilemanager.net/dialog.aspx. The module then loads the uploaded TXT file in the file editor in order to obtain the tokens necessary for renaming it. It then tries to rename the TXT file to an ASP file via an HTTP POST request to /Admin/Views/PageHandlers/FileEditor/Default.aspx. If this succeeds, the target is vulnerable and the ASP file is generated as a copy of the TXT file, which remains on the server. Next, the module sends another request to the file editor to rename the TXT file to an ASP file, this time adding the payload. The module then executes the payload via a simple HTTP GET request to /media/uploads/asp_payload. Finally, the module tries to delete both the uploaded TXT file and the ASP copy from the target.
Valid credentials for a FlexDotnetCMS user with permissions to use the FileManager are required. This attack will normally result in remote code execution with administrator privileges, because the attacker will inherit the privileges of the IIS/IIS Express process, which must run with elevated privileges if configured to allow remote connections. This module has been successfully tested against FlexDotnetCMS v1.5.8 running on Windows Server 2012.
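From the defender's side, the request sequence described above (upload to dialog.aspx, rename through the file editor, then a GET of an .asp file under /media/uploads/) is visible in IIS W3C logs. The following is an added detection example, not part of the module or its documentation; the log lines and the reduced #Fields layout are constructed for illustration.

```python
"""Flag the FlexDotnetCMS upload-and-rename chain in IIS W3C extended logs."""
from collections import defaultdict

# Endpoints named in the module description, compared case-insensitively.
UPLOAD = "/scripts/tinyfilemanager.net/dialog.aspx"
RENAME = "/admin/views/pagehandlers/fileeditor/default.aspx"
EXEC_DIR = "/media/uploads/"

# Constructed sample: one full chain from 10.0.0.9 and one benign editor use from 10.0.0.5.
SAMPLE_LOG = """#Fields: date time cs-method cs-uri-stem c-ip sc-status
2021-03-01 10:00:01 POST /login 10.0.0.9 302
2021-03-01 10:00:02 GET /Admin 10.0.0.9 200
2021-03-01 10:00:03 POST /Scripts/tinyfilemanager.net/dialog.aspx 10.0.0.9 200
2021-03-01 10:00:04 POST /Admin/Views/PageHandlers/FileEditor/Default.aspx 10.0.0.9 200
2021-03-01 10:00:05 POST /Admin/Views/PageHandlers/FileEditor/Default.aspx 10.0.0.9 200
2021-03-01 10:00:06 GET /media/uploads/kqzx.asp 10.0.0.9 200
2021-03-01 10:05:00 POST /Admin/Views/PageHandlers/FileEditor/Default.aspx 10.0.0.5 200
2021-03-01 10:05:03 GET /media/uploads/banner.png 10.0.0.5 200
"""

def parse_w3c(text):
    """Yield one dict per data line, taking column names from the #Fields directive."""
    fields = None
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
            continue
        if not line or line.startswith("#") or fields is None:
            continue
        yield dict(zip(fields, line.split()))

def find_chains(text):
    """Return client IPs whose requests follow upload -> rename -> GET of an .asp in /media/uploads/."""
    stage = defaultdict(int)  # c-ip -> how far along the three-step chain that client is
    flagged = []
    for rec in parse_w3c(text):
        ip, method, stem = rec["c-ip"], rec["cs-method"], rec["cs-uri-stem"].lower()
        if method == "POST" and stem == UPLOAD and stage[ip] == 0:
            stage[ip] = 1
        elif method == "POST" and stem == RENAME and stage[ip] == 1:
            stage[ip] = 2
        elif (method == "GET" and stem.startswith(EXEC_DIR)
              and stem.endswith(".asp") and stage[ip] == 2):
            flagged.append(ip)
            stage[ip] = 0  # reset so a repeated chain from the same client is flagged again
    return flagged

if __name__ == "__main__":
    print(find_chains(SAMPLE_LOG))  # ['10.0.0.9']
```

A benign editor session that renames files but never requests a newly created .asp under /media/uploads/ is not flagged, as the 10.0.0.5 lines show.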
Vulnerable software for testing is available on GitHub here. Detailed installation instructions are available here. As the instructions mention, FlexDotnetCMS requires the following dependencies:
.NET Framework 4.5.2
Visual Studio 2015 (Free Community Edition works)
MS SQL Server (Express) 2012 +
IIS (Express) 8 +
Verification Steps
Install the module as usual
Start msfconsole
Do: use exploit/multi/http/FlexDotnetCMS_upload_exec
Do: set RHOSTS [IP]
Do: set USERNAME [username for the FlexDotnetCMS account]
Do: set PASSWORD [password for the FlexDotnetCMS account]
Do: set target [target]
Do: set payload [payload]
Do: set LHOST [IP]
Do: exploit
Options
PASSWORD
The password for the FlexDotnetCMS account to authenticate with.
TARGETURI
The base path to FlexDotnetCMS. The default value is /.
USERNAME
The username for the FlexDotnetCMS account to authenticate with. The default value is admin.