cinzinga

OSEP, OSCP, OSWP

2 minute read

This post a brief description of the discovery and development of CVE-2020-10557.

Background

AContent is a free web content and authoring tool made by the same authors as Atutor. This application has a history of vulnerabilities on Exploit-db, thus I expected to find more in the newest release. For the purposes of CVE testing, I aim to avoid accounts with administrator privileges to better gauge just how much damage a malicious low privileged user could accomplish. Conveniently, AContent allows for open registration of both student and teacher accounts. Since the teacher accounts have slightly more privileges, I decided to use that account.


Figure 1: Registration Page with Check Box for Content Creator Account

After further exploration of the site I discovered an area for file uploads, always a great place to begin looking for unusual behavior or potential vulnerabilities. Shortly after trying some combinations of file extension bypass payloads, I determined that both .php7 and .phtml were not rejected by the web application. Thus, one could upload a malicious web shell in order to execute commands against the web server.


Figure 2: Successful File Upload Restriction Bypass and RCE

The Exploit

Great, so now we at least know we have a CVE for unrestricted file upload leading to RCE; however, with this CVE I wanted to try something a little different. I wanted to attempt to script a fully functional exploit to allow a user to execute commands against the server via their terminal without needed to manually exploit.

After struggling for way too long with Python3 and troubleshooting silly typos, I eventually got a semi-functional exploit working. I say “semi-functional” as there are two caveats. First, the user must supply a valid session cookie via command line parameters, meaning they must log in and determine this using document.cookie. Originally my aim was to simply pass username and password into the exploit via command line; however, I encountered some errors that I was unable to troubleshoot and thus determined using the cookie would be simpler. Second, the user must also know their author number. This number can easily be determined with Burp Suite. Alternatively, it can be brute forced as the number simply increments by 1 with each new account created, thus one could script the exploit until they see a successful completion. The completed exploit can be found here.

Now, without further delay, I present CVE-2020-10557!

python3 cve-2020-10557.py -url http://192.168.0.21/AContent/ -cookie 58n37v64bq3teoi097koae8f01 -author 9


Figure 3: Successful Exploitation via Command Line

Impact

After reaching out to the developer, I saw that this project has been unmaintained for two years. I highly recommend that the two live websites still running AContent find another web application to meet their needs.


Figure 4: Sites running AContent

Acknowledgements

I would like to thank m0rph-1 and Tib3rius for putting up with all my amateur Python coding questions.

Hits

You May Also Enjoy

Two Years of Bug Bounty Hunting

7 minute read

Two years ago this month, I created my first bug bounty account on Bugcrowd. I decided to try my hand at bug bounty hunting for a number of months. As outlin...

XXE Case Studies

4 minute read

As it has been some time since my last blog post, I decided I would set aside some time to write one now. The topic of this blog post is inspired by a bug I ...

OSEP & PEN-300 Course Review

8 minute read

I am proud to have completed Offensive Security’s Evasion Techniques and Breaching Defenses (PEN-300) course. After successfully passing the 48-hour exam, I ...

Bug Hunting Thoughts & Statistics

2 minute read

Today marks a huge personal milestone in my bug bounty hunting career. I have achieved an all-time ranking of top 100 on Bugcrowd. This accomplishment comes ...