POC详情: 13813fb1dd8608b0dc858003dbb9b0841d63b322

来源
https://github.com/hacip/CVE-2023-33404
关联漏洞
标题: BlogEngine 代码问题漏洞 (CVE-2023-33404)
描述:BlogEngine是一套开源的ASP.NET博客系统。该系统支持Ajax评论、自定义主题等。 BlogEngine.NET 3.3.8.0及之前版本存在安全漏洞,该漏洞源于存在无限制上传漏洞,允许远程攻击者执行远程代码。
介绍
# CVE-2023-33404

A user who has EditOwnPosts right on BlogEngine.NET CMS (version 3.3.8.0 and earlier) has the ability to upload a malicious file to a hard-coded location.

POST request to /api/upload endpoint with "action=video" parameters, as shown in the screenshot below, triggers a file upload process.

![1](https://github.com/hacip/CVE-2023-33404/assets/10704979/aba6685b-9ab4-4e19-91df-c4d943ead38c)


The application, first, checks if the user has EditOwnPosts rights to proceed with the video upload, otherwise, the application rise an error.

As depicted in the screenshot below, on lines 101 and 105, the application sets a hard-coded location for files being uploaded. After that, it calls a function named UploadVideo (on line 107)

![2](https://github.com/hacip/CVE-2023-33404/assets/10704979/60931195-71a5-4750-b6bd-789093ded2bc)


The UploadVideo function. checks if the target directory exists, creates it if it does not, and saves the file to the directory.

![3](https://github.com/hacip/CVE-2023-33404/assets/10704979/6b0be06b-8724-47ce-9f7a-382e800dd2c3)

As depicted in the screenshot below, it moves the malicious file to the hardcoded directory. Requesting the file that was uploaded leads RCE.

![4](https://github.com/hacip/CVE-2023-33404/assets/10704979/583fd07c-aa37-45ea-8798-f64f1ee0075d)
文件快照

 [4.0K]  /data/pocs/13813fb1dd8608b0dc858003dbb9b0841d63b322
└── [1.3K]  README.md

0 directories, 1 file
神龙机器人已为您缓存
备注
    1. 建议优先通过来源进行访问。
    2. 如果因为来源失效或无法访问,请发送邮箱到 f.jinxu#gmail.com 索取本地快照(把 # 换成 @)。
    3. 神龙已为您对POC代码进行快照,为了长期维护,请考虑为本地POC付费,感谢您的支持。