来源

关联漏洞

描述

RCE  exploit for low privileged user via CSRF in open-webui 

介绍

# CVE-2024-7808 :skull:
 $${\color{red} THIS \space EXPLOIT \space MAY \space VIOLATE \space THE \space LAW.}$$ 
 $${\color{red}\space YOU \space ARE \space RESPONSIBLE  \space FOR \space YOUR \space ACTIONS.}$$ 
 $${\color{red}DEMONSTRATION \space PURPOSE \space ONLY.}$$

## DESCRIPTION

[RCE by Non-Admin Users via CSRF in open-webui](https://huntr.com/bounties/9350a68d-5f33-4b3d-988b-81e778160ab8) which
allow attacker to send malicious HTML document with build-in javascript that will upload and execute file contains revers 
shell.

Before main stage script starts web server to give HTML document with multipart form data submission  and netcat listener. 
Next, upload document to the vulnerable site and on page load event javascript  will upload file contains python revers 
shell. If everything is fine you'll receive revers shell in the terminal. Also, if directory listing is 
visible you can visit page and try to manually check file uploading process and debug.

## Preparation
1. Clone project
```git clone https://github.com/theUnknownSoul/CVE-2024-7806```
2. Change right for ```install.sh``` script and run from root to install all necessary dependencies
and rights.
3. Change port for web server and netcat listener in ```serve.sh``` script if needed.
4. Change IP and server port for reverse shell in a ```non_suspicious_file.py```. 
5. Install dependencies with ``` pip install -r requirements.txt```

## Usage
```
python CVE-2024-7806.py -u <target url>
```

文件快照

 [4.0K]  /data/pocs/dbf49c5091bd9aefb8db496a54a5343002a930fe
├── [2.4K]  CVE-2024-7806.py
├── [1.2K]  install.sh
├── [1.5K]  non_suspicious_file.py
├── [1.4K]  README.md
├── [  16]  requirements.txt
├── [ 311]  serve.sh
└── [6.3K]  shell-uploader.html

0 directories, 7 files

备注