Description

Found authenticated Remote Code Execution (RCE) on pluck 4.7.15

While reading the source code found blacklisted extension are mentioned in the file (data/inc/files.php) at line 44 and 45. File upload function validating the file extension is match any one of the following extension (.php, php3, php4, php5, php6, php7, phtml, .phtm, .pht, .ph3, .ph4, .ph5, .asp, .cgi, .phar). If the extension matched then renaming the file with .txt extension at end.

And there is .htaccess file in files directory (upload file directory) where php_flag engine is disabled. So we can’t ale to execute the file in this directory

For successful exploitation we required to upload web shell without the forementioned extension and the file should not be in files directory. So I created a simple webshell with “.inc” extension and upload the file.

Login to the admin account. Use the following URL (http://192.168.0.211/admin.php?action=files) or navigate to pages -> manage files.

Upload the webshell with “.inc” extension.

We already know there is no restriction for file upload if the file extension is forementioned extension then it will renamed the file. So anyway our webshell will uploaded.

File uploaded try to execute the file. As guessed our file is not executed.

Now we need to move the file to some other directory. While analysing I found that trash directory doesn’t have any validation.

So deleting the file will move webshell to trash directory. So we can able to execute from trash directory.

Once the file is deleted then navigate to the following directory (http://192.168.0.211/data/trash/files/<fileName>) to execute our web shell.

Our web shell executing successfully.

Proof of Concept

// webshell.inc
<?php
if (isset($_GET['d'])) {
  eval(passthru($_GET['d']));
};

Impact

Complete server takeover using the uploaded webshell.