Hello, aspiring ethical hackers. In this article, you will learn about an arbitrary file upload vulnerability that was found in Webnms framework 5.2.
The Fileuploadservlet has a directory traversal vulnerability in the “filename” parameter which allows an unauthenticated user to upload a jsp file. We can only upload text files and to achieve RCE , they need to be dropped in ../jsp/ folder with names only as login.jsp or webstartXXX.jsp ( where XXX is string of any length).
Here is the code vulnerable to arbitrary file upload.
Here are the names of the files that are uploaded in the process of exploitation. As you can see, the files are appended with random text.
Ok. Now let’s see how this exploit works. Start Metasploit and load the exploit as shown below.
We need to only set the target IP. The “check” command may not give you exact status of vulnerability as shown below.
Set the meterpreter payload as shown below.
Type “run” command to execute the exploit. You should successfully get meterpreter session as shown below.
That’s all in File Upload in WebNMS Framework. Want to learn Ethical hacking in Real World scenarios. Subscribe to our Digital Magazine.
