Posted on Leave a comment

Webnms framework file upload exploit

Good evening friends. Recently we have seen how to exploit server credential disclosure vulnerability in Webnms framework 5.2. This time around researchers found an arbitrary file upload vulnerability in the Webnms framework 5.2.

The Fileuploadservlet has a directory traversal vulnerability in the “filename” parameter which allows an unauthenticated user to upload a jsp file. We can only upload text files and to achieve RCE , they need to be dropped in ../jsp/ folder with names only as login.jsp or webstartXXX.jsp ( where XXX is string of any length).

Here is the code vulnerable to arbitrary file upload.

Here are the names of the files that are uploaded in the process of exploitation. As you can see, the files are appended with random text.
Ok. Now let’s see how this exploit works. Start Metasploit and load the exploit as shown below.
We need to only set the target IP. The “check” command may not give you exact status of vulnerability as shown below.
 Set the meterpreter payload as shown below.
Type “run” command to execute the exploit. You should successfully get meterpreter session as shown below.
 

Leave a Reply

This site uses Akismet to reduce spam. Learn how your comment data is processed.