Is is possible to download arbitrary files on the server, using a path
traversal vulnerability. Indeed, the "download as PDF” features performs a non-recursive filtering of the string "../”, leading to a possible recursive string "..././” that will result in a parent folder escalation. By exploiting this vulnerability, an attacker is able to download the config/uuid file which contains the encryption key of the token, and get an administrator access. Remediation: One should do a recursive cleaning of the parameter string, as long as "../” pattern is there in thw URL.
Vulnerability 2 : SQL injection
PostGreSQL, as a fully featured programming language, allows much more
procedural control than SQL, including the ability to use loops and other control structures. SQL statements and triggers can call functions created in the PL/pgSQL language. Since version 9.3, new functionality was implemented. This allows the database superuser, and any user in the 'pg_execute_server_program’ group to run arbitrary operating system commands. In combination with a stacked query SQL injection found in the source code of Soapbox, an attacker is able to run arbitrary commands on the system using the following /admin/users/category?id= 1 Remediation: User inputs needs to be sanitized before SQL query is sent to the SQL database to fetch the data.
Below are the steps to perform Remote Code Execution.
1. Create an account on the site
2. Log in onto Soapbox and enable the "Remember me” feature 3. Extract the Remember me cookie 4. Download the config UUID file with the link /download?id=..././conf/uuidto bypass the ../ filter 5. Decrypt the cookie with the UUID key 6. Change the ID of the decrypted cookie and encrypt the token 7. Change the cookie in the browser with the new one 8. Perform PostGreSQL Remote Code Execution using stacked queries injection in the /admin/users/category?id=1 URL
Host : Akount Vulnerability 1 : Type Juggling
The source code of the application uses a loose comparison in the reset password process.
@UN5TABLE The lack of a specific type means that PHP operates on a "best-guess” principle (called type juggling), where PHP converts the value of a variable to the most appropriate type for the action being carried out. For example, the following assertion is true, because 0123456 is equal to 0666: if "0e123456” == "0e666" In combination with the bruteforce of a magic hash, a anonymous attacker is able to reset any account password, including administrator's password. Remediation: Perform a strict comparison with the use of === instead of ==. Furthermore, truncation of a hash is not recommended.
Vulnerability 2 : Arbitrary File Upload
Once authenticated as an administrator, it is possible to upload an arbitrary
file using the "Upload invoice” feature. The source code perform an extension-based filter, using a blacklist. This blacklist misses several extensions, for example .php3 .php4, .php6 and One attacker can upload a malicious file (reverse PHP shell) using the extens a .htaccess file to enable the PHP execution on the server. Remediation: The application must check for the content-type of the file being upload along with its extension.
Proof of Concept :
1. Exploit_file.py
#!/usr/bin/env python import requests, re, time, sys
attacker_ip = sys.argv[1] # Mein IP target = "http://TODO" # The target
email = "admin@akount.tld" # email for admin password = 'MeinP4ssword' # password for admin ts = int(time.time())
Below is the methodology to perform Remote Code Execution .
1. We ask for a password reset of the administrator
2. Perform a request to the link /reset/1/<timestamp>/0e123456to expect a magic-hash type juggling on the reset token 3. If the link is rejected, return to 1. 4. If the link is valid, change the administrator password 5. Log in as administrator 6. Upload a reverse shell with PHP6 extension to bypass the filter 7. Upload a .htaccess file to make Apache run the script 8. Perform a request to the PHP reverse shell
