CVE-2022-45771 PoC — Pwndoc security vulnerability

Source
Associated Vulnerability
Title: Pwndoc security vulnerability (CVE-2022-45771)
Description: PwnDoc is a pentest report generator. Pwndoc v0.5.3 contains a security vulnerability in the /api/audits component that allows an attacker to upload a crafted audit file in order to escalate privileges and execute arbitrary code.
Description
Pwndoc local file inclusion leading to remote code execution of Node.js code on the server
Readme
![](./.github/banner.png)

<p align="center">
  <a href="https://twitter.com/intent/follow?screen_name=podalirius_" title="Follow"><img src="https://img.shields.io/twitter/follow/podalirius_?label=Podalirius&style=social"></a>
  <a href="https://www.youtube.com/c/Podalirius_?sub_confirmation=1" title="Subscribe"><img alt="YouTube Channel Subscribers" src="https://img.shields.io/youtube/channel/subscribers/UCF_x5O7CSfr82AfNVTKOv_A?style=social"></a>
  <br>
</p>

Pwndoc local file inclusion leading to remote code execution of Node.js code on the server, discovered by [@yuriisanin](https://github.com/yuriisanin)

## Features

 - [x] Custom Node.js code to execute server-side using `--payload-file`
 - [x] Cleanup after exploit

## Requirements

 - [x] An admin account on the PwnDoc instance

## Usage

```
$ ./CVE-2022-45771-Pwndoc-LFI-to-RCE.py -h
CVE-2022-45771 Pwndoc-LFI-to-RCE v1.1 - by @podalirius_

usage: CVE-2022-45771-Pwndoc-LFI-to-RCE.py [-h] -u USERNAME -p PASSWORD -H HOST [-P PORT] [-v] [--http] [-f PAYLOAD_FILE]

Poc of CVE-2022-45771 Pwndoc-LFI-to-RCE

options:
  -h, --help            show this help message and exit
  -u USERNAME, --username USERNAME
                        Pwndoc username
  -p PASSWORD, --password PASSWORD
                        Pwndoc password
  -H HOST, --host HOST  Pwndoc ip
  -P PORT, --port PORT  Pwndoc port
  -v, --verbose         Verbose mode. (default: False)
  --http                HTTP mode. (default: False)
  -f PAYLOAD_FILE, --payload-file PAYLOAD_FILE
                        File containing node.js code to run on the server.
```

## Demonstration

```
./CVE-2022-45771-Pwndoc-LFI-to-RCE.py -u admin -p 'Admin123!' --host 127.0.0.1 --payload-file files/exploit.js
```

https://user-images.githubusercontent.com/79218792/207442497-3228c436-5755-4a9a-9931-b23402dc9e86.mp4

## References
 - Issue https://github.com/pwndoc/pwndoc/issues/401 by [@yuriisanin](https://github.com/yuriisanin)
 - https://www.youtube.com/watch?v=jffBkEdF7RY
File Snapshot

```
[4.0K] /data/pocs/1ea55487e35223fe69619c763385b5da35b5ac73
├── [ 18K] CVE-2022-45771-Pwndoc-LFI-to-RCE.py
├── [4.0K] files
│   ├── [4.2K] blanktemplate.docx
│   └── [ 478] exploit.js
├── [1.9K] README.md
├── [   8] requirements.txt
└── [4.0K] test_env
    └── [ 246] start.sh

2 directories, 6 files
```