CVE-2018-19859 PoC — OpenRefine Path Traversal Vulnerability

Source
Associated Vulnerability
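Title: OpenRefine Path Traversal Vulnerability (CVE-2018-19859)
Description: OpenRefine is a Java-based open-source tool used mainly for loading, analyzing and cleaning data. Versions of OpenRefine before 3.5 contain a directory traversal vulnerability. An attacker can exploit it through relative paths in a ZIP archive to create files outside the temporary folder.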
Description
CVE-2018-19859 Remote Code Execution Proof of Concept
Readme
# CVE-2018-19859 - RCE Proof of Concept

This repository contains a proof of concept for Remote Code Execution (RCE) against OpenRefine < 3.1-beta. By exploiting a directory traversal vulnerability inside of the Create Project functionality, [CVE-2018-19859](https://github.com/OpenRefine/OpenRefine/issues/1840), a malicious user can upload a custom Java extension to gain code execution.
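
A defender's view of the flaw, as an added example that is not part of the original README or of OpenRefine's code: the check an archive importer needs before writing ZIP entries to disk, resolving each entry name against the destination and refusing the archive if any entry lands outside it. The function names and the in-memory sample archive are constructed for illustration.

```python
import io
import zipfile
from pathlib import Path


def unsafe_entries(archive, dest_dir):
    """Return entry names that would resolve outside dest_dir if joined to it."""
    dest = Path(dest_dir).resolve()
    escaping = []
    with zipfile.ZipFile(archive) as zf:
        for info in zf.infolist():
            # ZIP names use "/", but some tools emit "\"; normalise both.
            name = info.filename.replace("\\", "/")
            # Absolute names replace dest entirely; "../" climbs out of it.
            target = (dest / name).resolve()
            if target != dest and dest not in target.parents:
                escaping.append(info.filename)
    return escaping


def safe_extract(archive, dest_dir):
    """Extract only if every entry stays under dest_dir; otherwise refuse."""
    bad = unsafe_entries(archive, dest_dir)
    if bad:
        raise ValueError(f"archive rejected, entries escape {dest_dir}: {bad}")
    with zipfile.ZipFile(archive) as zf:
        zf.extractall(dest_dir)
    return sorted(p.name for p in Path(dest_dir).iterdir())


def sample_archive(names):
    """Build a constructed in-memory archive with the given entry names."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name in names:
            zf.writestr(name, b"constructed sample data")
    buf.seek(0)
    return buf
```

Python's own `zipfile` strips `..` components during extraction, so the explicit containment test is the part that carries over to extraction code in other languages, where entry names are often joined to the output directory as-is.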

This proof of concept contains a simple Java Reverse Shell which is activated when a user navigates to `{webroot}/extension/whiteoak/`.

## Installation

1. Grab a local vulnerable version of OpenRefine such as [version 2.8](https://github.com/OpenRefine/OpenRefine/releases/tag/2.8).
2. Clone this extension repository into the `openrefine/extensions/` directory.
3. Modify the `build.xml` file in the extensions directory to add a reference to the new extension.
4. Compile the extension with `./refine clean && ./refine build`
5. Generate the malicious zip archive using `evilarc_whiteoak.py` to create a zip slip archive of an entire directory. Ensure the webroot path is provided:
```bash
python3 evilarc_whiteoak.py -d 14 -p "{webroot directory}/openrefine/webapp/extensions/" whiteoak/
```
6. Upload the extension using the vulnerability described in CVE-2018-19859 via the Create Project functionality & restart the OpenRefine webserver.
7. Navigate to `{webroot}/extension/whiteoak/` and catch your new shell.


## Credits
@itsacoderepo for the [CVE details](https://github.com/OpenRefine/OpenRefine/issues/1840) on GitHub.

@ptoomey3 for the original [Zip Slip archive generation tool](https://github.com/ptoomey3/evilarc), which White Oak Security updated to Python 3 and extended with support for archiving directories.
File Snapshot

```
[4.0K] /data/pocs/947fe7ec3aa8f5d427dedd684d83b818ed8ab3f4
├── [4.0K] evilarc_whiteoak.py
├── [1.7K] README.md
└── [4.0K] whiteoak
    ├── [2.5K] build.xml
    ├── [4.0K] module
    │   ├── [ 294] index.vt
    │   ├── [ 290] macros.vm
    │   ├── [4.0K] MOD-INF
    │   │   ├── [1.2K] controller.js
    │   │   └── [ 103] module.properties
    │   ├── [4.0K] scripts
    │   │   └── [1.5K] project-injection.js
    │   └── [4.0K] styles
    │       └── [1.5K] project-injection.less
    └── [4.0K] src
        └── [4.0K] com
            └── [4.0K] google
                └── [4.0K] refine
                    └── [4.0K] whiteoakExtension
                        └── [1.2K] ReverseShell.java

10 directories, 10 files
```