RCE exploit for low privileged user via CSRF in open-webui # CVE-2024-7808 :skull:
$${\color{red} THIS \space EXPLOIT \space MAY \space VIOLATE \space THE \space LAW.}$$
$${\color{red}\space YOU \space ARE \space RESPONSIBLE \space FOR \space YOUR \space ACTIONS.}$$
$${\color{red}DEMONSTRATION \space PURPOSE \space ONLY.}$$
## DESCRIPTION
[RCE by Non-Admin Users via CSRF in open-webui](https://huntr.com/bounties/9350a68d-5f33-4b3d-988b-81e778160ab8) which
allow attacker to send malicious HTML document with build-in javascript that will upload and execute file contains revers
shell.
Before main stage script starts web server to give HTML document with multipart form data submission and netcat listener.
Next, upload document to the vulnerable site and on page load event javascript will upload file contains python revers
shell. If everything is fine you'll receive revers shell in the terminal. Also, if directory listing is
visible you can visit page and try to manually check file uploading process and debug.
## Preparation
1. Clone project
```git clone https://github.com/theUnknownSoul/CVE-2024-7806```
2. Change right for ```install.sh``` script and run from root to install all necessary dependencies
and rights.
3. Change port for web server and netcat listener in ```serve.sh``` script if needed.
4. Change IP and server port for reverse shell in a ```non_suspicious_file.py```.
5. Install dependencies with ``` pip install -r requirements.txt```
## Usage
```
python CVE-2024-7806.py -u <target url>
```
[4.0K] /data/pocs/dbf49c5091bd9aefb8db496a54a5343002a930fe
├── [2.4K] CVE-2024-7806.py
├── [1.2K] install.sh
├── [1.5K] non_suspicious_file.py
├── [1.4K] README.md
├── [ 16] requirements.txt
├── [ 311] serve.sh
└── [6.3K] shell-uploader.html
0 directories, 7 files