
Product Owner: Ilch – Content Management System
CVE ID – CVE-2019-17046 ( https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-17046 )
Type: Installable/Customer-Controlled Application
Application Name: ilchCMS 2.1.22
Severity: Critical
Authentication: Required
Complexity: Complex
Vulnerability Name: Insecure File upload and Local file inclusion to remote code execution – Ilch CMS Admin Modules
Vulnerability Explanation:
Browsers Verified In:
Firefox 68.0.2 (64-bit)
Impact:
Local File Inclusion – aka LFI – is one of the most common Web Application vulnerabilities. If conducted successfully, It might allow attackers to read sensitive information, access configuration files or even execute system commands remotely.
An application is vulnerable every time a developer uses the include functions, with an input provided by a user, without validating it. An attacker could easily exploit such a mistake. The main goals of the attacker would be:
- An in depth information gathering (user enumeration, sensitive files, credentials and more).
- A reverse shell to the target machine.
Log Poisoning:
Log Poisoning is a common technique used to gain a reverse shell from a LFI vulnerability. To make it work an attacker attempts to inject malicious input to the server log.
As the PHP statement “include” also evaluates the input, an inclusion of a malformed file would be evaluated too. If we control the contents of a file available on the vulnerable web application, we could insert PHP code and load the file over the LFI vulnerability to execute our code.Such injections were taking place over the server log files. Such files are the Apache error log, the Access log and more.
Php info:

As shown, we were able to load the PHPInfo file, meaning that our code was executed. Let’s now attempt to execute the proper commands and receive a reverse shell from the target machine.
For the following Php-oneliner payload to execute system commands:
<?php echo shell_exec($_GET[‘e’].’ 2>&1′); ?>
LFI: Local File Inclusion using insecure file upload
Insecure file upload – Allows to add .php extension in the allowed file section (Media module -> settings -> Allowed File -> php
url : http://localhost/cms/Ilch-v2.1.22/index.php/admin/media/settings/index

Shell.php

Ipconfig:

Reverse shell:
Using netcat we can gain reverse shell payload.
Revershell payload used:

Payload – https://github.com/Dhayalanb/windows-php-reverse-shell.git
Remote Code Execution: Remote code execution is the ability an attacker has to access someone else’s computing device and make changes, no matter where the device is geographically located
By listening on port 1234 we can see that a Admin shell has been received.
Affected url :
http://localhost/cms/Ilch-v2.1.22/index.php/admin/media/settings/index
http://localhost/cms/Ilch-v2.1.22/index.php/admin/media/index/index
http://localhost/cms/Ilch-v2.1.22/index.php/admin/media/settings/index

Twitter – https://twitter.com/the_pr0fess0r_
NickName: 4n4nd
Pingback: Vulnerability Summary for the Week of September 30, 2019 | a