webnms file upload

All posts tagged webnms file upload

Good evening friends. Recently we have seen how to exploit server credential disclosure vulnerability in Webnms framework 5.2. This time around researchers found an arbitrary file upload vulnerability in the Webnms framework 5.2.

The Fileuploadservlet has a directory traversal vulnerability in the “filename” parameter which allows an unauthenticated user to upload a jsp file. We can only upload text files and to achieve RCE , they need to be dropped in ../jsp/ folder with names only as login.jsp or webstartXXX.jsp ( where XXX is string of any length).

Here is the code vulnerable to arbitrary file upload.

webnmsfileupload0Here are the names of the files that are uploaded in the process of exploitation. As you can see, the files are appended with random text.
webnmsfileupload00
Ok. Now let’s see how this exploit works. Start Metasploit and load the exploit as shown below.
webnmsfileupload1
We need to only set the target IP. The “check” command may not give you exact status of vulnerability as shown below.
webnmsfileupload2
 Set the meterpreter payload as shown below.
 webnmsfileupload3
Type “run” command to execute the exploit. You should successfully get meterpreter session as shown below.
webnmsfileupload4