CVE-2023-5311

Note : A JOURNEY TO GAIN KNOWLEDGE

Missing Authorization on .htaccess File Leads to RCE

Description

A subscriber, the lowest-privilege account role, should not be able to upload or overwrite files such as .htaccess. If a vulnerability or misconfiguration lets a subscriber do so, an attacker can turn that write into Remote Code Execution (RCE) on the server.

Analysis

  • In the register function, any of three code paths writes the .htaccess file from request input, so a subscriber can fully control its contents by supplying one of the parameters htaccess_root, htaccess_includes, or htaccess_content. None of the three paths checks the caller's capability or a nonce before writing.

// Vulnerable handler as shipped: no capability or nonce check precedes any of
// the three writes, so whoever can reach this function controls the file.
if (!empty($_POST['save_root'])) {
    if (isset($_POST['wp_extra']['htaccess_root'])) {
        $htaccess_root = trim(stripslashes($_POST['wp_extra']['htaccess_root']));
        if ($htaccess_root) {
            // Overwrites the web root .htaccess unconditionally; '@' hides write errors.
            @file_put_contents($path_root, $htaccess_root);
        }
    }
}
if (!empty($_POST['save_content'])) {
    if (isset($_POST['wp_extra']['htaccess_content'])) {
        $htaccess_content = trim(stripslashes($_POST['wp_extra']['htaccess_content']));
        if ($htaccess_content) {
            // Only created when absent, but an empty value below deletes it first.
            if (!file_exists($path_content)) {
                @file_put_contents($path_content, $htaccess_content);
            }
        } else {
            unlink($path_content);
        }
    }
}
if (!empty($_POST['save_includes'])) {
    if (isset($_POST['wp_extra']['htaccess_includes'])) {
        $htaccess_includes = trim(stripslashes($_POST['wp_extra']['htaccess_includes']));
        if ($htaccess_includes) {
            if (!file_exists($path_includes)) {
                @file_put_contents($path_includes, $htaccess_includes);
            }
        } else {
            unlink($path_includes);
        }
    }
}
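A hardened version of the same handler, added here as an illustration and not the plugin's own fix: it gates the three writes behind a capability check and a nonce, and stops suppressing write errors. It assumes it runs inside WordPress (current_user_can, check_admin_referer, wp_unslash and wp_die are core functions); the nonce action name, the nonce field name and the $paths array are hypothetical.

```php
<?php
// Added example, not the plugin's code. Same three POST flags and fields as the
// vulnerable handler; $paths maps 'root', 'content', 'includes' to the target files.
function wp_extra_save_htaccess_hardened(array $paths) {
    // 1. Authorization: only users who may manage the site can touch .htaccess.
    //    A subscriber fails this check and the request ends here.
    if (!current_user_can('manage_options')) {
        wp_die(__('You are not allowed to modify .htaccess files.'), 403);
    }
    // 2. CSRF protection: the form must carry a nonce issued for this action
    //    (action and field names below are assumed, not from the plugin).
    check_admin_referer('wp_extra_save_htaccess', 'wp_extra_nonce');

    $fields = array(
        'save_root'     => array('htaccess_root',     $paths['root']),
        'save_content'  => array('htaccess_content',  $paths['content']),
        'save_includes' => array('htaccess_includes', $paths['includes']),
    );
    $results = array();
    foreach ($fields as $flag => $spec) {
        list($key, $target) = $spec;
        if (empty($_POST[$flag]) || !isset($_POST['wp_extra'][$key])) {
            continue;
        }
        // wp_unslash undoes WordPress' magic-quotes slashing, like stripslashes above.
        $content = trim(wp_unslash($_POST['wp_extra'][$key]));
        // 3. No '@': a failed write or unlink is reported to the caller.
        if ($content === '') {
            $results[$key] = file_exists($target) ? unlink($target) : true;
        } else {
            $results[$key] = (false !== file_put_contents($target, $content));
        }
    }
    return $results;
}
```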

POC

Even though that file extension is blacklisted by the upload filter, an attacker-controlled .htaccess can instruct the server to treat files with that extension as executable PHP, so uploading one yields Remote Code Execution (RCE).


Last updated 1 year ago

Thanks for reading, have a nice day

🥑
❤️