Goal Reached Thanks to every supporter — we hit 100%!

Goal: 1000 CNY · Raised: 1000 CNY

100.0%
Buy Us a Coffee

CVE-2023-33404 PoC — BlogEngine 代码问题漏洞

Source
https://github.com/hacip/CVE-2023-33404
Associated Vulnerability
Title:BlogEngine 代码问题漏洞 (CVE-2023-33404)
Description:An Unrestricted Upload vulnerability, due to insufficient validation on UploadControlled.cs file, in BlogEngine.Net version 3.3.8.0 and earlier allows remote attackers to execute remote code.
Readme
# CVE-2023-33404

A user who has EditOwnPosts right on BlogEngine.NET CMS (version 3.3.8.0 and earlier) has the ability to upload a malicious file to a hard-coded location.

POST request to /api/upload endpoint with "action=video" parameters, as shown in the screenshot below, triggers a file upload process.

![1](https://github.com/hacip/CVE-2023-33404/assets/10704979/aba6685b-9ab4-4e19-91df-c4d943ead38c)


The application, first, checks if the user has EditOwnPosts rights to proceed with the video upload, otherwise, the application rise an error.

As depicted in the screenshot below, on lines 101 and 105, the application sets a hard-coded location for files being uploaded. After that, it calls a function named UploadVideo (on line 107)

![2](https://github.com/hacip/CVE-2023-33404/assets/10704979/60931195-71a5-4750-b6bd-789093ded2bc)


The UploadVideo function. checks if the target directory exists, creates it if it does not, and saves the file to the directory.

![3](https://github.com/hacip/CVE-2023-33404/assets/10704979/6b0be06b-8724-47ce-9f7a-382e800dd2c3)

As depicted in the screenshot below, it moves the malicious file to the hardcoded directory. Requesting the file that was uploaded leads RCE.

![4](https://github.com/hacip/CVE-2023-33404/assets/10704979/583fd07c-aa37-45ea-8798-f64f1ee0075d)
File Snapshot

 [4.0K]  /data/pocs/13813fb1dd8608b0dc858003dbb9b0841d63b322
└── [1.3K]  README.md

0 directories, 1 file
Shenlong Bot has cached this for you
Remarks
    1. It is advised to access via the original source first.
    2. Local POC snapshots are reserved for subscribers — if the original source is unavailable, the local mirror is part of the paid plan.
    3. Mirroring, verifying, and maintaining this POC archive takes ongoing effort, so local snapshots are a paid feature. Your subscription keeps the archive online — thank you for the support. View subscription plans →