CVE-2019-16113
Published: 2019-09-08
Priority: P1 · 79 · high
CVSS 3.1: 8.8 (AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H)
Exploit: available
EPSS: 77.96% (99.5th percentile)
Bludit 3.9.2 allows remote code execution via bl-kernel/ajax/upload-images.php because PHP code can be entered with a .jpg file name, and then this PHP code can write other PHP code to a ../ pathname.
Affected (1 range)
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| bludit | bludit | — | — |
Detection & IOCs (extracted from sources)
- Detect POST requests to /admin/ajax/upload-images with a uuid parameter containing directory traversal sequences (e.g., ../../tmp).
- Alert on upload of a .htaccess file via the image upload endpoint containing 'AddType application/x-httpd-php', which enables PHP execution of image files.
- Monitor for HTTP GET requests to /bl-content/tmp/*.jpg or /bl-content/tmp/*.png, which may indicate webshell trigger attempts after exploitation.
- Detect the X-Requested-With: XMLHttpRequest header combined with a multipart POST to /admin/ajax/upload-images as a characteristic of exploit tooling.
- Detect PHP code embedded in files with .jpg or .png extensions uploaded to the Bludit image upload endpoint.
Notes from the same sources:
- The directory traversal payload in the uuid parameter targets /bl-content/tmp by default, but the exploit can write to arbitrary server paths depending on the traversal depth used.
- The .htaccess bypass technique requires the Apache server to have AllowOverride enabled for the target directory; environments without this setting may not be exploitable via this method.
- The exploit affects Bludit versions >= 3.9.2; the Metasploit module specifically targets v3.9.2, but the directory traversal issue is present in later versions as well.
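The indicators above, turned into a small rule set over request records (an added example, not from the page's sources; the Request model, field names and indicator names are assumptions, and the sample traffic is constructed):

```python
import re
from dataclasses import dataclass, field

# Hypothetical request record, modelled on what a body-inspecting reverse
# proxy or WAF would hand to a rule engine (constructed for this example).
@dataclass
class Request:
    method: str
    path: str
    headers: dict = field(default_factory=dict)
    form: dict = field(default_factory=dict)   # multipart text fields
    upload_name: str = ""                       # filename of the file part
    upload_head: bytes = b""                    # leading bytes of the file part

UPLOAD_ENDPOINT = "/admin/ajax/upload-images"
TRAVERSAL = re.compile(r"\.\.(/|\\|%2f)", re.IGNORECASE)
TMP_IMAGE = re.compile(r"/bl-content/tmp/[^/]+\.(jpe?g|png)$", re.IGNORECASE)

def classify(req):
    """Return the indicator names one request matches (empty list = benign)."""
    hits = []
    path = req.path.split("?", 1)[0]
    if req.method.upper() == "POST" and path.endswith(UPLOAD_ENDPOINT):
        head = req.upload_head.lower()
        if TRAVERSAL.search(req.form.get("uuid", "")):
            hits.append("uuid-traversal")            # uuid used as a path component
        if req.upload_name == ".htaccess" or b"x-httpd-php" in head:
            hits.append("htaccess-php-handler")      # makes Apache run images as PHP
        if req.upload_name.lower().endswith((".jpg", ".jpeg", ".png")) and b"<?php" in head:
            hits.append("php-in-image")              # PHP source behind an image name
    if req.method.upper() == "GET" and TMP_IMAGE.search(path):
        hits.append("tmp-image-fetch")               # possible post-exploitation trigger
    return hits

def scan(reqs):
    """Map request index -> matched indicators, dropping benign requests."""
    return {i: h for i, r in enumerate(reqs) if (h := classify(r))}

# Constructed sample traffic: two malicious uploads, a fetch of the planted
# file, and one legitimate image upload with a normal uuid.
SAMPLE = [
    Request("POST", UPLOAD_ENDPOINT, {"X-Requested-With": "XMLHttpRequest"},
            {"uuid": "../../tmp"}, "evil.png", b"\x89PNG\r\n<?php echo 'x'; ?>"),
    Request("POST", UPLOAD_ENDPOINT, {}, {"uuid": "../../tmp"}, ".htaccess",
            b"AddType application/x-httpd-php .png\n"),
    Request("GET", "/bl-content/tmp/evil.png?c=1"),
    Request("POST", UPLOAD_ENDPOINT, {}, {"uuid": "5b8e1f0c"}, "photo.jpg",
            b"\xff\xd8\xff\xe0\x00\x10JFIF"),
]
```

The X-Requested-With indicator is deliberately not a rule on its own, since that header is also sent by ordinary browser AJAX uploads; it is better used to raise the score of a request that already matched one of the content rules.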
CVSS provenance
- NVD, CVSS v3.1: 8.8 HIGH (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H)
- NVD, CVSS v2.0: 6.5 MEDIUM (AV:N/AC:L/Au:S/C:P/I:P/A:P)
No detection rules found.
Exploit-DB: Bludit 3.9.2 - Directory Traversal
exploitdb · 2020-07-26 · CVSS 8.8 · CVE-2019-16113 [HIGH]
---
# Title: Bludit 3.9.2 - Directory Traversal
# Author: James Green
# Date: 2020-07-20
# Vendor Homepage: https://www.bludit.com
# Software Link: https://github.com/bludit/bludit
# Version: 3.9.2
# Tested on: Linux Ubuntu 19.10 Eoan
# CVE: CVE-2019-16113
#
# Special Thanks to Ali Faraj (@InfoSecAli) and authors of MSF Module https://www.exploit-db.com/exploits/47699
#### USAGE ####
# 1. Create payloads: .png with PHP payload and the .htaccess to treat .pngs like PHP
# 2. Change hardcoded values: URL is your target webapp, username and password is admin creds to get to the admin dir
# 3. Run the exploit
# 4. Start a listener to match your payload: `nc -nlvp 53`, meterpreter multi handler, etc
# 5. Visit your target web app and open the evil picture: v
Exploit-DB: Bludit 3.9.12 - Directory Traversal
exploitdb · 2020-06-09 · CVSS 8.8 · CVE-2019-16113 [HIGH]
---
# Exploit Title: Bludit 3.9.12 - Directory Traversal
# Date: 2020-06-05
# Exploit Author: Luis Vacacas
# Vendor Homepage: https://www.bludit.com
# Software Link: https://github.com/bludit/bludit
# Version: >= 3.9.12
# Tested on: Ubuntu 19.10
# CVE : CVE-2019-16113
#!/usr/bin/env python3
#-*- coding: utf-8 -*-
import requests
import re
import argparse
import random
import string
import base64
from requests.exceptions import Timeout
class Color:
    PURPLE = '\033[95m'
    CYAN = '\033[96m'
    DARKCYAN = '\033[36m'
    BLUE = '\033[94m'
    GREEN = '\033[92m'
    YELLOW = '\033[93m'
    RED = '\033[91m'
    BOLD = '\033[1m'
    UNDERLINE = '\033[4m'
    END = '\033[0m'
banner = base64.b64decode("4pWU4pWXIOKUrCAg4pSsIOKUrOKUjOKUrOKUkOKUrOKUjOKUrOKUkCAg4pWU4pWQ4pWX4pWmIOKVpuKVlOKVl+KVlA
Exploit-DB: Bludit - Directory Traversal Image File Upload (Metasploit)
exploitdb · 2019-11-20 · CVE-2019-16113
---
##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##
class MetasploitModule "Bludit Directory Traversal Image File Upload Vulnerability",
      'Description' => %q{
        This module exploits a vulnerability in Bludit. A remote user could abuse the uuid
        parameter in the image upload feature in order to save a malicious payload anywhere
        onto the server, and then use a custom .htaccess file to bypass the file extension
        check to finally get remote code execution.
      },
      'License' => MSF_LICENSE,
      'Author' =>
        [
          'christasa', # Original discovery
          'sinn3r'     # Metasploit module
        ],
      'References' =>
        [
          ['CVE', '2019-16113'],
          ['URL', 'https://github.com/bludit/bludit/iss
Metasploit: Bludit Directory Traversal Image File Upload Vulnerability
This module exploits a vulnerability in Bludit. A remote user could abuse the uuid parameter in the image upload feature in order to save a malicious payload anywhere onto the server, and then use a custom .htaccess file to bypass the file extension check to finally get remote code execution.
References:
- http://packetstormsecurity.com/files/155295/Bludit-Directory-Traversal-Image-File-Upload.html
- http://packetstormsecurity.com/files/157988/Bludit-3.9.12-Directory-Traversal.html
- http://packetstormsecurity.com/files/158569/Bludit-3.9.2-Directory-Traversal.html
- https://github.com/bludit/bludit/issues/1081
Published: 2019-09-08