CVE-2020-11819
Published 2020-04-16
CVE-2020-11819: In Rukovoditel 2.5.2, an attacker may inject an arbitrary .php file location instead of a language file and thus achieve command execution.
Priority P2 71 · Critical 9.8 (CVSS 3.1)
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Exploit: public (see the Exploit-DB entries below)
EPSS: 26.78% (97.8th percentile)
Affected (1 range)
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| rukovoditel | rukovoditel | — | — |
Detection & IOCs (extracted from sources)
- Detect LFI exploitation attempts: monitor POST requests to index.php?module=users/account&action=update where the fields[13] parameter contains path traversal sequences (e.g. '../../', plain or URL-encoded) instead of a legitimate language filename such as 'english.php'.
- Detect arbitrary file upload to the attachments endpoint: monitor multipart POST requests to index.php?module=users/account&action=attachments_upload whose Filedata part carries a .php extension.
- Detect PHP webshell or reverse-shell content uploaded disguised as an image (e.g. a PNG with appended PHP that calls proc_open, shell_exec, exec, popen, system, passthru or fsockopen).
- Monitor GET requests to uploads/users/<sha1> or uploads/attachments/<date>/<sha1> that return HTTP 200 with PHP execution output; this indicates a successful LFI-to-RCE chain.
- The exploit relies on a predictable SHA1-based filename derived from the server timestamp and the original filename (sha1(epoch_timestamp + '_' + original_filename)). Alert on enumeration of uploads/users/ or uploads/attachments/ with many candidate SHA1 names in quick succession.
- The attacker restores the language field to 'english.php' after exploitation to cover tracks. Correlate a fields[13] path-traversal update immediately followed by a revert to 'english.php' as a high-confidence attack sequence.
- The exploit requires prior authentication (a valid session cookie 'sid'). The attack surface is reduced if self-registration is disabled and credentials are not compromised; the exploit author notes to check whether the registration module is enabled as an initial-access vector.
- The uploaded file's SHA1 filename is derived from the server's Unix timestamp at upload time. The exploit brute-forces a ±52200-second window in 900-second steps, so rapid sequential requests to the uploads directory are a reliable signal.
- The verifyToken used during file upload is computed as md5(app_user_id + timestamp), where the timestamp is attacker-controlled (hard-coded as 1337 in the shell exploit). This weak token validation is what enables the upload step.
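The detection items above, turned into code that runs over log lines. This is an added example written for this page, not code from Rukovoditel, Exploit-DB or the page's sources. The log format (epoch, client IP, method, path, body excerpt) is a hypothetical proxy/WAF schema and the sample lines are constructed, not captured traffic; the thresholds (20 upload-path GETs in 900 s, a 600 s gap for the revert sequence) and the extra PHP handler extensions (.phtml, .php5) are assumptions you should tune to your environment. The filename derivation follows the page's description of the exploit, sha1(epoch + '_' + original_filename); `candidate_upload_names` shows what that predictability gives an attacker and, equally, an incident responder hunting for the dropped file.

```python
import hashlib
import re
from collections import defaultdict

# --- constructed sample log (hypothetical format, not real traffic) ----------
ATTACKER, OTHER = "10.0.0.5", "10.0.0.9"
UPDATE = "/index.php?module=users/account&action=update"
UPLOAD = "/index.php?module=users/account&action=attachments_upload"
_lines = [
    (1597500000, ATTACKER, "POST", UPDATE, "fields[13]=english.php"),
    (1597500060, ATTACKER, "POST", UPLOAD, "Filedata=photo.png;verifyToken=0f1e"),
    (1597500061, ATTACKER, "POST", UPLOAD, "Filedata=test.php;verifyToken=0f1e"),
    (1597500120, ATTACKER, "POST", UPDATE, "fields[13]=../../uploads/users/x"),
    (1597500300, ATTACKER, "POST", UPDATE, "fields[13]=english.php"),  # revert
    (1597500400, OTHER, "POST", UPDATE, "fields[13]=german.php"),        # benign
    (1597500500, OTHER, "GET", "/uploads/attachments/2020-08-15/" + "a" * 40, "-"),
]
# 21 guesses at the predictable upload name, one per second (enumeration).
_lines += [(1597500121 + i, ATTACKER, "GET", "/uploads/users/%040x" % i, "-")
           for i in range(21)]
SAMPLE_LOG = "\n".join(f"{t} {ip} {m} {p} body={b}" for t, ip, m, p, b in _lines)

LINE_RE = re.compile(r"^(?P<ts>\d+) (?P<ip>\S+) (?P<method>[A-Z]+) (?P<path>\S+) body=(?P<body>.*)$")
TRAVERSAL = re.compile(r"\.\.[/\\]|%2e%2e(?:%2f|%5c)", re.I)  # plain and URL-encoded
LANG_FIELD = re.compile(r"fields\[13\]=([^&;]*)")
FILEDATA = re.compile(r"Filedata=([^&;]*)")
PHP_EXT = re.compile(r"\.ph(?:p\d?|tml)$", re.I)  # .php plus handler variants (assumption)
UPLOAD_PATH = re.compile(r"^/uploads/(?:users|attachments/[^/]+)/[0-9a-f]{40}$")

def parse_log(text):
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            ev = m.groupdict()
            ev["ts"] = int(ev["ts"])
            events.append(ev)
    return sorted(events, key=lambda e: e["ts"])

def _lang_value(ev):
    """fields[13] value of a users/account update POST, else None."""
    if (ev["method"] != "POST" or "module=users/account" not in ev["path"]
            or "action=update" not in ev["path"]):
        return None
    m = LANG_FIELD.search(ev["body"])
    return m.group(1) if m else None

def detect_lfi_update(events):
    """Rule 1: language field set to a traversal path instead of a language file."""
    hits = []
    for e in events:
        v = _lang_value(e)
        if v and TRAVERSAL.search(v):
            hits.append((e["ts"], e["ip"], v))
    return hits

def detect_php_upload(events):
    """Rule 2: PHP source pushed through the attachments_upload endpoint."""
    hits = []
    for e in events:
        if e["method"] == "POST" and "action=attachments_upload" in e["path"]:
            m = FILEDATA.search(e["body"])
            if m and PHP_EXT.search(m.group(1)):
                hits.append((e["ts"], e["ip"], m.group(1)))
    return hits

def detect_upload_enumeration(events, threshold=20, window=900):
    """Rule 3: many GETs for sha1-named upload paths from one client within `window` s."""
    per_ip = defaultdict(list)
    for e in events:
        if e["method"] == "GET" and UPLOAD_PATH.match(e["path"]):
            per_ip[e["ip"]].append(e["ts"])
    alerts = []
    for ip, stamps in per_ip.items():
        j = 0
        for i in range(len(stamps)):  # sliding window over sorted timestamps
            while stamps[i] - stamps[j] > window:
                j += 1
            if i - j + 1 >= threshold:
                alerts.append((ip, stamps[j], stamps[i], i - j + 1))
                break
    return alerts

def detect_revert_after_traversal(events, max_gap=600):
    """Rule 4: traversal in fields[13] followed by a clean value (cover-tracks sequence)."""
    last_traversal, alerts = {}, []
    for e in events:
        v = _lang_value(e)
        if v is None:
            continue
        if TRAVERSAL.search(v):
            last_traversal[e["ip"]] = e["ts"]
        elif e["ip"] in last_traversal and e["ts"] - last_traversal[e["ip"]] <= max_gap:
            alerts.append((e["ip"], last_traversal.pop(e["ip"]), e["ts"], v))
    return alerts

def expected_upload_name(original_filename, epoch):
    """Stored name as the page describes the exploit computing it: sha1(epoch + '_' + name)."""
    return hashlib.sha1(f"{epoch}_{original_filename}".encode()).hexdigest()

def candidate_upload_names(original_filename, upload_epoch, window=52200, step=900):
    """Names tried across the brute-force window; a 900 s step only covers timestamps
    on that grid, so an upload whose second is off-grid is missed by the enumeration."""
    return {expected_upload_name(original_filename, t): t
            for t in range(upload_epoch - window, upload_epoch + window + 1, step)}

if __name__ == "__main__":
    evs = parse_log(SAMPLE_LOG)
    print("LFI updates:  ", detect_lfi_update(evs))
    print("PHP uploads:  ", detect_php_upload(evs))
    print("Enumeration:  ", detect_upload_enumeration(evs))
    print("Revert chains:", detect_revert_after_traversal(evs))
```

Rule 4 fires on any non-traversal value that follows a traversal from the same client, not only 'english.php', because an attacker reverting to whatever language the account had before looks identical from the log. The enumeration detector deliberately ignores response codes, since brute-force guesses mostly return 404; pair it with the HTTP 200 check from the list above to confirm that one guess landed.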
CVSS provenance
| Source | Version | Score | Severity | Vector |
|---|---|---|---|---|
| NVD | 3.1 | 9.8 | CRITICAL | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H |
| NVD | 2.0 | 7.5 | HIGH | AV:N/AC:L/Au:N/C:P/I:P/A:P |
No detection rules found.
Exploit-DB
Rukovoditel 2.6.1 - RCE (1)
exploitdb · 2020-12-11 · CVSS 9.8 · CVE-2020-11819 [CRITICAL]
---
```bash
#!/bin/bash
# Exploit Title: Rukovoditel 2.6.1 - RCE
# Date: 2020-06-11
# Exploit Author: coiffeur
# Write Up: https://therealcoiffeur.github.io/c1010
# Vendor Homepage: https://www.rukovoditel.net/
# Software Link: https://www.rukovoditel.net/download.php
# Version: v2.6.1
# CVE: CVE-2020-11819

set -e

function usage () {
    echo "NAME: Rukovoditel v2.6.1, RCE"
    echo "SYNOPSIS: ./rce_2.6.1.sh <BASE_URL> <SID>"
    echo "DESCRIPTION:"
    echo "Upload file test.php on the remote server and trigger the file using a LFI"
    echo "AUTHOR: coiffeur"
    exit
}

if [ "$#" -ne 2 ]; then
    usage
fi

BASE_URL="$1"   # e.g. http://target/rukovoditel
SID="$2"        # valid authenticated session cookie

echo "Setting target: $BASE_URL"
echo "Setting sid: $SID"
echo ""

echo "Extracting \$app_user['id']:"
APP_USER_ID=`curl -s "$BASE_URL/index.php?module=users/account" -H "Cookie: sid=$SID" | gre
```
Exploit-DB
Rukovoditel 2.7.1 - Remote Code Execution (2) (Authenticated)
exploitdb · 2020-09-02 · CVSS 9.8 · CVE-2020-11819 [CRITICAL]
---
```python
#!/usr/bin/python3
# Exploit Title: Rukovoditel 2.7.1 - Remote Code Execution (Authenticated)
# Exploit Author: @_danyx07
# Vendor Homepage: https://www.rukovoditel.net/
# Software Link: https://www.rukovoditel.net/download.php
# Version: Rukovoditel -p you can provide credentials, load the image with PHP content and use local file inclusion (CVE-2020-11819) to achieve the execution of code.
# Protip: remember to check if the registration module is enabled ;)

import sys
import requests
from bs4 import BeautifulSoup
import re
import base64
import argparse
import os
from shutil import copyfile
import datetime
import hashlib
import socket
import threading
import time
import random
import uuid

__version__ = '1.0'

parser = a
```