Dolibarr 12.0.3 Authenticated RCE Vulnerability

Open source ERP-CRM Dolibarr 12.0.3 is vulnerable to an authenticated Remote Code Execution attack. An attacker who has access to the admin dashboard can manipulate the backup function by inserting a payload into the file name and thereby trigger command injection on the target system.

When analyzing the Dolibarr app, I realized that it backs up the files and compresses them. This had to be somehow related to the “tar” command. With this assumption in mind, when I clicked on the “Generate Backup” button, I concretely saw that the tar command was indeed in action. So, was it possible to inject code?

Challenge #2: Triggering Command Injection

With command injection in mind, on the admin dashboard page I clicked the “Generate Backup” button with the Gzip option selected while Burp Suite was intercepting the traffic. I tried many different vectors and encodings. When I analyzed the source code, I realized that the PHP utility function escapeshellcmd was used to sanitize the input. This function successfully escapes the usual shell metacharacters. Yet the command actually running in the background was “tar”. The tar command has a special parameter called “--use-compress-program”, and it is possible to inject bash commands as part of this parameter without violating escapeshellcmd. Thus I was capable of running a command shell with the following payload:

This allowed me to have a netcat listener. Once I was about to share my findings with Exploit-DB, one of our team members warned me that a netcat listener is not an interactive shell. I had totally forgotten and missed the famous “-e” parameter.

Yet, hold on: “nc -nlvp 9999 -e cmd.exe” should successfully run on Windows:

C:\Users\Administrator\Desktop\Tools\ncat>ncat.exe -exec cmd.exe -vnl 9999 -allow 10.0.0.254

Unencrypted bind shell from Windows to the attacker machine.

However, “nc -nlvp 9999 -e /bin/bash” was not allowed, because the slash (/) character was being filtered. A new challenge was again in front of us. Finally we found out that we had the possibility of using the “-c” parameter, so “nc -c bash -nlvp 9999” successfully runs.

Fix: The vendor pushed a fix to their GitHub blocking the use of “--” characters:

After that, version 12.0.4 was also published on:

Disclosure Timeline

13 December 2020 - Released Dolibarr 12.0.
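The sanitization gap described above, modelled in Python as an added example (this is neither the write-up's nor Dolibarr's own code): escapeshellcmd-style escaping touches neither spaces nor option-shaped tokens, so once the name is interpolated into a shell string the shell word-splits it and tar receives an injected option; the hardened builder allowlists the name, avoids the shell entirely and ends option parsing with `--`. The tar command shape, the `documents` path and the placeholder program name are assumptions.

```python
import re
import shlex

# Metacharacters that PHP's escapeshellcmd() prefixes with a backslash
# (unpaired-quote handling omitted; it does not change the cases below).
# Note what is missing: space, "-" and "=", so an option-shaped token survives.
_ESCAPESHELLCMD_CHARS = set("&#;`|*?~<>^()[]{}$\\\x0a\xff")


def php_escapeshellcmd(value: str) -> str:
    """Python approximation of PHP escapeshellcmd(), for demonstration only."""
    return "".join("\\" + ch if ch in _ESCAPESHELLCMD_CHARS else ch for ch in value)


def argv_seen_by_tar_unsafe(backup_name: str) -> list[str]:
    """Assumed shape of the vulnerable pattern (not Dolibarr's real code):
    escape the user-supplied name, then interpolate it into a shell command
    line. The shell word-splits the name, so a space followed by an option
    becomes a separate argv element that tar parses as an option."""
    command = f"tar -czf {php_escapeshellcmd(backup_name)} documents"
    return shlex.split(command)


# Allowlist: first character alphanumeric (so the name can never look like an
# option), then only characters a backup file name legitimately needs.
_SAFE_NAME = re.compile(r"[A-Za-z0-9][A-Za-z0-9._-]{0,127}")


def build_tar_argv(backup_name: str) -> list[str]:
    """Hardened builder: reject anything outside the allowlist, pass an argv
    list (no shell, hence no word splitting) and end option parsing with '--'
    so that positional paths can never be read as options either."""
    if not _SAFE_NAME.fullmatch(backup_name):
        raise ValueError(f"rejected backup file name: {backup_name!r}")
    return ["tar", "--create", "--gzip", "--file", backup_name, "--", "documents"]


if __name__ == "__main__":
    # Constructed sample input: a name carrying an option after a space.
    hostile = "backup --use-compress-program=PLACEHOLDER_PROGRAM"
    print(argv_seen_by_tar_unsafe(hostile))   # option token survives escaping
    print(build_tar_argv("backup_2020-12-13.tgz"))
    try:
        build_tar_argv(hostile)
    except ValueError as exc:
        print(exc)
```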