Open Source Social Network 6.3 — Authenticated Unrestricted File Upload (Theme)
Description
OpenTeknik LLC OSSN OPEN SOURCE SOCIAL NETWORK v6.3 LTS was discovered to contain an arbitrary file upload vulnerability via the component /ossn/administrator/theme_installer. This vulnerability allows attackers to execute arbitrary code via a crafted PHP file.
Proof of Concept
First, log in as admin on the administrator page.
Go to the Themes > installer menu.
Download the theme to our local machine. In this case, I’m using the Fake book theme.
After unzipping the downloaded theme, we find the ossn_theme.php file in the theme's directory.
It looks like we can change the content of the ossn_theme.php file to a PHP reverse shell.
Next, generate a PHP reverse shell of type PHP PentestMonkey at www.revshells.com.
Replace the content of ossn_theme.php with the PHP reverse shell.
Create a zip archive that contains the theme directory.
Go to the Themes > installer menu and click the Browse button.
Choose the archive that we created.
Next, let’s click on the Upload button.
Now, our theme with the malicious files is ready to use.
Use netcat to listen for TCP connections on port 443.
Directly access the ossn_theme.php file, whose content we replaced with the PHP reverse shell, via the following link.
http://<IP>/ossn/themes/facebook/ossn_theme.php
Bravo! We get a system shell on the web server running Open Source Social Network 6.3.
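A pre-install check an administrator could run on a theme archive before uploading it through the installer, shown as an added example that is not part of the original advisory or OSSN's code: it lists PHP files in the zip that call process or socket functions. The function list, helper names and both sample archives are constructed assumptions.

```python
import io
import re
import zipfile

# Calls a theme has no ordinary reason to make (assumed review list, not taken from OSSN).
RISKY_CALLS = ("fsockopen", "proc_open", "shell_exec", "passthru", "popen", "system", "exec", "eval")
# Match a bare function call, not a method ($obj->exec) or a longer name (curl_exec).
CALL_RE = re.compile(r"(?<![\w>$:])(" + "|".join(RISKY_CALLS) + r")\s*\(", re.IGNORECASE)
PHP_EXT_RE = re.compile(r"\.(php\d?|phtml|phar)$", re.IGNORECASE)


def audit_theme_archive(zip_bytes):
    """Return {member_name: sorted risky call names} for PHP files in a theme zip."""
    findings = {}
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as archive:
        for info in archive.infolist():
            if info.is_dir() or not PHP_EXT_RE.search(info.filename):
                continue
            source = archive.read(info).decode("utf-8", errors="replace")
            hits = sorted({m.group(1).lower() for m in CALL_RE.finditer(source)})
            if hits:
                findings[info.filename] = hits
    return findings


def build_zip(files):
    """Build an in-memory zip from {path: text}; used only for the constructed samples."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as archive:
        for path, text in files.items():
            archive.writestr(path, text)
    return buf.getvalue()


# Constructed samples: an unmodified-looking theme and one whose ossn_theme.php was replaced.
CLEAN_THEME = build_zip({
    "facebook/ossn_theme.php": "<?php\n// constructed benign bootstrap\n$theme_name = 'facebook';\n",
    "facebook/css/core.css": "body { margin: 0; }\n",
})
TAMPERED_THEME = build_zip({
    "facebook/ossn_theme.php": "<?php\n$s = fsockopen($ip, $port);\n$p = proc_open('sh', $d, $pipes);\n",
    "facebook/css/core.css": "body { margin: 0; }\n",
})

if __name__ == "__main__":
    for label, data in (("clean", CLEAN_THEME), ("tampered", TAMPERED_THEME)):
        print(label, audit_theme_archive(data))
```

Token matching is a triage aid: a hit is a reason to reject the archive, while an empty result does not prove the theme is safe, since obfuscated code will not match.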
Author
Grim The Ripper Team by SOSECURE Thailand