Authenticated Remote code Execution #7

Closed
Debaibi opened this issue Nov 1, 2019 · 5 comments
Debaibi commented Nov 1, 2019

Affected software: CuppaCMS

Type of vulnerability: Remote code execution

Discovered by: Yosri Debaibi

Description:

The file manager option allows admin users to upload images to the application; the rename function could be altered by the users. An authenticated attacker is able to upload a malicious file with an image extension (jpg, jpeg, png, ...) and, through a custom request using the rename function provided by the file manager, is able to modify the image extension to php, as a result executing PHP code.

Proof of concept:

Step 1: Log in to the Cuppa CMS.

Step 2: URL: http://127.0.0.1/cuppa/administrator/

Go to the File manager.
[Screenshot from 2019-11-01 17-18-32]

Step 3: Upload our malicious PHP file with an image extension in Upload_files.

[Screenshot]

Once it is uploaded, the file is renamed to "evil_1572625596.jpg", which is located in media/upload_files/evil_1572625596.jpg, as shown in the figure below.
[Screenshot from 2019-11-01 17-27-08]

Step 4: We launched our proxy to intercept the request; then we renamed our file to evil.php using the rename button in the file manager.

[Screenshot from 2019-11-01 17-34-58]

Step 5: We deleted the jpg extension from the "to:/upload_files/evil.php.jpg" parameter to change our file name to evil.php and forwarded the request to the server.

[Screenshot from 2019-11-01 17-36-24]

Step 6: We had successfully uploaded our evil.php to the server.

[Screenshot from 2019-11-01 17-38-05]

We executed our payload by accessing the URL below:
http://127.0.0.1/cuppa/administrator/media/upload_files/evil.php
PHP code is executed.
[Screenshot]

tufik2 commented Nov 6, 2019

Hi, thanks for reporting this issue, it will be solved ASAP.

Debaibi commented Nov 8, 2019

Has any fix been added for this?

We would like to report this to CVE Mitre for registering it with a CVE ID.

Look forward to your response.

tufik2 commented Nov 12, 2019

Hi, this bug has been fixed.

@tufik2 tufik2 closed this as completed Nov 12, 2019
tufik2 commented Nov 13, 2019 via email

honyui commented Dec 10, 2020

This vulnerability still exists: as long as you delete .htaccess via delete, .php files can still be executed.
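The two weaknesses discussed in this thread are the rename bypass in the original report and the deletable .htaccess in the last comment. The following is an added example of how a file-manager rename and delete handler can be validated on the server side; it is not CuppaCMS code, and the function names, upload path and extension list are assumptions.

```php
<?php
// Added example, not part of CuppaCMS: server-side guards for a file-manager
// rename/delete endpoint. validateRenameTarget, isProtectedEntry, UPLOAD_DIR
// and ALLOWED_EXT are hypothetical names chosen for this illustration.

const UPLOAD_DIR  = '/var/www/cuppa/media/upload_files'; // assumed location
const ALLOWED_EXT = ['jpg', 'jpeg', 'png', 'gif', 'webp'];

/**
 * Accept a rename only if the destination is a plain basename inside the
 * upload directory, keeps an allowed image extension as its FINAL extension,
 * and carries no executable marker anywhere in the name. Dropping ".jpg" from
 * "evil.php.jpg" (the report's step 5) therefore fails, as does keeping it.
 */
function validateRenameTarget(string $from, string $to): bool
{
    // Basenames only: no directory components, so no traversal via "to".
    if ($to === '' || $to !== basename($to) || $from !== basename($from)) {
        return false;
    }
    // No null bytes and no dotfiles (.htaccess, .user.ini) as targets.
    if (strpos($to, "\0") !== false || $to[0] === '.') {
        return false;
    }
    // The last extension must be an allowed image type.
    $ext = strtolower(pathinfo($to, PATHINFO_EXTENSION));
    if (!in_array($ext, ALLOWED_EXT, true)) {
        return false;
    }
    // Refuse php/php5/phtml/phar in ANY dot-separated part, because some
    // Apache handler configurations evaluate "x.php.jpg" as PHP.
    foreach (explode('.', strtolower($to)) as $part) {
        if (preg_match('/^ph(p\d?|tml|ar)$/', $part)) {
            return false;
        }
    }
    // The source must resolve to an existing file inside UPLOAD_DIR.
    $base = realpath(UPLOAD_DIR);
    $real = realpath(UPLOAD_DIR . '/' . $from);
    return $base !== false && $real !== false
        && strncmp($real, $base . '/', strlen($base) + 1) === 0;
}

/** Delete guard: dotfiles and anything with a path component are off limits. */
function isProtectedEntry(string $name): bool
{
    return $name === '' || $name[0] === '.' || $name !== basename($name);
}
```

Application-level checks like these are a second layer; the first is to disable script execution for the upload directory in the web server's main configuration, so that the protection does not depend on an .htaccess file the file manager can delete.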
