Pluck-4.7.15 admin background exists a remote command execution vulnerability when uploading files #98
Comments
|
Could you please retest with this version? |
Ok, after testing, I can't delete ".htaccess". |
|
But I don't think it's good enough to use ".htaccess" to block access to ".php" type files, because it only works in apache and if I use nginx I can ignore it. |
|
How would you resolve this for ngnix? |
The core of the solution is to make the upload folder unexecutable. My idea is to let the user choose whether the server is apache or nginx when installing the program, and if it is nginx, the program automatically or the user manually modifies the nginx configuration to make the upload folder unexecutable. Finally add a detection function to disallow the installation if the folder is executable. Sorry, I'm not a professional developer and not good at development, so I don't know if my idea is possible. |
|
The folder and the contents is not executed, PHP parses a php file and is the executer, not the file itself. that is why the .htaccess file disables php engine as a whole. |
Can the php installer modify nginx.conf? |
|
It would be very bad if this would be possible since the install.php is just a script which lives as part of the website. The config of the webserver should not be available for the install script. |
Well, I don't have a good solution for now, I'll contact you later when I think of one. |
I was able to successfully bypass and delete the .htaccess. Adding "/" to the file name successfully bypasses the restriction and removes the .htaccess. |
|
Could you perform a retest with the latest dev version? |
I uploaded any file in the "manage files" section, here I uploaded a "1.jpg".
Found two files at the upload folder.
Looked at the source code for the delete file function. On lines 21 and 22 of "data/in/deletefile.php", the logic is that the file ".htaccess" is not allowed to be deleted. But it can be bypassed.
I clicked on the delete button on the page for "1.jpg" and sniffered the packet.
Change the value of the request parameter "var" to ".Htaccess" (the suffix name is not case sensitive in Windows)
".Htaccess" is already in the trash.
The ".htaccess" in the upload folder has been copied to the trash folder.
Looked at the source code for the upload function, lines 34 to 52 of "data/in/file.php".
The code logic is as follows.
Use race condition for attacks.
First I create a "phpinfo.php" file.
poc:
Upload the file and sniffer a packet of the upload request and send it to intruder (add variable a=1 to keep sniffering the request packet).
Then sniffer a packet that accesses the file and send it to intruder.
Both intruder types are selected as "Numbers" and the number is 10000.
Threads are set to 20.
Start the attack, when the status of the request to access the file is 200, it means that the file was uploaded successfully and the code was executed.
Upload webshell with race condition and successfully gain access to the server.
exploit:
(Note: the ".php" file only exists when the race condition is in place, if the race condition is stopped the ".php" file will still be a ".php.txt" file, so the shell will disconnect. The shell will then disconnect. (So maintaining permissions requires that race condition be maintained at all times)
From: huanyu@tsign.cn
The text was updated successfully, but these errors were encountered: