jbroadway / elefant

Elefant, the refreshingly simple PHP CMS and web framework.
http://www.elefantcms.com
MIT License

ElefantCMS 2.2.7 has a Remote Code Execution Vulnerability #326

Closed youyou-pm10 closed 1 year ago

youyou-pm10 commented 1 year ago

Vulnerable path /apps/filemanager/handlers/upload/drop.php

Vulnerable code

Line 50 of "drop.php" uses a vulnerable blacklist, `.(php|phtml|pht|php3|php4|php5|phar|js|rb|py|pl|sh|bash|exe|htaccess|htpasswd)$/i`. The extension ".php." leads to a remote code execution vulnerability on Windows systems.

Line 61 of "drop.php" uses a vulnerable WAF, because the server is running on a Windows system, which does not allow setting the executable flag.

Vulnerability exploitation process:

Log in to "/admin", then find the token in the JS of "filemanager/util/browser" and request "/filemanager/upload/drop". JS PoC:

```html
<html>
<head>
<meta charset="utf-8">
</head>
<body>
<form action="http://your ip/filemanager/upload/drop" method="post" enctype="multipart/form-data">
    <input type="file" name="file" value="1.php."><br>
    <input type="text" name="path" value="."><br>
    <input type="text" name="_token_" value="get it on the js"><br>
    <input type="submit" name="submit" value="submit">
</form>
</body>
</html>
```

You can exploit the vulnerability to execute remote code on the server.

youyou-pm10 commented 1 year ago

In fact, the Windows system will delete all dots after the last word. I understand fixing it by regex because of that. But it is not a better idea; I can use ".php ." (a space and a dot).

youyou-pm10 commented 1 year ago

That means the fix by trim is better, not the fix by regex. Thanks for your reply.

lux commented 1 year ago

> That means the fix by trim is better, not the fix by regex. Thanks for your reply.

Ah, I see. I just modified it to filter by trimming instead. Let me know if that fixes it for you. Thanks!

youyou-pm10 commented 1 year ago

As a final addition, it still has some vulnerabilities on the Windows system.

(1) Alternate data streams. I can use the extension ".php::data" on the Windows system.

(2) The difference of the file system between Windows and Linux.

a. The double quote will be "." : the file '1"php' is equal to '1.php'.

b. The angle brackets "<" and ">" will be "*" and "?". But a file named "1.<<<" just overrides "1.php" or "1.xxx"; it can't create a new file. So it is safe if there is no php and so on.

The following text is just weak, but is safe at the moment.

Warning: the file "1.php:2.jpg" will create a file "1.php" without its content, but I can do the next step by "1.<<<". If there is no "<>", it is safe.

Notice: the file ".user.ini" with content "auto_prepend_file = anyfile" is equal to "include('anyfile')", but at the moment it is safe because your folder has no php. You can fix it or never put php files in the folder.

That's all. I think it's very safe after updating.

lux commented 1 year ago

I just added a check for invalid characters to prevent the upload. The list includes `?*<>:|\/"`, although that may not be exhaustive.
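A defensive filename check that combines the fixes discussed in this thread (reject the invalid-character set, trim trailing dots and spaces before looking at the extension, reject dotfiles, then apply the blacklist), as an added example in PHP; this is not Elefant's own code, and the function name and the sample file names are assumptions constructed for the demonstration.

```php
<?php
// Added example, not Elefant's own upload handler. The blacklist regex is the
// one quoted from drop.php line 50; everything else is assumed.
const BLOCKED_EXT = '/\.(php|phtml|pht|php3|php4|php5|phar|js|rb|py|pl|sh|bash|exe|htaccess|htpasswd)$/i';

/**
 * Returns a safe file name, or null if the upload must be rejected.
 */
function safe_upload_name(string $name): ?string {
    // 1. Drop any directory component (handle both separators for Windows hosts).
    $name = basename(str_replace('\\', '/', $name));

    // 2. Reject characters invalid or special on Windows (the set ?*<>:|\/" from the
    //    comment above) plus control bytes. ':' also blocks NTFS alternate data
    //    streams such as "1.php::$DATA" and names like "1.php:2.jpg".
    if (preg_match('/[?*<>:|\\\\\/"\x00-\x1f]/', $name)) {
        return null;
    }

    // 3. Windows silently strips trailing dots and spaces, so "1.php." and "1.php ."
    //    are stored as "1.php". Normalise first, then inspect the extension.
    $name = rtrim($name, ". ");

    // 4. Reject empty names and dotfiles (.htaccess, .user.ini) after normalisation.
    if ($name === '' || $name[0] === '.') {
        return null;
    }

    // 5. Apply the extension blacklist to the normalised name. An allow-list of the
    //    types the file manager actually expects is stronger than any blacklist.
    if (preg_match(BLOCKED_EXT, $name)) {
        return null;
    }
    return $name;
}

// Constructed cases taken from the discussion above.
$cases = ['photo.jpg', '1.php.', '1.php .', '1.php::$DATA', '1"php', '1.<<<',
          '1.php:2.jpg', '.user.ini', '../1.php'];
foreach ($cases as $c) {
    $r = safe_upload_name($c);
    printf("%-16s => %s\n", json_encode($c), $r === null ? 'REJECTED' : $r);
}
```

Only "photo.jpg" passes; every other case is rejected either by the character check or by the blacklist applied after trimming.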

youyou-pm10 commented 1 year ago

Good idea

lux commented 1 year ago

Thanks again for reporting this!