
The database backup has a Command Injection Vulnerability

Status: Completed
Created 2020-01-17 10:24

Test environment

OS: Windows
IBOS version: IBOS 4.5.4 OPEN

Code analysis

The database backup function is in the code file IBOS\system\core\utils\Database.php, starting at line 228. It filters some file types and some sensitive characters.

test-1

Inside this function, another filter at line 308 removes some sensitive characters.

test-2

Finally, the command is built starting at line 434 and executed at line 453.

test-3

The code that executes the command at line 453 looks like this. The parameter $dumpFile is inserted into this command string.

```php
`{$mysqlBin}mysqldump --force --quick {$command1} --add-drop-table {$command2} {$command3} --host="{$db['host']}" {$command5} --user="{$db['username']}" --password="{$db['password']}" "{$db['dbname']}" {$tablesstr} > {$dumpFile}`;
```

Because some characters are not filtered, command injection is still possible.

Vulnerability Test

Log in to the IBOS admin backend and open the database function. For faster execution, only one of the data tables is selected for the backup operation.

test-4

Then open "more" and select the options as shown.

test-5

In this filename field you can enter the command you want to run; I ran ipconfig like this.

test-6

Payload

2020-01-17_exdEQ1ro&ipconfig>kkkkkk&ss

Submit it and access a URL like http://127.0.0.1/kkkkkk. You can see the results after the command is executed.

test-7

Solution

Filter more sensitive characters.
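Rather than extending a blocklist of sensitive characters, an allowlist on the file name plus escapeshellarg() on every dynamic value closes the gap. The following is an added example written for this report, not IBOS project code; the names $db, $tablesstr-style table list and $dumpFile mirror the snippet above, while safeBackupName() and buildDumpCommand() are hypothetical helpers.

```php
<?php
// Added example (not IBOS project code): build the mysqldump command so that a
// user-supplied backup file name can never break out of the shell command.

/**
 * Allowlist the backup file name instead of blocklisting "sensitive characters".
 * Only letters, digits, '-' and '_' with an optional .sql suffix are accepted,
 * which rejects '&', '>', ';', '|', '`', '$', spaces and path separators.
 * Returns null when the name is not acceptable.
 */
function safeBackupName(string $name): ?string
{
    if (preg_match('/^[A-Za-z0-9_-]{1,64}(\.sql)?$/', $name) !== 1) {
        return null; // caller reports a validation error and runs nothing
    }
    return $name;
}

/**
 * Build the dump command. Every dynamic value, including the (trusted)
 * credentials, goes through escapeshellarg() so none can add shell syntax.
 */
function buildDumpCommand(array $db, array $tables, string $backupDir, string $name): ?string
{
    $safeName = safeBackupName($name);
    if ($safeName === null) {
        return null;
    }
    $parts = [
        'mysqldump --force --quick --add-drop-table',
        '--host=' . escapeshellarg($db['host']),
        '--user=' . escapeshellarg($db['username']),
        '--password=' . escapeshellarg($db['password']),
        escapeshellarg($db['dbname']),
    ];
    foreach ($tables as $table) {
        $parts[] = escapeshellarg($table);
    }
    $dumpFile = rtrim($backupDir, '/\\') . DIRECTORY_SEPARATOR . $safeName;
    $parts[] = '> ' . escapeshellarg($dumpFile);
    return implode(' ', $parts);
}

// Constructed sample input: a plain name is accepted, while the report's
// injection-style name (containing '&' and '>') is refused before any shell call.
$db = ['host' => '127.0.0.1', 'username' => 'ibos', 'password' => 'secret', 'dbname' => 'ibos'];
var_dump(buildDumpCommand($db, ['ibos_user'], '/var/backup', '2020-01-17_exdEQ1ro') !== null);
var_dump(buildDumpCommand($db, ['ibos_user'], '/var/backup', '2020-01-17_exdEQ1ro&ipconfig>kkkkkk&ss') === null);
```

The regex check runs before the command string is assembled, so a rejected name is logged as a validation failure and never reaches the shell.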

Comments (0)

c0d1M4x created the task
seekArt changed the task status from To do to In progress
seekArt changed the task status from In progress to Completed
