CRMEB icon indicating copy to clipboard operation
CRMEB copied to clipboard

Published 20 hours ago verified publisher icon crmeb

About a file upload vulnerability

Open key141 opened this issue 1 year ago • 3 comments

CRMEB vulnerability report.docx

The defect code is in the $filename variable in the videoUpload function in the \crmeb\app\services\system\attachment\SystemAttachmentServices.php file, that is, $filename = $all_dir . '/' . $data['filename'] . '__ ' . $data['chunkNumber'];, it splices $data['chunkNumber'] at the end, which is a controllable parameter transfer on the client side, so that the value of $data['chunkNumber'] can be modified to The suffix is ​​php, which causes the written malicious code to be parsed and executed.

public function videoUpload($data, $file) { $public_dir = app()->getRootPath() . 'public'; $dir = '/uploads/attach/' . date('Y') . DIRECTORY_SEPARATOR . date('m') . DIRECTORY_SEPARATOR . date('d'); $all_dir = $public_dir . $dir; if (!is_dir($all_dir)) mkdir($all_dir, 0777, true); $filename = $all_dir . '/' . $data['filename'] . '' . $data['chunkNumber']; move_uploaded_file($file['tmp_name'], $filename); $res['code'] = 0; $res['msg'] = 'error'; $res['file_path'] = ''; if ($data['chunkNumber'] == $data['totalChunks']) { $blob = ''; for ($i = 1; $i <= $data['totalChunks']; $i++) { $blob .= file_get_contents($all_dir . '/' . $data['filename'] . '' . $i); } file_put_contents($all_dir . '/' . $data['filename'], $blob); for ($i = 1; $i <= $data['totalChunks']; $i++) { @unlink($all_dir . '/' . $data['filename'] . '' . $i); } if (file_exists($all_dir . '/' . $data['filename'])) { $res['code'] = 2; $res['msg'] = 'success'; $res['file_path'] = sys_config('site_url') . $dir . '/' . $data['filename']; } } else { if (file_exists($all_dir . '/' . $data['filename'] . '' . $data['chunkNumber'])) { $res['code'] = 1; $res['msg'] = 'waiting'; $res['file_path'] = ''; } } return $res; } }

Vulnerability Exploitation Steps:

  1. Log in to the background

image

  1. Select commodity, then select commodity Management, and click Add commodity.

image

3、 Select any commodity category, enter any commodity name, and enter any commodity unit image

4、Open the add video button image

  1. Use any packet capture tool to open the interception package. I am using BurpSuite here. (As shown below)

image

6、 Click the plus sign and select the test video you prepared (recommended video length is less than 10 seconds)

image

7、The package is successfully truncated (as shown in the figure below)

image

8.、Select the all uploaded video data and delete it. (As shown below)

image

9、After the deletion is complete, write the malicious code on it

image

10、Replace the content below the chunkNumber pass parameter with 1.php

image

11、Click forward Package

image

Malicious file has been successfully uploaded, how to access it?

An example is as follows: http://your domain name/uploads/attach/year when you uploaded/month when you uploaded/day when you uploaded/file name__ (note the double underscore here) 1.php

(This is because the program will create some file directories named after your upload time)

So My current time is April 13, 2023, so my access example is as follows: http://192.168.101.100/uploads/attach/2023/04/13/68CECACC23AB0161625A5BFFE46C3E7A.mp4__1.php

Access the malicious code file just uploaded and execute it successfully image

key141 avatar Apr 13 '23 23:04 key141

我遇到了相同的问题,可以提供更多信息帮助我修复吗?

en0th avatar Sep 12 '23 02:09 en0th

这是来自QQ邮箱的自动回复邮件。   您好,我不在电脑前,无法亲自回复您的邮件。我将尽快给您回复。

fengmangbl avatar Sep 12 '23 02:09 fengmangbl

这是来自QQ邮箱的假期自动回复邮件。你好,我最近正在休假中,无法亲自回复你的邮件。我将在假期结束后,尽快给你回复。

pk2993635720 avatar Sep 12 '23 02:09 pk2993635720