crmeb/CRMEB

About a file upload vulnerability

key141 opened this issue · 3 comments

key141 commented

CRMEB vulnerability report.docx

The defect code is in the $filename variable in the videoUpload function in the \crmeb\app\services\system\attachment\SystemAttachmentServices.php file, that is, $filename = $all_dir . '/' . $data['filename'] . '__ ' . $data['chunkNumber'];, it splices $data['chunkNumber'] at the end, which is a controllable parameter transfer on the client side, so that the value of $data['chunkNumber'] can be modified to The suffix is ​​php, which causes the written malicious code to be parsed and executed.

public function videoUpload($data, $file)
{
$public_dir = app()->getRootPath() . 'public';
$dir = '/uploads/attach/' . date('Y') . DIRECTORY_SEPARATOR . date('m') . DIRECTORY_SEPARATOR . date('d');
$all_dir = $public_dir . $dir;
if (!is_dir($all_dir)) mkdir($all_dir, 0777, true);
$filename = $all_dir . '/' . $data['filename'] . '' . $data['chunkNumber'];
move_uploaded_file($file['tmp_name'], $filename);
$res['code'] = 0;
$res['msg'] = 'error';
$res['file_path'] = '';
if ($data['chunkNumber'] == $data['totalChunks']) {
$blob = '';
for ($i = 1; $i <= $data['totalChunks']; $i++) {
$blob .= file_get_contents($all_dir . '/' . $data['filename'] . '
' . $i);
}
file_put_contents($all_dir . '/' . $data['filename'], $blob);
for ($i = 1; $i <= $data['totalChunks']; $i++) {
@Unlink($all_dir . '/' . $data['filename'] . '' . $i);
}
if (file_exists($all_dir . '/' . $data['filename'])) {
$res['code'] = 2;
$res['msg'] = 'success';
$res['file_path'] = sys_config('site_url') . $dir . '/' . $data['filename'];
}
} else {
if (file_exists($all_dir . '/' . $data['filename'] . '
' . $data['chunkNumber'])) {
$res['code'] = 1;
$res['msg'] = 'waiting';
$res['file_path'] = '';
}
}
return $res;
}
}

Vulnerability Exploitation Steps:

  1. Log in to the background

image

  1. Select commodity, then select commodity Management, and click Add commodity.

image

3、 Select any commodity category, enter any commodity name, and enter any commodity unit
image

4、Open the add video button
image

  1. Use any packet capture tool to open the interception package. I am using BurpSuite here. (As shown below)

image

6、 Click the plus sign and select the test video you prepared (recommended video length is less than 10 seconds)

image

7、The package is successfully truncated (as shown in the figure below)

image

8.、Select the all uploaded video data and delete it. (As shown below)

image

9、After the deletion is complete, write the malicious code on it

image

10、Replace the content below the chunkNumber pass parameter with 1.php

image

11、Click forward Package

image

Malicious file has been successfully uploaded, how to access it?

An example is as follows:
http://your domain name/uploads/attach/year when you uploaded/month when you uploaded/day when you uploaded/file name__ (note the double underscore here) 1.php

(This is because the program will create some file directories named after your upload time)

So My current time is April 13, 2023, so my access example is as follows:
http://192.168.101.100/uploads/attach/2023/04/13/68CECACC23AB0161625A5BFFE46C3E7A.mp4__1.php

Access the malicious code file just uploaded and execute it successfully
image

en0th commented

我遇到了相同的问题,可以提供更多信息帮助我修复吗?