CVE-2023-37656: [Warning] RCE in WebsiteGuide v0.2 · Issue #12 · mizhexiaoxiao/WebsiteGuide
WebsiteGuide v0.2 is vulnerable to Remote Command Execution (RCE) via image upload.
Vulnerable product: WebsiteGuide v0.2
Vulnerable version: 0.2
Vulnerability type: Remote Command Execution
Vulnerability Details:
Vulnerability location: Image Upload
The variable `save_path` in /websiteapp/views.py (IconViewSet.post method) does not check the name of the file the user uploads,
so a path containing "…/…/" is accepted,
and it does not check the binary content of the image,
so a user can upload an image, Python code, HTML, and so on.
This insecure image upload can overwrite the original code, which causes Remote Command Execution.
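As an added defensive example (not code from the WebsiteGuide project), this is how the save-path computation described above could be hardened in a Django upload view: the filename is reduced to a plain basename that cannot leave the upload directory, and the content must carry a real image signature. The upload directory, file names and sample bytes are assumptions constructed for the example.

```python
import os
import re
from pathlib import Path

# Constructed upload directory for the example; the project's real media
# path is not given in the report, so this is an assumption.
UPLOAD_ROOT = Path("/srv/websiteguide/media/icons")

# Leading bytes of the image formats an icon upload is allowed to carry.
IMAGE_SIGNATURES = {
    b"\x89PNG\r\n\x1a\n": ".png",
    b"\xff\xd8\xff": ".jpg",
    b"GIF87a": ".gif",
    b"GIF89a": ".gif",
}

# Only a simple 'name.ext' token is accepted; no separators, no dotfiles.
SAFE_NAME = re.compile(r"[A-Za-z0-9_-]{1,64}\.[A-Za-z0-9]{1,5}")


def sniff_image_ext(data: bytes):
    """Return the extension matching the file's leading bytes, else None."""
    for sig, ext in IMAGE_SIGNATURES.items():
        if data.startswith(sig):
            return ext
    return None


def safe_icon_path(filename: str, data: bytes, root: Path = UPLOAD_ROOT) -> Path:
    """Compute a save path that cannot leave `root`, or raise ValueError.

    Closes both defects named in the report: the client-supplied name can no
    longer contribute path components, and the content must look like an image.
    """
    ext = sniff_image_ext(data)
    if ext is None:
        raise ValueError("content is not a PNG, JPEG or GIF")
    # Drop any directory part (covers '../' and backslash separators).
    base = os.path.basename(filename.replace("\\", "/"))
    if not SAFE_NAME.fullmatch(base):
        raise ValueError("unacceptable filename")
    # The stored extension comes from the sniffed content, not from the client.
    target = root / (Path(base).stem + ext)
    # Defence in depth: the normalised path must still sit under root.
    root_abs, target_abs = os.path.abspath(root), os.path.abspath(target)
    if os.path.commonpath([root_abs, target_abs]) != root_abs:
        raise ValueError("path escapes upload directory")
    return target


def is_upload_allowed(filename: str, data: bytes) -> bool:
    """Boolean wrapper so callers need not catch the ValueError."""
    try:
        safe_icon_path(filename, data)
        return True
    except ValueError:
        return False
```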
Payload: https://github.com/Leeyangee/leeya_bug/blob/main/…1…1views.py
The payload is the original code of /websiteapp/views.py with a simple os.system() call added to verify RCE.
(This is just a simple payload: it downloads index.html from http://www.bing.com in order to verify the vulnerability.)
First, add a website in "分组管理" (group management).
After it is created, visit http://localhost:8000/admin/website.
Click the navigator entry "网址管理" (URL management), then click "替换图标" (replace icon).
Click "上传图标" (upload icon) and choose the payload (or, in the normal case, the image you want to upload).
Finally, click "确定" (confirm) to upload.
Capture the network traffic during the whole upload.
After uploading the payload, you can observe the HTTP request you just sent in Burp Suite.
Send it to Repeater and replace the filename …1…1views.py with …/…/views.py,
then click Send to send the payload you have just modified.
Then you can see that the original code in /websiteapp/views.py has changed from [screenshot] to [screenshot],
which means you have changed the Python code and can cause the RCE vulnerability.
Just visit the website page to trigger the API /api/icon; you will find the index.html downloaded from http://www.bing.com at the path /websiteapp/.
This proves RCE.
With the above method, you can upload your file to any location in the website or overwrite any file in the website.
Discovered by leeya_bug