Headline
CVE-2023-34738: Arbitrary file upload vulnerability in Chemex 3.7.1 · Issue #64 · celaraze/chemex
Chemex through 3.7.1 is vulnerable to arbitrary file upload.
1. Synopsis
Chemex is vulnerable to arbitrary file upload, which can lead to remote code execution.
This vulnerability exists in the latest version of Chemex at the time of writing, 3.7.1, and in all earlier versions. The upload/import function enforces its file-type filter only in the frontend; the backend code performs no check at all, so an attacker can bypass the filter simply by editing the request with a tool such as Burp Suite.
2. Analysis
The vulnerable endpoints are listed below:
/dcat-api/form/upload (/organization/users)
/device/records
/device/categories
/vendor/records
We will analyse the /organization/users endpoint.
The corresponding code is the form function in chemex-main/app/Admin/Forms/UserImportForm.php.
It restricts the accepted types to xlsx and csv files, but only in the frontend.
The backend upload code is the upload function in chemex-main/vendor/dcat/laravel-admin/src/Form/Field/UploadField.php.
Reading that code shows there is no file-type filter at all on the server side: the filename and content sent by the client are accepted as-is.
3. Exploit
You can use the following syntax to search for vulnerable targets on the internet with Hunter (https://hunter.qianxin.com/): web.body="让IT资产管理更加简单"&&web.body="dcat-admin/dcat/plugins/vendors.min.js"
The upload endpoints require an authenticated session. You can log in with the default credentials admin : admin, or other simple passwords.
The following targets have been tested by me:
https://gz.yunxiaoseo.com/ admin : 123456
http://42.192.138.41:8005/ admin : admin
https://jixiadmin.qiyekj.cn/ admin : admin
http://121.28.101.42:81/ admin : admin
http://81.70.56.151/ admin : admin
The target we are going to test is http://81.70.56.151/; it runs the latest version I have found so far (the latest is 3.7.1).
Click the "组织" (Organization) button, or go directly to the URL /organization/users, then click the green "导入人员信息模板" (Import personnel information template) button.
A dialog will pop up asking you to select a file to upload. Drag or select an xlsx file to upload, then intercept the request with Burp.
In Burp, send the request to Repeater, change the filename parameter to a .php name, and replace the file body with some simple PHP code that executes a command.
The path of the uploaded file is echoed in the response; open that path in your web browser.
Finally, you gain code execution.
A video demonstration against the latest version can be found at: https://mega.nz/file/dUlAyY7J#5ceaOxDibsRaqSC8VEqB6IZCWdiFCU1-WhfbLB72la0
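The analysis above says the backend accepts whatever filename and content the client sends, and the exploit walkthrough shows that a frontend xlsx/csv filter is bypassed just by editing the filename in Burp Repeater. The following is an added example (not code from Chemex or dcat-admin) of the server-side check that is missing: it parses a multipart upload, re-derives the extension on the server, verifies that the bytes actually look like the claimed type, and stores the file under a server-generated name. The boundary string, form field name and the sample request bodies are constructed for this example.

```python
"""Server-side validation for an xlsx/csv import upload.

Added example; not code from Chemex or dcat-admin. A filename edited in an
intercepting proxy reaches the handler unchecked when the only filter is in
the browser form, so the backend re-derives the extension itself, checks
that the bytes match it, and stores the file under a server-generated name.
Boundary, field name and sample bodies are constructed for the example.
"""
import io
import os
import re
import secrets
import zipfile

ALLOWED_EXTENSIONS = {"xlsx", "csv"}
BOUNDARY = "----ExampleBoundary7MA4YWxk"  # assumed; a browser chooses its own


def build_multipart(filename: str, content: bytes) -> bytes:
    """Construct a multipart/form-data body as a browser (or Burp Repeater) sends it."""
    head = (
        f"--{BOUNDARY}\r\n"
        f'Content-Disposition: form-data; name="file"; filename="{filename}"\r\n'
        "Content-Type: application/octet-stream\r\n\r\n"
    ).encode()
    return head + content + f"\r\n--{BOUNDARY}--\r\n".encode()


def parse_multipart(body: bytes, boundary: str = BOUNDARY):
    """Return (filename, content) of the first file part, or (None, None)."""
    delim = b"--" + boundary.encode()
    for chunk in body.split(delim)[1:]:
        if chunk.startswith(b"--"):  # closing delimiter
            break
        head, sep, data = chunk.partition(b"\r\n\r\n")
        match = re.search(rb'filename="([^"]*)"', head) if sep else None
        if match is None:
            continue  # not a file part
        if data.endswith(b"\r\n"):
            data = data[:-2]  # CRLF that precedes the next delimiter
        return match.group(1).decode("utf-8", "replace"), data
    return None, None


def sniff_type(content: bytes):
    """Infer the real type from the bytes, not from the client-supplied name."""
    if content.startswith(b"PK\x03\x04"):  # xlsx is a zip container
        try:
            with zipfile.ZipFile(io.BytesIO(content)) as zf:
                return "xlsx" if "xl/workbook.xml" in zf.namelist() else None
        except zipfile.BadZipFile:
            return None
    try:
        text = content.decode("utf-8")
    except UnicodeDecodeError:
        return None
    # Heuristic for CSV: text without NUL bytes or a PHP open tag.
    return None if ("\x00" in text or "<?" in text) else "csv"


def validate_upload(filename: str, content: bytes):
    """Allowlist check the backend must do itself. Returns (ok, detail)."""
    base = os.path.basename(filename.replace("\\", "/"))  # strip path components
    ext = base.rsplit(".", 1)[-1].lower() if "." in base else ""
    if ext not in ALLOWED_EXTENSIONS:
        return False, f"extension '{ext}' not in allowlist"
    if sniff_type(content) != ext:
        return False, f"content does not look like {ext}"
    # Never keep the client's name: a random server-side name with an
    # allowlisted extension cannot be executed as PHP by the web server.
    return True, f"{secrets.token_hex(16)}.{ext}"


def handle_upload(body: bytes) -> dict:
    """What the import endpoint should do before writing anything to disk."""
    filename, content = parse_multipart(body)
    if filename is None:
        return {"status": "rejected", "reason": "no file part"}
    ok, detail = validate_upload(filename, content)
    if not ok:
        return {"status": "rejected", "reason": detail}
    return {"status": "accepted", "stored_as": detail}


def sample_xlsx() -> bytes:
    """Minimal zip with the member a real workbook contains (constructed)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("xl/workbook.xml", "<workbook/>")
    return buf.getvalue()


if __name__ == "__main__":
    # A legitimate import, then the same request with its filename edited in a proxy.
    print(handle_upload(build_multipart("users.xlsx", sample_xlsx())))
    print(handle_upload(build_multipart("shell.php", b"<?php echo 'x'; ?>")))
    print(handle_upload(build_multipart("shell.xlsx", b"<?php echo 'x'; ?>")))
```

The third request (PHP body under an .xlsx name) is rejected even though its extension is allowlisted, which is why the content check matters on servers where a misconfigured handler could still execute the file; the random stored name removes the attacker's control over the final path entirely.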