https://github.com/gnuboard/gnuboard5/commit/6dc462d7843bc09ccef08f1128cb4b445da1d6c9

 

(KVE-2021-0849) Fix .phar extension file upload vulnerability · gnuboard/gnuboard5@6dc462d

Showing 3 changed files with 4 additions and 4 deletions: +1 −1 bbs/qawrite_update.php, +1 −1 bbs/write_update.php, +2 −2 instal

 

A vulnerability a colleague at work came across while finding the one above.

 

 

/etc/apache2/mods-enabled/php7.4.conf

When PHP (7.2?) runs under Apache, the SetHandler block in this file causes .phar files to be executed as PHP.

shell

I created a file with the contents above as test.phar.

Shell screen

 

Whoa; if you're going to check file uploads based on a blacklist, you'd better be careful..
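To make the blacklist point concrete, here is an added example (my own code, not gnuboard's and not the code from the commit above). It assumes the `FilesMatch` pattern from Debian's `/etc/apache2/mods-available/php7.4.conf`, which sends every name ending in `.phar`, `.php` or `.phtml` to the PHP handler, and an illustrative deny list that, like the pre-fix code, does not mention `phar`:

```php
<?php
// Added example; this is not gnuboard's code.
// Debian's php7.4.conf routes any filename matching this pattern to the PHP
// handler, so ".phar" executes exactly like ".php":
//   <FilesMatch ".+\.ph(ar|p|tml)$">
//       SetHandler application/x-httpd-php
//   </FilesMatch>
const APACHE_PHP_HANDLER_PATTERN = '/.+\.ph(ar|p|tml)$/';

// A blacklist filter of the kind that missed .phar. The list itself is an
// assumption for illustration, not the exact list gnuboard used before the fix.
function blacklistAccepts(string $filename): bool
{
    $denied = ['php', 'php3', 'php4', 'php5', 'phtml', 'phtm', 'html', 'htm'];
    $ext = strtolower(pathinfo($filename, PATHINFO_EXTENSION));
    return !in_array($ext, $denied, true);
}

// Allow-list filter: anything not explicitly permitted is rejected, so an
// extension the author never thought of (phar, or the next one) is denied by default.
function allowlistAccepts(string $filename): bool
{
    $allowed = ['jpg', 'jpeg', 'png', 'gif', 'pdf', 'zip'];
    $ext = strtolower(pathinfo($filename, PATHINFO_EXTENSION));
    return in_array($ext, $allowed, true);
}

// Would Apache hand a file with this name to the PHP interpreter?
function apacheExecutesAsPhp(string $filename): bool
{
    return preg_match(APACHE_PHP_HANDLER_PATTERN, $filename) === 1;
}

// Constructed sample names; test.phar is the case from the post.
foreach (['photo.png', 'test.phar', 'shell.php', 'page.phtml'] as $name) {
    printf(
        "%-12s blacklist=%-4s allowlist=%-4s apache_executes=%s\n",
        $name,
        blacklistAccepts($name) ? 'pass' : 'deny',
        allowlistAccepts($name) ? 'pass' : 'deny',
        apacheExecutesAsPhp($name) ? 'yes' : 'no'
    );
}
```

Running it shows `test.phar` passing the blacklist while Apache would still execute it, and the allow-list rejecting it. Extension filtering is only one layer: storing uploads outside the document root, or giving the upload directory its own configuration that removes the PHP handler, means an unexpected extension cannot become code execution at all.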

I'm going to write about the RCE in the MyBB 1.8.22 admin panel, which I analyzed a lot over the past year, because of the ninja patch.

 

 

1. MyBB error function code (/inc/class_error.php) 

If you look at the code above, it checks the value of the settings variable and runs the log_error function.

 

 

2. MyBB log_error function code (/inc/class_error.php) 

 

If you look at the code above, it checks the value of the settings variable and generates an error log file at that path.

 

 

 

3. MyBB Setting page in Admin panel (/admin/modules/config/settings.php)

If you look at the code in the picture above, after checking the input and updating the data in the database, it calls the rebuild_settings() function.

 

4. MyBB rebuild_settings function code (/inc/functions.php)

If you look at the code above, it SELECTs the values from the settings table, replaces dangerous strings in the data, and then calls the file_put_contents function.

 

 

1. error log setting page in Admin Panel

If you look at the MyBB admin panel, there is a place to set up the error log.

 

If you can get PHP code into the error, RCE is possible!

 

4. MyBB Setting page in Admin panel (/admin/modules/config/settings.php)

If you look at the code above, it checks the path using the realpath function and passes it if the result is not false.

 

5. php.net/realpath function

The realpath function checks whether the path actually exists and returns the canonical path with "./", "../", etc. resolved, as shown in the picture below.

 

6. realpath function return value

However, the realpath function has the following trick:

 

7. realpath function trick

Using this trick, the check in image 4 could be bypassed.
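The check in image 4 trusts a single `realpath()` call: if the result is not `false`, the admin-supplied path is accepted as the error log location and later written to by `log_error`. Here is an added example of how I would validate that setting instead; it is my own code, not MyBB's, and the rules it enforces (the log must live under a fixed base directory and be named `something.log`) are choices made for this example:

```php
<?php
// Added example; this is not MyBB's code. Validates an admin-supplied error
// log path without relying on realpath() alone. Assumptions: the log must sit
// directly under $baseDir (or a subdirectory of it) and end in ".log".
function validateLogPath(string $userPath, string $baseDir): ?string
{
    // Resolve only the directory part. realpath() returns false for a directory
    // that does not exist, and this function fails closed on false.
    $dir  = realpath(dirname($userPath));
    $base = realpath($baseDir);
    if ($dir === false || $base === false || !is_dir($dir)) {
        return null;
    }

    // Confine to the base directory. Compare with a trailing separator so that
    // "/var/log/app-evil" is not accepted as a prefix match for "/var/log/app".
    $basePrefix = rtrim($base, DIRECTORY_SEPARATOR) . DIRECTORY_SEPARATOR;
    $dirPrefix  = rtrim($dir, DIRECTORY_SEPARATOR) . DIRECTORY_SEPARATOR;
    if (strncmp($dirPrefix, $basePrefix, strlen($basePrefix)) !== 0) {
        return null;
    }

    // The file name is checked separately and strictly: one plain name, one
    // ".log" extension, no dots elsewhere, so "x.php" and "x.php.log" are rejected.
    $file = basename($userPath);
    if (preg_match('/^[A-Za-z0-9_-]+\.log$/', $file) !== 1) {
        return null;
    }

    // If the target already exists it must be a regular file, not a symlink
    // pointing somewhere outside the base directory.
    $full = $dir . DIRECTORY_SEPARATOR . $file;
    if (file_exists($full) && (is_link($full) || !is_file($full))) {
        return null;
    }
    return $full;
}

// Constructed demo: a scratch base directory and a few candidate settings.
$base = sys_get_temp_dir() . DIRECTORY_SEPARATOR . 'errorlog-demo';
@mkdir($base);
$candidates = [
    'app.log',          // accepted
    '../shell.php',     // directory escapes the base: rejected
    'shell.php',        // wrong extension: rejected
    'shell.php.log',    // double extension: rejected
    'missing/app.log',  // directory does not exist, realpath() is false: rejected
];
foreach ($candidates as $candidate) {
    $result = validateLogPath($base . DIRECTORY_SEPARATOR . $candidate, $base);
    printf("%-18s => %s\n", $candidate, $result ?? 'rejected');
}
```

The directory and the file name are validated as two separate questions on purpose: `realpath()` answers "where does this directory resolve to", and a separate allow-list regex answers "is this file name acceptable", so neither a clever path string nor an unexpected extension gets a writable PHP file under the web root. Keeping the base directory outside the document root, with no PHP handler for it, removes the remaining risk that log content is ever executed.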

 

 

The exploit is as follows.

 

8. error log setting page in Admin Panel

Set it up as above.

 

 

9. Attach a file to a MyBB board

 

10. Error display
11. Webshell successfully written

Ninja Patch is a waste, but it was fun!

 

If you have any questions, please contact me on Twitter.
