
[Warning] RCE in WebsiteGuide v0.2 #12

@Leeyangee

Description


Vulnerability Product: WebsiteGuide v0.2
Vulnerability version: 0.2
Vulnerability type: Remote Command Execution
Vulnerability Details:
Vulnerability location: Image Upload

The variable "save_path" in /websiteapp/views.py -> IconViewSet.post method does not check the name of the file the user uploads,
so a path such as "../../" is accepted,
and it does not check the binary content of the image,
so a user could upload an image, Python code, HTML and so on.
[image]
The insecure image upload can overwrite the original code, causing Remote Command Execution.

Payload: https://github.com/Leeyangee/leeya_bug/blob/main/..1..1views.py
The payload is the original code at /websiteapp/views.py with a simple os.system() call added to verify RCE
(this is just a simple payload; it downloads index.html from http://www.bing.com in order to verify the vulnerability).

Firstly, add a website in "分组管理" (Group Management).
[image]

After it is built, visit http://localhost:8000/admin/website,
click the navigator "网址管理" (URL Management), and click "替换图标" (Replace Icon).
[image]
Then click "上传图标" (Upload Icon) and choose the payload (or the image you want to upload in a normal situation).
Finally click "确定" (OK) to upload.

Throughout the upload, listen to the network traffic.

After uploading the payload, you can observe the HTTP request you just sent in Burp Suite.
Send it to the Repeater and replace the filename ..1..1views.py with ../../views.py.
[image]
[image]

Finally, click Send to send the payload you just modified.
Then you can see that the original code /websiteapp/views.py has changed from
[image]
to
[image]
That means you have changed the Python code and can cause an RCE vulnerability.

Just visit the website page to trigger the API /api/icon; you can find the index.html downloaded from http://www.bing.com at the path /websiteapp/.
[image]

RCE proved.

By the above method, you can upload your file to any location in the website or overwrite any file in the website.

discovered by leeya_bug
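The report above boils down to a save path built from the client-supplied filename with no traversal check and no content check. As an added example (not WebsiteGuide's code and not part of the issue), the following Python shows the checks an icon upload handler needs to close both gaps: discard any directory component the client sent, allow only image extensions, verify the file's magic bytes match the declared type, let the server choose the stored name, and confirm the resolved path stays inside the upload directory. `ICON_DIR`, `reject_reason` and `safe_icon_path` are names assumed for this example; the upload directory is a constructed placeholder, not the project's real save_path.

```python
import os
import secrets
from pathlib import Path
from typing import Optional

# Constructed placeholder for this example: the directory icons are meant to
# live in. This is an assumption, not WebsiteGuide's real save_path.
ICON_DIR = Path("/tmp/example_icons")

# Extension -> magic bytes. The extension alone is never trusted: the first
# bytes of the file must match, so a views.py renamed to icon.png is refused.
IMAGE_MAGIC = {
    ".png": b"\x89PNG\r\n\x1a\n",
    ".jpg": b"\xff\xd8\xff",
    ".jpeg": b"\xff\xd8\xff",
    ".gif": b"GIF8",
}


def client_basename(filename: str) -> str:
    """Strip every directory component from a client-supplied name.

    Backslashes are normalised first so Windows-style "..\\..\\x" is handled
    the same way as "../../x"; os.path.basename then drops all of it.
    """
    return os.path.basename(filename.replace("\\", "/"))


def reject_reason(filename: str, data: bytes) -> Optional[str]:
    """Return why an upload would be refused, or None if it looks like an image."""
    base = client_basename(filename)
    if base in ("", ".", ".."):
        return "empty or dot-only filename"
    ext = Path(base).suffix.lower()
    if ext not in IMAGE_MAGIC:
        return f"extension {ext or '<none>'} is not an allowed image type"
    if not data.startswith(IMAGE_MAGIC[ext]):
        return "file content does not match the declared image type"
    return None


def safe_icon_path(upload_dir: Path, filename: str, data: bytes) -> Path:
    """Choose the on-disk path for an upload; raises ValueError on anything suspicious."""
    why = reject_reason(filename, data)
    if why is not None:
        raise ValueError(why)
    ext = Path(client_basename(filename)).suffix.lower()
    # The client's name never reaches the filesystem: the server picks a
    # random one, so "../../views.py" cannot become a write target.
    target = (upload_dir / f"{secrets.token_hex(16)}{ext}").resolve()
    root = upload_dir.resolve()
    # Belt and braces: refuse anything whose resolved path leaves the root,
    # which also catches an upload_dir that is itself a symlink elsewhere.
    if root not in target.parents:
        raise ValueError("resolved path escapes the upload directory")
    return target


if __name__ == "__main__":
    # Constructed sample inputs: the traversal name from the report, a
    # Python file disguised with an image extension, and a genuine PNG header.
    samples = [
        ("../../views.py", b"import os\n"),
        ("..\\..\\views.png", b"import os\n"),
        ("icon.png", b"\x89PNG\r\n\x1a\n" + b"\x00" * 8),
    ]
    for name, blob in samples:
        why = reject_reason(name, blob)
        if why:
            print(f"REJECT {name!r}: {why}")
        else:
            print(f"ACCEPT {name!r} -> {safe_icon_path(ICON_DIR, name, blob)}")
```

In a Django view, `data` would be the first chunk of the uploaded file object (for example `request.FILES["icon"].read(16)`), which is enough for the magic-byte check; the server-chosen path from `safe_icon_path` is then the only thing passed to `open()` for writing.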
