0x01 Summay In last December last year, there were security problems caused by improper URLDecode. Reference https://github.com/thinksaas/ThinkSAAS/issues/24 To sum up, it is in ThinkSAAS-master\app\topic\action\admin\topic.php , improper filtering of keyword parameters leads to SQL injection. In last year's fix plan (click Here Direct), the first is $title Changed $kw Variable, And, after tsFilter Function filtering. However, there are still security risks now. # Responsible Vulnerability Disclosure info Title: ThinkSAAS has a Post-Auth SQL injection vulnerability in app/topic/action/admin/topic.php Desc: ThinkSAAS before 3.52 has SQL injection via the /index.php?app=topic&ac=admin&mg=topic&ts=list&title=PoC title parameter(need the privilege of admin), allowing logged attackers to execute arbitrary SQL commands. This is a bypass of CVE-2020-35337. CVSS v3.1 Vector: - 7.5 AV:N/AC:H/PR:H/UI:N/S:C/C:H/I:H/A:H/E:F/RL:O/RC:C/CR:H/IR:H/AR:H/MAV:N/MAC:H/MPR:H/...
corresponding 0x00 intro - github repo:https://github.com/lykops/lykops - 121 stars and 65 forks til 2021/2/6 0x01 Post-Auth OS-command injection lykops/library/utils/file.py#248 -> upload_file() we got lykops/lykops/ansible/yaml.py#74 ,github link here vuln param file comes from our HTTP Request in array of FILES[] So we can completely control the unsantized param, and cause a OS-cmd injection the corresponding route is ^ansible/yaml/import$ , we can trigger this vuln by visiting it. Also, you can see that an exception will trigger twice invocations of import_file() ,which means a `sleep 5` command will casue a delay of 10 second POST /ansible/yaml/import/ Host: lykops ... ... ...;filename="test.txt$(sleep 5)" ...