
An Example Analysis of Using a Race Condition to Achieve RCE on a Target Web Application

2025-01-16 Update From: SLTechnology News&Howtos


Shulou (Shulou.com) 05/31 report

Using a race condition to achieve RCE on a target web application is something many less experienced readers do not know how to approach, so this article walks through the cause of the issue and how it was exploited. I hope it helps you work through the same problem.

By combining SQL injection with a race condition, RCE on the target application was achieved by exploiting the time gap between the moment an uploaded file lands on the web server and the moment the server transfers that file to Amazon S3. Because the way this RCE was found is fairly unusual, the rest of this write-up focuses on how the race condition is triggered.

Race condition: in a running computer system, many concurrent, unordered processes make use of a limited set of exclusive, non-preemptible resources. Because the number of processes is unbounded while the resources are limited, contention arises, and this contention is the race. The term race condition describes a situation in which the output of a system or process depends on the sequence or timing of events it does not control. When two or more processes compete for a resource that cannot be accessed simultaneously, the order in which they happen to run can produce incorrect results.

Vulnerability details: upload.php, the first upload function point

The precondition here is that I had already obtained administrator credentials for the target web application through SQL injection. After logging in to its internal administrative interface, I found that news items and articles could be published through the upload.php feature in the admin panel.

Without much thought, I first tried to upload a .php web shell directly through upload.php, but the upload feature blocks files with a .php extension. Switching to bypass variants such as .php3, a doubled extension (phpphp) and null-byte injection in the filename did not work either.

I then thought about stored XSS: could I upload .html, .xml or .svg files? Those uploads did succeed, but because the target application dumps user uploads into an S3 bucket in the cloud, a script executing from the bucket's domain would gain nothing against the application's own origin. So I set that idea aside for the moment and looked elsewhere.

modify.php, the second upload function point

With no other leads, I went back to the "news" section of the admin panel to see whether the add or edit operations offered anything usable. That is when I noticed the "edit" function. At the top right of the file I had uploaded earlier, I clicked the "edit" button:

A window then popped up offering to upload a replacement for the file:

I expected it to apply the same filtering, but in fact it had no extension restrictions at all: any file could be uploaded. If there were no restrictions, it presumably was not calling the earlier upload.php, and indeed it called a different upload endpoint, modify.php. Its request looked like this:

    Content-Disposition: form-data; name="fileid"

    31337
    --09234599689937136550676151776
    Content-Disposition: form-data; name="name"

    picture-1.png
    --09234599689937136550676151776
    Content-Disposition: form-data; name="description"


    --09234599689937136550676151776
    Content-Disposition: form-data; name="userfile"; filename="reverse.php"
    Content-Type: text/php
