This issue can be leveraged by an attacker to upload arbitrary files and execute code on the server. This issue was reported to ZFPS by Xiaoyue Chen of the Xuanwu Lab at the University of Toronto. ZFPS fixed the issue in version 4.1.1. PatUsers/admin and Admins/admin are granted full permissions to the /file/upload/1 route. Users/admin and Admins/admin are also granted access to /file/upload/2, /file/upload/3, /file/upload/4 and /file/upload/5. In the following example, we will demonstrate how to exploit this vulnerability to upload a malicious file and execute arbitrary code on the server. The upload_handler() function allows users to upload files with the following syntax:

The following route allows users to upload a file. Unauthenticated users are granted full permissions to this route. The upload_handler() function allows users to upload files with the following syntax:

The following route allows administrators to upload files. *admin is granted full permissions to this route. The upload_handler() function allows administrators to upload files with the following syntax:

The following route allows administrators to upload files. Admins/admin are granted full permissions to this route. The upload_handler() function allows administrators to upload files with the following syntax:
With the help of the file_upload_dir() function, we can specify which directory to

Now we have to upload a malicious file to the server to exploit this vulnerability

If we have an idea on what a malicious file looks like, we can use the following YAML configuration to upload that file.

The following YAML configuration will upload a malicious file from cwd/ to our current directory and execute it on the server at /file/upload/1.

Step 1: List all directories in /file/upload

We can list the directories in /file/upload by typing the following:

Step 2: Upload a malicious file and execute it on the server

Step 1: Create a directory to upload files

The following request will create a directory to upload files. *admin is granted full permissions to this route.

The following request will create a directory to upload files. Admins/admin are granted full permissions to this route.

Vulnerable code – upload_handler() function

Inside the upload_handler() function of the /file/upload route, we can see that in order to upload a file, an authenticated user must execute the following code:


Timeline

Published on: 09/26/2022 20:15:00 UTC
Last modified on: 09/28/2022 19:38:00 UTC

References