Analysis of SQLiteManager vulnerabilities in the MAMP integrated environment suite - Vulnerability warning - myhack58

ID MYHACK58:62201787472
Type myhack58
Reporter Anonymous
Modified 2017-06-29T00:00:00


1. Foreword

MAMP is an integrated environment suite; the four letters stand for Mac OS X, Apache, MySQL and PHP. The MAMP suite bundles SQLiteManager, and this SQLiteManager contains several vulnerabilities. When a MAMP user visits a malicious website, an attacker can chain these vulnerabilities to execute code on the user's machine. This article analyses that case.

2. Background

2.1 MAMP

MAMP is a web integrated environment suite that can be installed on Mac OS X. Web developers usually use MAMP to test the web applications they are developing. MAMP installs an Apache service on the system, listening on port 8888 by default, and also includes some database management programs such as phpMyAdmin and SQLiteManager.

2.2 SQLiteManager

SQLiteManager is a SQLite database management tool whose role is similar to that of phpMyAdmin. With SQLiteManager you can create a new database, add tables to it and run SQL queries. SQLiteManager has not been updated since 2013 and already contains some known vulnerabilities.

3. Vulnerability analysis

3.1 Directory traversal vulnerability

SQLiteManager can be used to create a new database. A SQLite database is contained in a single file, and when creating a database we can specify the file name of the new database. The new database file is placed in the /Applications/MAMP/db/sqlite directory. However, we can add "../" strings to the file name to jump to the parent directory, so the database is stored in the parent directory instead. With the same technique we can store a file containing PHP code in the web root: a file name such as "../../htdocs/script.php" places script.php in the web root directory. Then, using SQLiteManager, we can create a table and add a row containing our PHP code. script.php is then a valid SQLite database file that also contains PHP code; when the file is accessed, the PHP code runs.
3.2 CSRF vulnerability

An attacker cannot directly reach a SQLiteManager instance running on localhost. However, if the attacker can run JavaScript in the victim's browser, he can "forge" a request to carry out the attack. If the user visits the attacker's website from the host on which MAMP is installed, the attacker can use the browser on that host to issue requests, and those requests can reach the SQLiteManager running on localhost. Bouncing a request through the victim's browser in this way is called cross-site request forgery (CSRF). SQLiteManager uses no CSRF protection mechanism at all, so the directory traversal vulnerability described in 3.1 can also be triggered via CSRF. The attacker can use JavaScript to issue POST requests that create the database, fill it with data, and then request the resulting file. As a result, when the victim visits a malicious website, the attacker can use this method to run code on the victim's host where MAMP is installed.

For example, the following JavaScript code issues the request that creates the database:

    let formData = new FormData();
    formData.append("dbname", "somename");
    formData.append("dbVersion", 3);
    formData.append("dbpath", "../../htdocs/script.php");
    formData.append("action", "saveDb");

    fetch("http://localhost:8888/sqlitemanager/main.php", { method: "POST", body: formData });

After creating a table, we can insert the payload:

    let payload = "";  // the payload itself is not given on the page
    let formData = new FormData();
    formData.append("funcs[test]", "");
    formData.append("valField[test]", payload);
    formData.append("action", "saveElement");
    formData.append("currentPage", "");
    formData.append("after_save", "properties");

    return fetch("http://localhost:8888/sqlitemanager/main.php?dbsel=1&table=test", { method: "POST", body: formData }).catch(e => e);

The dbsel value is the number of the database we just created. Although we cannot know the exact value, we can try every value between 0 and 50 and hope to hit the right one. When we then issue a request to access the file, the osascript command is executed and a dialog box pops up (screenshot not reproduced here).

4. Summary

By combining the CSRF and directory traversal vulnerabilities, we gain remote code execution when the victim visits a website carrying malicious JavaScript. An immediate fix for this problem is to disable SQLiteManager. MAMP users can edit the configuration file /Applications/MAMP/conf/apache/httpd.conf to disable SQLiteManager. Unless someone takes over maintenance of SQLiteManager, these holes will most likely never be fixed. phpLiteAdmin can already be used for SQLite management in MAMP instead. A more general solution is to forbid public Internet sites from accessing private RFC 1918 IP addresses. There is already a relevant proposal that recommends blocking such requests by default and then introducing new CORS headers to explicitly allow such a request through. If you have more suggestions, please share them with us.
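Section 3.2 turns on SQLiteManager accepting state-changing POSTs from any origin, and section 4 offers only the blunt fix of disabling it. The following is an added example in JavaScript (Node), not code from SQLiteManager or MAMP, showing the two things a defender would want in between: an Origin/Referer check of the kind SQLiteManager lacks, which rejects the forged POSTs shown above, and a scan over Apache "combined" access-log lines that flags POSTs to /sqlitemanager/ whose Referer is not the local origin. The allowed origins, the header-object shape (lowercase keys, as Node's http module provides) and the sample log lines are all constructed assumptions.

```javascript
// Added example (defender's side, not SQLiteManager's or MAMP's own code).
// Part 1: a same-origin check that would reject the forged POSTs from 3.2.
// Part 2: a detection pass over Apache combined-format access-log lines.

// Origins allowed to drive SQLiteManager (assumed: only the local MAMP site).
const ALLOWED_ORIGINS = new Set(["http://localhost:8888", "http://127.0.0.1:8888"]);

// Reduces a URL to its scheme://host[:port] origin; null if absent or unparsable.
function originOf(url) {
  if (!url) return null;
  try {
    return new URL(url).origin;
  } catch (e) {
    return null;
  }
}

// Returns true when a state-changing request carries an Origin (or, failing
// that, a Referer) from an allowed origin. Requests with neither header are
// rejected: browsers send Origin on cross-site POSTs, so a missing one is not
// evidence of a same-site request. `headers` uses lowercase keys.
function isTrustedOrigin(headers, allowed = ALLOWED_ORIGINS) {
  const origin = headers.origin || originOf(headers.referer);
  return origin !== null && allowed.has(origin);
}

// Apache combined format: ip ident user [date] "request" status bytes "referer" "ua"
const LOG_RE = /^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+) [^"]*" (\d{3}) \S+ "([^"]*)" "[^"]*"$/;

// Returns the lines that look like CSRF against SQLiteManager: a POST to
// /sqlitemanager/ whose Referer is missing or outside the allowed origins.
function findCsrfIndicators(lines, allowed = ALLOWED_ORIGINS) {
  const hits = [];
  for (const line of lines) {
    const m = LOG_RE.exec(line);
    if (!m) continue;
    const [, , , method, target, , referer] = m;
    if (method !== "POST" || !target.startsWith("/sqlitemanager/")) continue;
    const origin = originOf(referer);
    if (origin === null || !allowed.has(origin)) {
      hits.push({ target, referer: referer || "(none)" });
    }
  }
  return hits;
}

// Constructed sample log lines (not real traffic): a legitimate same-origin
// POST, a forged POST referred from an external page, and an unrelated GET.
const SAMPLE_LOG = [
  '127.0.0.1 - - [29/Jun/2017:10:00:01 +0000] "POST /sqlitemanager/main.php HTTP/1.1" 200 512 "http://localhost:8888/sqlitemanager/main.php" "Mozilla/5.0"',
  '127.0.0.1 - - [29/Jun/2017:10:00:05 +0000] "POST /sqlitemanager/main.php?dbsel=1&table=test HTTP/1.1" 200 512 "https://attacker.example/" "Mozilla/5.0"',
  '127.0.0.1 - - [29/Jun/2017:10:00:06 +0000] "GET /script.php HTTP/1.1" 200 64 "-" "Mozilla/5.0"',
];

// Only the second line is reported.
const INDICATORS = findCsrfIndicators(SAMPLE_LOG);
```

The log scan is a cheap retrospective check on an existing MAMP install; the origin check is what a maintained SQLiteManager (or a reverse proxy in front of it) would apply before acting on any POST. Neither replaces the browser-side restriction on public-to-private-network requests that section 4 mentions, which stops the forged request before it leaves the page.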