Форум АНТИЧАТ - Показать сообщение отдельно

CSRF -> RCE (bypass default samesite cookie value Lax)

Плагин File Browser v. 1.00

В целом обычная csrf в плагине и совершенно очевидный обход ограничений в PHP

приложениях дефолтных Samesite cookie Lax.

Из коробки POST запросы эксплуатировать тяжело, но большинство трудностей

улетучивается когда разрабы используют $_REQUEST или функции/конструкции наподобие

этих:

PHP код:


		
			
PHP:
[COLOR="#000000"][COLOR="#0000BB"]$var[/COLOR][COLOR="#007700"]=[/COLOR][COLOR="#0000BB"]$_SERVER[/COLOR][COLOR="#007700"][[/COLOR][COLOR="#DD0000"]'REQUEST_METHOD'[/COLOR][COLOR="#007700"]] ===[/COLOR][COLOR="#DD0000"]'POST'[/COLOR][COLOR="#007700"]?[/COLOR][COLOR="#0000BB"]$_POST[/COLOR][COLOR="#007700"]:[/COLOR][COLOR="#0000BB"]$_GET[/COLOR][COLOR="#007700"];

[/COLOR][COLOR="#FF8000"]# или например
# from LiveStreet CMS

[/COLOR][COLOR="#007700"]function[/COLOR][COLOR="#0000BB"]getRequest[/COLOR][COLOR="#007700"]([/COLOR][COLOR="#0000BB"]$sName[/COLOR][COLOR="#007700"],[/COLOR][COLOR="#0000BB"]$default[/COLOR][COLOR="#007700"]=[/COLOR][COLOR="#0000BB"]null[/COLOR][COLOR="#007700"],[/COLOR][COLOR="#0000BB"]$sType[/COLOR][COLOR="#007700"]=[/COLOR][COLOR="#0000BB"]null[/COLOR][COLOR="#007700"])
{
    switch ([/COLOR][COLOR="#0000BB"]strtolower[/COLOR][COLOR="#007700"]([/COLOR][COLOR="#0000BB"]$sType[/COLOR][COLOR="#007700"])) {
        default:
        case[/COLOR][COLOR="#0000BB"]null[/COLOR][COLOR="#007700"]:
[/COLOR][COLOR="#0000BB"]$aStorage[/COLOR][COLOR="#007700"]=[/COLOR][COLOR="#0000BB"]$_REQUEST[/COLOR][COLOR="#007700"];
            break;
        case[/COLOR][COLOR="#DD0000"]'get'[/COLOR][COLOR="#007700"]:
[/COLOR][COLOR="#0000BB"]$aStorage[/COLOR][COLOR="#007700"]=[/COLOR][COLOR="#0000BB"]$_GET[/COLOR][COLOR="#007700"];
            break;
        case[/COLOR][COLOR="#DD0000"]'post'[/COLOR][COLOR="#007700"]:
[/COLOR][COLOR="#0000BB"]$aStorage[/COLOR][COLOR="#007700"]=[/COLOR][COLOR="#0000BB"]$_POST[/COLOR][COLOR="#007700"];
            break;
    }

    if (isset([/COLOR][COLOR="#0000BB"]$aStorage[/COLOR][COLOR="#007700"][[/COLOR][COLOR="#0000BB"]$sName[/COLOR][COLOR="#007700"]])) {
        if ([/COLOR][COLOR="#0000BB"]is_string[/COLOR][COLOR="#007700"]([/COLOR][COLOR="#0000BB"]$aStorage[/COLOR][COLOR="#007700"][[/COLOR][COLOR="#0000BB"]$sName[/COLOR][COLOR="#007700"]])) {
            return[/COLOR][COLOR="#0000BB"]trim[/COLOR][COLOR="#007700"]([/COLOR][COLOR="#0000BB"]$aStorage[/COLOR][COLOR="#007700"][[/COLOR][COLOR="#0000BB"]$sName[/COLOR][COLOR="#007700"]]);
        } else {
            return[/COLOR][COLOR="#0000BB"]$aStorage[/COLOR][COLOR="#007700"][[/COLOR][COLOR="#0000BB"]$sName[/COLOR][COLOR="#007700"]];
        }
    }
    return[/COLOR][COLOR="#0000BB"]$default[/COLOR][COLOR="#007700"];
}
[/COLOR][/COLOR]

Что впринципе мы и видим ниже, один и тот же запрос в GET и POST.

Хэш в запросе:

Plugin/Browser/elfinder/php/elFinderConnector.class.php

PHP код:


		
			
PHP:
[COLOR="#000000"][COLOR="#0000BB"][/COLOR][COLOR="#007700"]public function[/COLOR][COLOR="#0000BB"]run[/COLOR][COLOR="#007700"]() {
[/COLOR][COLOR="#0000BB"]$isPost[/COLOR][COLOR="#007700"]=[/COLOR][COLOR="#0000BB"]$_SERVER[/COLOR][COLOR="#007700"][[/COLOR][COLOR="#DD0000"]"REQUEST_METHOD"[/COLOR][COLOR="#007700"]] ==[/COLOR][COLOR="#DD0000"]'POST'[/COLOR][COLOR="#007700"];
[/COLOR][COLOR="#0000BB"]$src[/COLOR][COLOR="#007700"]=[/COLOR][COLOR="#0000BB"]$_SERVER[/COLOR][COLOR="#007700"][[/COLOR][COLOR="#DD0000"]"REQUEST_METHOD"[/COLOR][COLOR="#007700"]] ==[/COLOR][COLOR="#DD0000"]'POST'[/COLOR][COLOR="#007700"]?[/COLOR][COLOR="#0000BB"]$_POST[/COLOR][COLOR="#007700"]:[/COLOR][COLOR="#0000BB"]$_GET[/COLOR][COLOR="#007700"];
       if ([/COLOR][COLOR="#0000BB"]$isPost[/COLOR][COLOR="#007700"]&& ![/COLOR][COLOR="#0000BB"]$src[/COLOR][COLOR="#007700"]&&[/COLOR][COLOR="#0000BB"]$rawPostData[/COLOR][COLOR="#007700"]= @[/COLOR][COLOR="#0000BB"]file_get_contents[/COLOR][COLOR="#007700"]([/COLOR][COLOR="#DD0000"]'php://input'[/COLOR][COLOR="#007700"])) {
[/COLOR][COLOR="#FF8000"]// for support IE XDomainRequest()
[/COLOR][COLOR="#0000BB"]$parts[/COLOR][COLOR="#007700"]=[/COLOR][COLOR="#0000BB"]explode[/COLOR][COLOR="#007700"]([/COLOR][COLOR="#DD0000"]'&'[/COLOR][COLOR="#007700"],[/COLOR][COLOR="#0000BB"]$rawPostData[/COLOR][COLOR="#007700"]);
           foreach([/COLOR][COLOR="#0000BB"]$parts[/COLOR][COLOR="#007700"]as[/COLOR][COLOR="#0000BB"]$part[/COLOR][COLOR="#007700"]) {
               list([/COLOR][COLOR="#0000BB"]$key[/COLOR][COLOR="#007700"],[/COLOR][COLOR="#0000BB"]$value[/COLOR][COLOR="#007700"]) =[/COLOR][COLOR="#0000BB"]array_pad[/COLOR][COLOR="#007700"]([/COLOR][COLOR="#0000BB"]explode[/COLOR][COLOR="#007700"]([/COLOR][COLOR="#DD0000"]'='[/COLOR][COLOR="#007700"],[/COLOR][COLOR="#0000BB"]$part[/COLOR][COLOR="#007700"]),[/COLOR][COLOR="#0000BB"]2[/COLOR][COLOR="#007700"],[/COLOR][COLOR="#DD0000"]''[/COLOR][COLOR="#007700"]);
[/COLOR][COLOR="#0000BB"]$src[/COLOR][COLOR="#007700"][[/COLOR][COLOR="#0000BB"]$key[/COLOR][COLOR="#007700"]] =[/COLOR][COLOR="#0000BB"]rawurldecode[/COLOR][COLOR="#007700"]([/COLOR][COLOR="#0000BB"]$value[/COLOR][COLOR="#007700"]);
           }
[/COLOR][COLOR="#0000BB"]$_POST[/COLOR][COLOR="#007700"]=[/COLOR][COLOR="#0000BB"]$src[/COLOR][COLOR="#007700"];
[/COLOR][COLOR="#0000BB"]$_REQUEST[/COLOR][COLOR="#007700"]=[/COLOR][COLOR="#0000BB"]array_merge_recursive[/COLOR][COLOR="#007700"]([/COLOR][COLOR="#0000BB"]$src[/COLOR][COLOR="#007700"],[/COLOR][COLOR="#0000BB"]$_REQUEST[/COLOR][COLOR="#007700"]);
       }
[/COLOR][COLOR="#0000BB"]$cmd[/COLOR][COLOR="#007700"]= isset([/COLOR][COLOR="#0000BB"]$src[/COLOR][COLOR="#007700"][[/COLOR][COLOR="#DD0000"]'cmd'[/COLOR][COLOR="#007700"]]) ?[/COLOR][COLOR="#0000BB"]$src[/COLOR][COLOR="#007700"][[/COLOR][COLOR="#DD0000"]'cmd'[/COLOR][COLOR="#007700"]] :[/COLOR][COLOR="#DD0000"]''[/COLOR][COLOR="#007700"];
[/COLOR][COLOR="#0000BB"]$args[/COLOR][COLOR="#007700"]= array();
      
       if (![/COLOR][COLOR="#0000BB"]function_exists[/COLOR][COLOR="#007700"]([/COLOR][COLOR="#DD0000"]'json_encode'[/COLOR][COLOR="#007700"])) {
[/COLOR][COLOR="#0000BB"]$error[/COLOR][COLOR="#007700"]=[/COLOR][COLOR="#0000BB"]$this[/COLOR][COLOR="#007700"]->[/COLOR][COLOR="#0000BB"]elFinder[/COLOR][COLOR="#007700"]->[/COLOR][COLOR="#0000BB"]error[/COLOR][COLOR="#007700"]([/COLOR][COLOR="#0000BB"]elFinder[/COLOR][COLOR="#007700"]::[/COLOR][COLOR="#0000BB"]ERROR_CONF[/COLOR][COLOR="#007700"],[/COLOR][COLOR="#0000BB"]elFinder[/COLOR][COLOR="#007700"]::[/COLOR][COLOR="#0000BB"]ERROR_CONF_NO_JSON[/COLOR][COLOR="#007700"]);
[/COLOR][COLOR="#0000BB"]$this[/COLOR][COLOR="#007700"]->[/COLOR][COLOR="#0000BB"]output[/COLOR][COLOR="#007700"](array([/COLOR][COLOR="#DD0000"]'error'[/COLOR][COLOR="#007700"]=>[/COLOR][COLOR="#DD0000"]'{"error":["'[/COLOR][COLOR="#007700"].[/COLOR][COLOR="#0000BB"]implode[/COLOR][COLOR="#007700"]([/COLOR][COLOR="#DD0000"]'","'[/COLOR][COLOR="#007700"],[/COLOR][COLOR="#0000BB"]$error[/COLOR][COLOR="#007700"]).[/COLOR][COLOR="#DD0000"]'"]}'[/COLOR][COLOR="#007700"],[/COLOR][COLOR="#DD0000"]'raw'[/COLOR][COLOR="#007700"]=>[/COLOR][COLOR="#0000BB"]true[/COLOR][COLOR="#007700"]));
       }
      
       if (![/COLOR][COLOR="#0000BB"]$this[/COLOR][COLOR="#007700"]->[/COLOR][COLOR="#0000BB"]elFinder[/COLOR][COLOR="#007700"]->[/COLOR][COLOR="#0000BB"]loaded[/COLOR][COLOR="#007700"]()) {
[/COLOR][COLOR="#0000BB"]$this[/COLOR][COLOR="#007700"]->[/COLOR][COLOR="#0000BB"]output[/COLOR][COLOR="#007700"](array([/COLOR][COLOR="#DD0000"]'error'[/COLOR][COLOR="#007700"]=>[/COLOR][COLOR="#0000BB"]$this[/COLOR][COLOR="#007700"]->[/COLOR][COLOR="#0000BB"]elFinder[/COLOR][COLOR="#007700"]->[/COLOR][COLOR="#0000BB"]error[/COLOR][COLOR="#007700"]([/COLOR][COLOR="#0000BB"]elFinder[/COLOR][COLOR="#007700"]::[/COLOR][COLOR="#0000BB"]ERROR_CONF[/COLOR][COLOR="#007700"],[/COLOR][COLOR="#0000BB"]elFinder[/COLOR][COLOR="#007700"]::[/COLOR][COLOR="#0000BB"]ERROR_CONF_NO_VOL[/COLOR][COLOR="#007700"]),[/COLOR][COLOR="#DD0000"]'debug'[/COLOR][COLOR="#007700"]=>[/COLOR][COLOR="#0000BB"]$this[/COLOR][COLOR="#007700"]->[/COLOR][COLOR="#0000BB"]elFinder[/COLOR][COLOR="#007700"]->[/COLOR][COLOR="#0000BB"]mountErrors[/COLOR][COLOR="#007700"]));
       }
      
[/COLOR][COLOR="#FF8000"]// telepat_mode: on
[/COLOR][COLOR="#007700"]if (![/COLOR][COLOR="#0000BB"]$cmd[/COLOR][COLOR="#007700"]&&[/COLOR][COLOR="#0000BB"]$isPost[/COLOR][COLOR="#007700"]) {
[/COLOR][COLOR="#0000BB"]$this[/COLOR][COLOR="#007700"]->[/COLOR][COLOR="#0000BB"]output[/COLOR][COLOR="#007700"](array([/COLOR][COLOR="#DD0000"]'error'[/COLOR][COLOR="#007700"]=>[/COLOR][COLOR="#0000BB"]$this[/COLOR][COLOR="#007700"]->[/COLOR][COLOR="#0000BB"]elFinder[/COLOR][COLOR="#007700"]->[/COLOR][COLOR="#0000BB"]error[/COLOR][COLOR="#007700"]([/COLOR][COLOR="#0000BB"]elFinder[/COLOR][COLOR="#007700"]::[/COLOR][COLOR="#0000BB"]ERROR_UPLOAD[/COLOR][COLOR="#007700"],[/COLOR][COLOR="#0000BB"]elFinder[/COLOR][COLOR="#007700"]::[/COLOR][COLOR="#0000BB"]ERROR_UPLOAD_TOTAL_SIZE[/COLOR][COLOR="#007700"]),[/COLOR][COLOR="#DD0000"]'header'[/COLOR][COLOR="#007700"]=>[/COLOR][COLOR="#DD0000"]'Content-Type: text/html'[/COLOR][COLOR="#007700"]));
       }
[/COLOR][COLOR="#FF8000"]// telepat_mode: off
      
[/COLOR][COLOR="#007700"]if (![/COLOR][COLOR="#0000BB"]$this[/COLOR][COLOR="#007700"]->[/COLOR][COLOR="#0000BB"]elFinder[/COLOR][COLOR="#007700"]->[/COLOR][COLOR="#0000BB"]commandExists[/COLOR][COLOR="#007700"]([/COLOR][COLOR="#0000BB"]$cmd[/COLOR][COLOR="#007700"])) {
[/COLOR][COLOR="#0000BB"]$this[/COLOR][COLOR="#007700"]->[/COLOR][COLOR="#0000BB"]output[/COLOR][COLOR="#007700"](array([/COLOR][COLOR="#DD0000"]'error'[/COLOR][COLOR="#007700"]=>[/COLOR][COLOR="#0000BB"]$this[/COLOR][COLOR="#007700"]->[/COLOR][COLOR="#0000BB"]elFinder[/COLOR][COLOR="#007700"]->[/COLOR][COLOR="#0000BB"]error[/COLOR][COLOR="#007700"]([/COLOR][COLOR="#0000BB"]elFinder[/COLOR][COLOR="#007700"]::[/COLOR][COLOR="#0000BB"]ERROR_UNKNOWN_CMD[/COLOR][COLOR="#007700"])));
       }
      
[/COLOR][COLOR="#FF8000"]// collect required arguments to exec command
[/COLOR][COLOR="#007700"]foreach ([/COLOR][COLOR="#0000BB"]$this[/COLOR][COLOR="#007700"]->[/COLOR][COLOR="#0000BB"]elFinder[/COLOR][COLOR="#007700"]->[/COLOR][COLOR="#0000BB"]commandArgsList[/COLOR][COLOR="#007700"]([/COLOR][COLOR="#0000BB"]$cmd[/COLOR][COLOR="#007700"]) as[/COLOR][COLOR="#0000BB"]$name[/COLOR][COLOR="#007700"]=>[/COLOR][COLOR="#0000BB"]$req[/COLOR][COLOR="#007700"]) {
[/COLOR][COLOR="#0000BB"]$arg[/COLOR][COLOR="#007700"]=[/COLOR][COLOR="#0000BB"]$name[/COLOR][COLOR="#007700"]==[/COLOR][COLOR="#DD0000"]'FILES'
[/COLOR][COLOR="#007700"]?[/COLOR][COLOR="#0000BB"]$_FILES
[/COLOR][COLOR="#007700"]: (isset([/COLOR][COLOR="#0000BB"]$src[/COLOR][COLOR="#007700"][[/COLOR][COLOR="#0000BB"]$name[/COLOR][COLOR="#007700"]]) ?[/COLOR][COLOR="#0000BB"]$src[/COLOR][COLOR="#007700"][[/COLOR][COLOR="#0000BB"]$name[/COLOR][COLOR="#007700"]] :[/COLOR][COLOR="#DD0000"]''[/COLOR][COLOR="#007700"]);
              
           if (![/COLOR][COLOR="#0000BB"]is_array[/COLOR][COLOR="#007700"]([/COLOR][COLOR="#0000BB"]$arg[/COLOR][COLOR="#007700"])) {
[/COLOR][COLOR="#0000BB"]$arg[/COLOR][COLOR="#007700"]=[/COLOR][COLOR="#0000BB"]trim[/COLOR][COLOR="#007700"]([/COLOR][COLOR="#0000BB"]$arg[/COLOR][COLOR="#007700"]);
           }
           if ([/COLOR][COLOR="#0000BB"]$req[/COLOR][COLOR="#007700"]&& (!isset([/COLOR][COLOR="#0000BB"]$arg[/COLOR][COLOR="#007700"]) ||[/COLOR][COLOR="#0000BB"]$arg[/COLOR][COLOR="#007700"]===[/COLOR][COLOR="#DD0000"]''[/COLOR][COLOR="#007700"])) {
[/COLOR][COLOR="#0000BB"]$this[/COLOR][COLOR="#007700"]->[/COLOR][COLOR="#0000BB"]output[/COLOR][COLOR="#007700"](array([/COLOR][COLOR="#DD0000"]'error'[/COLOR][COLOR="#007700"]=>[/COLOR][COLOR="#0000BB"]$this[/COLOR][COLOR="#007700"]->[/COLOR][COLOR="#0000BB"]elFinder[/COLOR][COLOR="#007700"]->[/COLOR][COLOR="#0000BB"]error[/COLOR][COLOR="#007700"]([/COLOR][COLOR="#0000BB"]elFinder[/COLOR][COLOR="#007700"]::[/COLOR][COLOR="#0000BB"]ERROR_INV_PARAMS[/COLOR][COLOR="#007700"],[/COLOR][COLOR="#0000BB"]$cmd[/COLOR][COLOR="#007700"])));
           }
[/COLOR][COLOR="#0000BB"]$args[/COLOR][COLOR="#007700"][[/COLOR][COLOR="#0000BB"]$name[/COLOR][COLOR="#007700"]] =[/COLOR][COLOR="#0000BB"]$arg[/COLOR][COLOR="#007700"];
       }
      
[/COLOR][COLOR="#0000BB"]$args[/COLOR][COLOR="#007700"][[/COLOR][COLOR="#DD0000"]'debug'[/COLOR][COLOR="#007700"]] = isset([/COLOR][COLOR="#0000BB"]$src[/COLOR][COLOR="#007700"][[/COLOR][COLOR="#DD0000"]'debug'[/COLOR][COLOR="#007700"]]) ? !![/COLOR][COLOR="#0000BB"]$src[/COLOR][COLOR="#007700"][[/COLOR][COLOR="#DD0000"]'debug'[/COLOR][COLOR="#007700"]] :[/COLOR][COLOR="#0000BB"]false[/COLOR][COLOR="#007700"];
      
[/COLOR][COLOR="#0000BB"]$this[/COLOR][COLOR="#007700"]->[/COLOR][COLOR="#0000BB"]output[/COLOR][COLOR="#007700"]([/COLOR][COLOR="#0000BB"]$this[/COLOR][COLOR="#007700"]->[/COLOR][COLOR="#0000BB"]elFinder[/COLOR][COLOR="#007700"]->[/COLOR][COLOR="#0000BB"]exec[/COLOR][COLOR="#007700"]([/COLOR][COLOR="#0000BB"]$cmd[/COLOR][COLOR="#007700"],[/COLOR][COLOR="#0000BB"]$this[/COLOR][COLOR="#007700"]->[/COLOR][COLOR="#0000BB"]input_filter[/COLOR][COLOR="#007700"]([/COLOR][COLOR="#0000BB"]$args[/COLOR][COLOR="#007700"])));
   }
[/COLOR][/COLOR]