
Analyzing Root Cause Of Remote Code Execution in Bludit CMS (3.9.2)

Description:

Bludit is a flat-file CMS, which in this case means that Bludit stores its content in JSON files. We came across version 3.9.2 of the CMS in a CTF challenge, where it is vulnerable to remote code execution via file upload. We completed the challenge, but we wanted to find the root cause and analyze the source code.

To follow the root-cause analysis you need to be familiar with the basics of PHP and with the .htaccess file.

What is .htaccess in PHP?

.htaccess is a configuration file used on web servers running the Apache web server software. When a .htaccess file is placed in a directory that is served by Apache, the file is detected and processed by the Apache server.

Every request to a directory served by Apache is checked against the .htaccess files that apply to that directory.

.htaccess is used for:

1) AUTHORIZATION, AUTHENTICATION: .htaccess files are often used to specify the security restrictions for a particular directory, hence the filename "access". The .htaccess file is often accompanied by a .htpasswd file which stores valid usernames and their passwords.

2) CUSTOMIZED ERROR RESPONSES: changing the page that is shown when a server-side error occurs, for example HTTP 404 Not Found. Example: ErrorDocument 404 /notfound.html

3) REWRITING URLS: servers often use .htaccess to rewrite "ugly" URLs into shorter and prettier ones.

4) CACHE CONTROL: .htaccess files allow a server to control the user-agent caching used by web browsers, to reduce bandwidth usage, server load, and perceived lag.

What is RewriteEngine in .htaccess?

A rewrite engine is a component of web server software that allows you to rewrite or redirect uniform resource locators (URLs). The most popular rewrite engine is the Apache HTTP Server's mod_rewrite.


What do RewriteEngine On and Off mean?
RewriteEngine On means that all the rewrite rules (for redirection, directory access, etc.) are applied.
RewriteEngine Off means that none of the rules are applied; all rewrite rules are ignored.
If you add a .htaccess file containing RewriteEngine Off to a folder, you are turning off the rewrite rules (and the access restrictions implemented with them) in ONLY that folder. .htaccess files are hierarchical. What this means is this: if you have a .htaccess file in a parent/root folder and you add a .htaccess file with RewriteEngine Off in a child subfolder, then that child folder will NOT follow the rewrite rules/directives of the parent/root .htaccess file and will instead follow the rules/directives in its own .htaccess file.

Debugging the Code with Visual Studio:

We know that Bludit 3.9.2 is vulnerable to remote code execution via file upload, but the actual root cause is not obvious from the source code. So we installed Bludit 3.9.2 on localhost together with Visual Studio (to debug the code). These are the steps we took to find the root cause:

1) Start XAMPP and run the Apache server.

2) Load the Bludit 3.9.2 code in Visual Studio and run Xdebug for debugging.

3) Configure a proxy tool in your browser to capture the application's traffic. Since we are testing locally, and proxy tools generally do not intercept traffic to localhost, the proxy has to be configured: in Firefox, type about:config in the URL bar and set network.proxy.allow_hijacking_localhost = true.

4) We know the issue is in the file-upload functionality, so we upload a file normally and watch what exactly happens in the backend.

Then we move on to analysing the relevant part of the source code, as shown in the image below.

We also have to start the Xdebug server, so simply run Xdebug.

Here we simply set the breakpoints.

Now all the requirements and configuration we need are in place, so let's move forward.
Next we perform the same image-upload request again by replaying the request from the Repeater tab of Burp Suite (shown in step 4).

Here we see the PHP temporary file being moved to Bludit's tmp directory, where its content is stored.

 

After that we found the path of the file we were trying to upload. The response said "File type is not supported", yet the file had been stored in the tmp directory under the same name we uploaded it with. BUT BUT BUT the question is: why is it storing the file in the tmp directory at all?

What exactly happens here is that it first accepts the uploaded file and stores it in the tmp folder, and only then runs the file-extension check that the developer implemented. If the condition is satisfied the file is moved to another location called thumbnails; otherwise an error is thrown (shown in the screenshot below), but the copy already written to tmp is left in place.

So we have the location of our file. Let's try to access abc.php at http://127.0.0.1/testing/bludit-3.9.2/bl-content/tmp/abc.php

  
We are not able to access abc.php directly, because access to that directory is restricted in the .htaccess file. We found this by checking the .htaccess file of Bludit 3.9.2 at this location: C:/xampp/htdocs/bludit-3.9.2/.htaccess

Here direct access to the /databases, /workspaces, /pages and /tmp directories is not allowed.

So this restriction can be bypassed by uploading another .htaccess file whose content is RewriteEngine Off.

Here we upload the .htaccess file containing RewriteEngine Off.

Finally we try to access our file again, and the PHP code contained in abc.php is executed successfully.
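As an added example (not Bludit's own code), here is a PHP upload handler written in the order the post describes, where the file is written to tmp before the extension check, beside a hardened version that validates name and content before anything reaches disk and also refuses dotfiles such as .htaccess. The function names, directory parameters and the allowed-extension list are assumptions.

```php
<?php
// Added illustration, not Bludit's own code. handleUploadVulnerable() mirrors
// the order the post describes (write to tmp first, check extension after);
// handleUploadHardened() validates before anything reaches disk.
// $tmpDir, $thumbDir and ALLOWED_EXT are assumed values.
declare(strict_types=1);

const ALLOWED_EXT = ['jpg', 'jpeg', 'png', 'gif'];

// Vulnerable order: a rejected upload (abc.php, .htaccess) is already sitting
// in a web-reachable tmp directory when the error is returned.
function handleUploadVulnerable(array $file, string $tmpDir, string $thumbDir): string
{
    $name = $file['name'];
    $tmpPath = $tmpDir . '/' . $name;
    move_uploaded_file($file['tmp_name'], $tmpPath);        // written first
    $ext = strtolower(pathinfo($name, PATHINFO_EXTENSION));
    if (!in_array($ext, ALLOWED_EXT, true)) {
        return 'File type is not supported';                 // tmp copy remains
    }
    rename($tmpPath, $thumbDir . '/' . $name);
    return 'OK';
}

// Hardened order: decide first, write only an accepted file, and never under
// a client-chosen name.
function handleUploadHardened(array $file, string $tmpDir, string $thumbDir): string
{
    $original = basename($file['name']);
    $ext = strtolower(pathinfo($original, PATHINFO_EXTENSION));
    // 1. Refuse dotfiles (pathinfo() reports ".htaccess" as extension "htaccess")
    //    and anything outside the image whitelist.
    if ($original === '' || $original[0] === '.' || !in_array($ext, ALLOWED_EXT, true)) {
        return 'File type is not supported';
    }
    // 2. Check the content, not just the name: the detected MIME type must match.
    $mime = (new finfo(FILEINFO_MIME_TYPE))->file($file['tmp_name']);
    if (!in_array($mime, ['image/jpeg', 'image/png', 'image/gif'], true)) {
        return 'File type is not supported';
    }
    // 3. Server-chosen name; $tmpDir is assumed to be outside the document root.
    $stored = bin2hex(random_bytes(8)) . '.' . $ext;
    $tmpPath = $tmpDir . '/' . $stored;
    if (!move_uploaded_file($file['tmp_name'], $tmpPath)) {
        return 'Upload failed';
    }
    rename($tmpPath, $thumbDir . '/' . $stored);
    return 'OK';
}
```

The hardened handler still relies on the server configuration itself (AllowOverride None for the content directories in httpd.conf) so that an uploaded .htaccess cannot override the parent rules the post describes.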




