
Analyzing Root Cause Of Remote Code Execution in Bludit CMS (3.9.2)

Description:

Bludit is a flat-file CMS, which (in this case) means that Bludit stores its content in JSON files. We found version 3.9.2 of the CMS in a CTF challenge, vulnerable to remote code execution via file upload. We completed the challenge, but we were keen to find the root cause and analyze the source code.

To follow the root-cause analysis you should be familiar with the basics of the PHP language and with the .htaccess file.

What is .htaccess in PHP?

.htaccess is a configuration file for use on web servers running the Apache web server software. When a .htaccess file is placed in a directory that is served by Apache, the file is detected and its directives are applied by the Apache server software.

Whenever any request is sent to the server, it always passes through the .htaccess file.

.htaccess is used for:

1) AUTHORIZATION, AUTHENTICATION: .htaccess files are often used to specify the security restrictions for a particular directory, hence the filename "access". The .htaccess file is often accompanied by a .htpasswd file which stores valid usernames and their passwords.

2) CUSTOMIZED ERROR RESPONSES: Changing the page that is shown when a server-side error occurs, for example HTTP 404 Not Found. Example: ErrorDocument 404 /notfound.html

3) REWRITING URLS: Servers often use .htaccess to rewrite "ugly" URLs to shorter and prettier ones.

4) CACHE CONTROL: .htaccess files allow a server to control the user-agent caching used by web browsers to reduce bandwidth usage, server load, and perceived lag.

What is RewriteEngine in .htaccess?

A rewrite engine is a component of web server software that allows you to rewrite or redirect uniform resource locators (URLs). The most popular rewrite engine is the Apache HTTP Server's mod_rewrite.

What do RewriteEngine on and off mean?

RewriteEngine on means that all the rules for redirection, directory access etc. are applied.
RewriteEngine off means that none of the rules are applied; all rules are ignored.
If you add a .htaccess file containing RewriteEngine Off to a folder, you are turning off the rewrite rules, and the security they provide, in ONLY that folder. .htaccess files are hierarchical. What this means is this: if you have a .htaccess file in a parent/root folder and you add a .htaccess file containing RewriteEngine Off in a child subfolder, then that child folder will NOT follow the security rules/directives of the parent/root .htaccess file and will instead follow the rules/directives in its own .htaccess file.

Debugging the Code With Visual Studio:

We know that Bludit 3.9.2 is vulnerable to remote code execution via file upload, but we did not yet have the actual root cause in the source code. So we installed Bludit 3.9.2 on localhost along with Visual Studio (to debug the code). Here are the steps we took to find the root cause:

1) Start XAMPP and run the Apache server.

2) Load the Bludit 3.9.2 code in Visual Studio and run xdebug in Visual Studio for debugging.

3) Set up a proxy tool in your browser to capture the application's traffic. Since we are testing locally, and proxy tools generally don't intercept traffic from localhost, this has to be configured. In Firefox, type about:config in the URL bar and set network.proxy.allow_hijacking_localhost = true.

4) We know the issue is in the file upload functionality, so we upload a file normally and watch what exactly happens in the backend.

Then we move on to analysing the relevant part of the source code, as shown in the image below.

We also have to start the XDebug server, so simply run XDebug.

So here we simply set the breakpoints.


Now we have all the requirements and configuration in place, so let's move forward in order to achieve success :)
Next we have to perform the same image upload request, so we replay the request from the Repeater tab of Burp Suite (shown in step 4).

Here we see the PHP temp file moved to the Bludit temp directory, with its content stored.


After that we found the path of the file we were trying to upload. The response says "File type is not supported", yet the file has been stored in the temp directory under the same name we gave it. But the question is: why is it storing the file in the TEMP directory at all?

What exactly happens here: first it accepts the uploaded file and stores it in the TEMP folder, then it runs the file-extension check that the developer implemented. If the condition is satisfied, the file is moved to another location called thumbnails; otherwise an error is thrown (shown in the screenshot below).
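As an added example (not Bludit's own code), here is the flawed order described above beside a hardened version: the hardened function validates the name and content of the upload before anything is written to the tmp directory, and the rejected names include dot-files such as .htaccess. The function names, the allow-list and the tmp directory argument are assumptions.

```php
<?php
// Added example, not Bludit's code. Names and allow-list are assumptions.
const ALLOWED_IMAGE_EXT = ['jpg', 'jpeg', 'png', 'gif'];
const ALLOWED_MIME      = ['image/jpeg', 'image/png', 'image/gif'];

// Returns null when the upload is acceptable, otherwise a rejection reason.
function validateUpload(string $originalName, string $path): ?string {
    // Drop any directory part and reject dot-files such as ".htaccess".
    $name = basename($originalName);
    if ($name === '' || $name[0] === '.') {
        return 'hidden or empty file name';
    }
    // Only the last extension counts, and it must be in the allow-list.
    $ext = strtolower(pathinfo($name, PATHINFO_EXTENSION));
    if (!in_array($ext, ALLOWED_IMAGE_EXT, true)) {
        return 'File type is not supported';
    }
    // Check the content (magic bytes), not just the name.
    $mime = (new finfo(FILEINFO_MIME_TYPE))->file($path);
    if (!in_array($mime, ALLOWED_MIME, true)) {
        return 'content does not match an allowed image type';
    }
    return null;
}

// Vulnerable order, as the post describes: move first, check afterwards.
// Even when the check fails, the file already exists under tmp.
function saveUploadVulnerable(array $file, string $tmpDir): bool {
    $dest = $tmpDir . '/' . $file['name'];     // e.g. tmp/abc.php is now on disk
    move_uploaded_file($file['tmp_name'], $dest);
    return validateUpload($file['name'], $dest) === null;   // too late
}

// Hardened order: nothing is written under tmp until every check passes,
// and the stored name is generated by the server, not taken from the request.
function saveUploadHardened(array $file, string $tmpDir): ?string {
    if ($file['error'] !== UPLOAD_ERR_OK || !is_uploaded_file($file['tmp_name'])) {
        return null;
    }
    if (validateUpload($file['name'], $file['tmp_name']) !== null) {
        return null;
    }
    $ext  = strtolower(pathinfo($file['name'], PATHINFO_EXTENSION));
    $dest = $tmpDir . '/' . bin2hex(random_bytes(8)) . '.' . $ext;
    return move_uploaded_file($file['tmp_name'], $dest) ? $dest : null;
}
```

Independently of the application-level check, serving the tmp directory with AllowOverride None in the Apache server configuration means an uploaded .htaccess cannot change the access rules there at all.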

So we have the location of our file. Let's try to access abc.php at http://127.0.0.1/testing/bludit-3.9.2/bl-content/tmp/abc.php

We are not able to access abc.php directly because the directory access permissions are defined in the .htaccess file. We found this by checking the .htaccess file of Bludit version 3.9.2 at C:/xampp/htdocs/bludit-3.9.2/.htaccess

Here, direct access to the /databases, /workspaces, /pages and /tmp directories is not allowed.

So we have to bypass this by uploading another .htaccess file with the content RewriteEngine off.

Here we upload the .htaccess file containing RewriteEngine off.


So let's finally try to access our file: we successfully execute the PHP code contained in abc.php.
