
CVE-2020-28948 PoC: Pear Archive_Tar code issue vulnerability

Associated Vulnerability
Title: Pear Archive_Tar code issue vulnerability (CVE-2020-28948)
Description: Pear Archive_Tar is a PHP-based tool from the PEAR team for creating, extracting and otherwise manipulating tar archives. Archive_Tar 1.4.10 and earlier contain a security flaw that allows a deserialization attack, because phar: is blocked but PHAR: is not blocked.
Readme
## POC for CVE-2020-28948 & CVE-2020-28949

The files here contain a PoC for CVE-2020-28948 and CVE-2020-28949 that achieves remote exploitation.

### The server

The server folder contains a simple upload server that uses the vulnerable Archive_Tar library, located in `server/Archive`. The server accepts a tar archive from the user, extracts it and stores the result in the `server/uploads/` folder.

To start the server with the vulnerable library:
```sh
cd server
make build
make start
```

To start the server with the patched library:
```sh
cd server
make build-patched
make start-patched
```

Access the server at http://localhost:8080

### CVE-2020-28948 (PHAR deserialisation attack)

1. Navigate to the corresponding PoC folder.
2. Specify the target for arbitrary file deletion by modifying `$delete_target` in `create_phar.php`:
    - To view the confidential `secret.md` file, delete the `.htaccess` file.
    - To cause a DoS, delete `index.html`.
3. Create `exploit.tar`:
    ```sh
    make create_exploit
    ```
4. Upload `exploit.tar` to the remote server.
5. Observe the file deletion on the server.
    - http://localhost:8080/uploads/secret.md becomes accessible once `.htaccess` is deleted.

### CVE-2020-28949 (PHAR inclusion attack)

1. Navigate to the corresponding PoC folder.
2. Create `exploit.tar`:
    ```sh
    make create_exploit
    ```
3. Upload `exploit.tar` to the remote server.
4. Observe that `shell.php` has been uploaded.
    - It is reachable at http://localhost:8080/shell.php
5. Achieve RCE (e.g. execute `whoami` on the server):
    - http://localhost:8080/shell.php?cmd=whoami
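The server in this PoC hands uploads straight to Archive_Tar. As a defender-side pre-check that the README does not include, the following added Python example (not part of the PoC or of Archive_Tar) inspects every entry name of an uploaded archive before extraction, rejecting any stream-wrapper scheme, `phar:` in any letter case, absolute paths and `..` traversal. The archive and its entry names are constructed for the example.

```python
import io
import re
import tarfile
from typing import Dict, List, Optional
# Any URL-style stream wrapper (phar://, file://, ...) and a bare phar: prefix,
# both matched case-insensitively so "PHAR:" is rejected exactly like "phar:".
_WRAPPER_RE = re.compile(r"^[a-z][a-z0-9+.-]*://", re.IGNORECASE)
_PHAR_RE = re.compile(r"^phar:", re.IGNORECASE)


def check_entry_name(name: str) -> Optional[str]:
    """Return why a tar entry name is unsafe to extract, or None if it passes."""
    if _PHAR_RE.match(name):
        return "phar: wrapper"
    if _WRAPPER_RE.match(name):
        return "stream wrapper"
    if name.startswith(("/", "\\")):
        return "absolute path"
    if ".." in re.split(r"[\\/]", name):
        return "path traversal"
    return None


def unsafe_entries(tar_bytes: bytes) -> Dict[str, str]:
    """Scan an archive before extraction; map each rejected member to its reason."""
    findings: Dict[str, str] = {}
    with tarfile.open(fileobj=io.BytesIO(tar_bytes), mode="r:*") as tar:
        for member in tar.getmembers():
            reason = check_entry_name(member.name)
            if reason is not None:
                findings[member.name] = reason
    return findings


def build_sample_tar(names: List[str]) -> bytes:
    """Constructed sample archive (not from the PoC): one tiny file per name."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w") as tar:
        for name in names:
            data = b"sample"
            info = tarfile.TarInfo(name=name)
            info.size = len(data)
            tar.addfile(info, io.BytesIO(data))
    return buf.getvalue()


# Constructed entry names: two benign, four that a hardened extractor must refuse.
SAMPLE_NAMES = ["notes.txt", "sub/dir/ok.md", "PHAR://x.phar/y",
                "phar:x.phar", "file:///tmp/z", "../../index.html"]

if __name__ == "__main__":
    for name, reason in unsafe_entries(build_sample_tar(SAMPLE_NAMES)).items():
        print(f"REJECT {name!r}: {reason}")
```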
File Snapshot

```
[4.0K] /data/pocs/f703faa3052f1a77060e4ca5718dcb9728d7afd4
├── [1.8K] Archive_Tar.patch
├── [4.0K] cve-2020-28948
│   ├── [ 709] create_phar.php
│   ├── [ 273] create_tar.py
│   ├── [  33] input_file.txt
│   └── [ 170] Makefile
├── [4.0K] cve-2020-28949
│   ├── [ 140] create_tar.py
│   ├── [  87] Makefile
│   ├── [ 538] README.md
│   └── [  31] shell.php
├── [4.0K] payloads
│   ├── [ 10K] phar_file.tar
│   ├── [ 10K] readme.tar
│   ├── [ 10K] relative_path1.tar
│   └── [ 10K] relative_path2.tar
├── [1.5K] README.md
└── [4.0K] server
    ├── [4.0K] Archive
    │   ├── [ 84K] Tar-patched.php
    │   └── [ 84K] Tar.php
    ├── [ 185] Dockerfile
    ├── [ 274] Dockerfile-patched
    ├── [ 590] index.php
    ├── [ 245] Makefile
    └── [4.0K] uploads
        ├── [1.3K] index.php
        └── [  29] secret.md

6 directories, 22 files
```