Vulnerable Path:

<https://github.com/nukeviet/nukeviet/blob/nukeviet4.5.05/admin/extensions/download.php>
<https://github.com/nukeviet/nukeviet/blob/nukeviet4.5.05/admin/extensions/upload.php>

Description:

This vulnerability occurs as follows:

The upload module function allows files to be uploaded to the following directories: 'assets', 'themes', 'modules', 'uploads', 'includes/plugin', 'vendor'.

These directories all contain a .htaccess file that prevents direct execution of code, and the module already has functionality to detect whether a user has overridden the .htaccess file. However, an attacker can still abuse another feature, a PHP deserialization vulnerability, to trigger the uploaded files.

The vulnerability lies at line 21 (version 4.5.05), where @unserialize($array) is called directly on user-supplied input.


When serialized data is sent, NukeViet checks whether the unserialized data matches one of a set of predefined objects.


Although I've checked those objects and haven't found any gadgets that could be used to impact the server, through the upload module function I could register a new object file, leading me to execute code here via the unserialize function.


In summary, I can exploit this by uploading a module file placed in the directory containing one of the predefined objects. Then I can use the unserialize function to call and execute this file.
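For contrast with the pattern described above, here is an added example (not NukeViet's code) showing why a class check performed after unserialize() comes too late, and a hardened form that refuses to instantiate objects at all. The sample serialized strings and the class name `SomeName` are constructed for illustration.

```php
<?php
// Added example, not NukeViet's code. $userInput stands in for the serialized
// string that, per the report, reaches @unserialize() unchecked.

// Vulnerable pattern: the object graph is fully instantiated before any
// "is this one of the predefined objects" check can run. Any class the
// autoloader can resolve (including a freshly uploaded file) is loaded and
// its __wakeup()/__destruct() hooks execute regardless of the later check.
function decodeUnsafe(string $userInput)
{
    return @unserialize($userInput);
}

// Hardened pattern: allowed_classes => false makes PHP skip autoloading and
// replace every object with __PHP_Incomplete_Class, which has no magic methods.
// The allowlist check therefore happens *before* instantiation, not after.
// If real objects are required, pass the exact predefined class names instead
// of false, e.g. ['allowed_classes' => ['PredefinedA', 'PredefinedB']]
// (hypothetical names), so a newly uploaded class is never resolved.
function decodeSafe(string $userInput): ?array
{
    $data = @unserialize($userInput, ['allowed_classes' => false]);
    if (!is_array($data)) {
        return null; // only plain arrays are acceptable here
    }
    $bad = false;
    array_walk_recursive($data, function ($v) use (&$bad) {
        if ($v instanceof __PHP_Incomplete_Class) {
            $bad = true; // an object payload was smuggled in; reject it
        }
    });
    return $bad ? null : $data;
}

// Constructed samples: one carrying an object of an arbitrary class name,
// one carrying only scalars.
$withObject = 'a:1:{s:3:"key";O:8:"SomeName":0:{}}';
$plain      = 'a:1:{s:3:"key";s:5:"value";}';

var_dump(decodeSafe($withObject)); // NULL: object payload rejected
var_dump(decodeSafe($plain));      // array(1) { ["key"]=> string(5) "value" }
```

Detection-wise, a serialized string containing `O:` (object) or `C:` (custom-serialized class) tokens arriving at an endpoint that only ever needs arrays is itself a useful indicator to log.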

Reproduce

Create a valid zip file containing the file to be executed, placed within one of the permitted object directories.


After successfully uploading, create a serialized payload:
