Concrete CMS is designed for ease of use, for users with minimal technical skills. It enables users to edit site content directly from the page. It provides version management for every page, similar to wiki software, another type of website development software.
As a limited-privilege user, you can enter a URL, and the CMS will use cURL to download the remote file locally. There is a validation on the file type to ensure that PHP files and other malicious types cannot be added to the filesystem. However, the CMS downloads the file locally with cURL before performing this validation. Can we access it?
The file is created in a temporary directory. By reversing how this code works, they found that the generation of the directory name was predictable: it came down to using milliseconds to generate the ID. By syncing the time with the server's responses, the name can be recovered fairly trivially with some brute forcing.
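As an added example (not Concrete CMS code), the weak temp-naming pattern described above sits next to a hardened fetch that names the directory unpredictably, keeps a neutral extension, and validates the downloaded bytes before they are moved anywhere the web server serves; the paths, the allow-list and the function names are assumptions.

```php
<?php // Added example, not Concrete CMS code; paths, allow-list and names are assumptions.
// Weak pattern described in the writeup: a temp directory named from the time in
// milliseconds is guessable by anyone who can read the server's clock from its responses.
function weakTempDir(string $base): string {
    return $base . '/' . (int) round(microtime(true) * 1000);
}
// Hardened: 128 bits of randomness, created outside the web root, owner-only permissions.
function safeTempDir(string $base): string {
    $dir = $base . '/' . bin2hex(random_bytes(16));
    if (!mkdir($dir, 0700)) {
        throw new RuntimeException('could not create temp dir');
    }
    return $dir;
}
// Check the actual bytes (magic numbers), not the URL or the Content-Type header.
function isAllowedImage(string $path): bool {
    $finfo = finfo_open(FILEINFO_MIME_TYPE);
    $mime  = finfo_file($finfo, $path);
    finfo_close($finfo);
    return in_array($mime, ['image/png', 'image/jpeg', 'image/gif'], true);
}
// Download, validate, and only then move into the served directory.
function fetchRemoteFile(string $url, string $tmpBase, string $destDir): string {
    $dir = safeTempDir($tmpBase);
    $tmp = $dir . '/download.bin';          // neutral extension while unvalidated
    $fh  = fopen($tmp, 'wb');
    $ch  = curl_init($url);
    curl_setopt_array($ch, [
        CURLOPT_FILE           => $fh,
        CURLOPT_FOLLOWLOCATION => false,     // no redirects to unexpected hosts
        CURLOPT_PROTOCOLS      => CURLPROTO_HTTP | CURLPROTO_HTTPS,
        CURLOPT_TIMEOUT        => 15,
    ]);
    $ok = curl_exec($ch);
    curl_close($ch);
    fclose($fh);
    try {
        if ($ok === false || !isAllowedImage($tmp)) {
            throw new RuntimeException('download failed or disallowed file type');
        }
        $final = $destDir . '/' . bin2hex(random_bytes(8)) . '.img';
        rename($tmp, $final);
        return $final;
    } finally {
        @unlink($tmp);  // remove the temp file whether or not validation passed
        @rmdir($dir);
    }
}
```

The destination directory should additionally be configured so the web server never executes scripts from it, since a content sniff alone does not rule out polyglot files.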
There is one thing that is confusing, though: they claim that they extended the race window by adding a sleep command to the PHP file. If the PHP code is being executed (the sleep call), then why do you need to call it externally? This was really strange to me, and I'm not sure why they did not pop a reverse shell from the initial execution of the payload. The only explanation would be to add a permanent backdoor.
The article alludes to the cURL command having an SSRF bug as well, but they decide to save that for another day. Overall, the race-condition PHP execution is a good find! Don't let the error message fool you; trust but verify.