An Non-authenticated attacker can upload arbitrary file via the /js/jquery_file_upload/server/php/index.php and executing it on the server reaching the RCE.
uploadfile name can be seen in response "url":"..\/..\/..\/..\/media\/..\/\/cmd_1645281565.php"
as we can know,/media/../cmd_1645281565.php is as same as /cmd_1645281565.php
so visit /cmd_1645281565.php you can getshell
The text was updated successfully, but these errors were encountered:
bkfish
changed the title
An Remote Code Execution vulnerability exists in Cuppa cms via file upload function
A Remote Code Execution vulnerability exists in Cuppa cms via file upload function
Feb 19, 2022
bkfish
changed the title
A Remote Code Execution vulnerability exists in Cuppa cms via file upload function
A Non-authenticated Remote Code Execution vulnerability exists in Cuppa cms via file upload function
Feb 19, 2022
bkfish
changed the title
A Non-authenticated Remote Code Execution vulnerability exists in Cuppa cms via file upload function
Non-authenticated Remote Code Execution vulnerability exists in Cuppa cms via file upload function
Feb 19, 2022
bkfish
changed the title
Non-authenticated Remote Code Execution vulnerability exists in Cuppa cms via file upload function
Unauthorized Remote Code Execution vulnerability exists in Cuppa cms via file upload function
Feb 19, 2022
An Non-authenticated attacker can upload arbitrary file via the /js/jquery_file_upload/server/php/index.php and executing it on the server reaching the RCE.
poc
this request will set $allowed_extensions in Configuration.php will add

.phpthen upload a php file ,set the path as "../"
uploadfile name can be seen in response
"url":"..\/..\/..\/..\/media\/..\/\/cmd_1645281565.php"as we can know,
/media/../cmd_1645281565.phpis as same as/cmd_1645281565.phpso visit
/cmd_1645281565.phpyou can getshellThe text was updated successfully, but these errors were encountered: