flute-cms.com
Web-based CMS for game servers, written in PHP
Version: v0.2.2.4-alpha. Source code: https://github.com/Flute-CMS/cms
When creating a "Notification", the website predefines four placeholders for the notification content: {name}, {login}, {email}, and {balance}. However, analysis of the PHP code shows that other expressions placed inside braces in the content are also evaluated and executed, for example `{system("whoami")}`.
- In app/Core/Support/ContentParser.php, the replaceContent() function takes the input Content string and passes it to replaceUserContent(), which substitutes the values for {name}, {login}, {email}, and {balance}.
(screenshots: replaceContent() and replaceUserContent() in ContentParser.php)
- Processing does not stop after that substitution. replaceContent() then checks whether any {} remains, extracts the text between the braces, and passes the match to the evaluateExpression() function.
(screenshot: the brace-matching code path in replaceContent())
- As a result, matches[1] is used as the function name and matches[2] as its argument list, so an arbitrary function such as system() is called with attacker-chosen arguments, leading to command execution.
(screenshot: evaluateExpression() invoking the matched name with the matched arguments)
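For comparison, the following is an added example of how a placeholder expander can be written so that brace content is never resolved to a callable. It is not Flute CMS code: the class name SafeContentParser and the $user array are assumptions for illustration. Only the four documented placeholder names are expanded; any other {...} sequence, including the payload shown above, is left as literal text.

```php
<?php
// Added example (not Flute CMS code): an allowlist-only placeholder expander.
// It recognises exactly the four documented placeholders and treats every
// other {...} sequence as plain text, so nothing inside braces is ever used
// as a function name or evaluated as an expression.

final class SafeContentParser
{
    /** Placeholder names the template is allowed to resolve. */
    private const ALLOWED = ['name', 'login', 'email', 'balance'];

    /**
     * @param array<string,string> $user  hypothetical user record (constructed by the caller)
     */
    public function replaceContent(string $content, array $user): string
    {
        // The pattern only matches a bare lowercase identifier between braces.
        // '{system("ls")}' does not satisfy it and is therefore left untouched.
        return preg_replace_callback(
            '/\{([a-z]+)\}/',
            static function (array $m) use ($user): string {
                $key = $m[1];
                if (!in_array($key, self::ALLOWED, true)) {
                    return $m[0]; // unknown placeholder: keep the literal text
                }
                // Escape for HTML output so user-controlled profile values
                // cannot inject markup into the rendered notification.
                return htmlspecialchars((string)($user[$key] ?? ''), ENT_QUOTES, 'UTF-8');
            },
            $content
        );
    }
}

// Constructed sample input: a notification body containing legitimate
// placeholders, the injection payload from the report, and an unknown name.
$user = [
    'name'    => 'Alice',
    'login'   => 'alice',
    'email'   => 'alice@example.test',
    'balance' => '12.50',
];
$template = 'Hello {name}, your balance is {balance}. {system("ls")} {unknown}';

$parser = new SafeContentParser();
echo $parser->replaceContent($template, $user), PHP_EOL;
```

The essential difference from the vulnerable path is that the extracted brace content is only ever compared against a fixed list of names and used as an array key; it is never passed to evaluateExpression(), call_user_func(), or eval(). Rejecting rather than ignoring unknown placeholders at save time (returning a validation error to the admin) is an equally valid choice and additionally gives a clear log signal when someone submits content with unexpected brace expressions.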
- Log in with an admin user.
- Click on the notification function to create a new notification. Set the notification trigger event to "User Login" and enter the PoC `{system("ls")}` in the Content field.
(screenshot: creating the notification with the PoC in the Content field)
- Log back in with the admin user, or create a new user account and log in. The output of the executed command appears on the notification page.
(screenshot: notification page showing the command output)