CVE5-3.md

File metadata and controls

37 lines (23 loc) · 2.23 KB

Vendor

flute-cms.com

Product

Web-based CMS for server games, written in PHP

Version

v0.2.2.4-alpha

Source code: https://github.com/Flute-CMS/cms

Description

When creating a "Notification", the website predefines four placeholders for the notification content: {name}, {login}, {email}, and {balance}. However, analysis of the PHP code shows that other template expressions inserted into the content are also evaluated, for example {system("whoami")}.

Analysis

  1. Examining the app/Core/Support/ContentParser.php file shows that the replaceContent() function takes the input Content string and passes it to replaceUserContent(), which substitutes the values for {name}, {login}, {email}, and {balance}.
  2. Processing does not stop once that string is returned. replaceContent() then checks whether any {} remains, extracts the text inside the braces, and passes each match to the evaluateExpression() function.
  3. In evaluateExpression(), matches[1] is used as the method name and matches[2] as its parameters, so an attacker-controlled expression such as {system("whoami")} results in command execution.
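A hardened rendering routine, as an added example that is not Flute CMS's own code: only the four documented placeholders are substituted, any other {...} fragment is kept as literal text and never evaluated, and a second helper flags unexpected fragments in stored templates for review. The user array shape and the function names are assumptions.

```php
<?php
// Added example (not Flute CMS code): allow-list placeholder rendering.
// Only the four documented placeholders are substituted; any other
// {...} expression is left as literal text and is never evaluated.

const ALLOWED_PLACEHOLDERS = ['name', 'login', 'email', 'balance'];

/**
 * Render a notification template against a user record (assumed shape:
 * an associative array with the four keys above).
 */
function renderNotification(string $template, array $user): string
{
    return preg_replace_callback(
        '/\{([a-z]+)\}/',
        function (array $m) use ($user): string {
            $key = $m[1];
            if (!in_array($key, ALLOWED_PLACEHOLDERS, true)) {
                return $m[0]; // unknown placeholder: keep the literal text
            }
            // Escape for HTML output so a stored value cannot inject markup.
            return htmlspecialchars((string) ($user[$key] ?? ''), ENT_QUOTES, 'UTF-8');
        },
        $template
    );
}

/**
 * Audit helper for existing notification rows: return every {...} fragment
 * that is not one of the documented placeholders, e.g. when reviewing
 * templates that were saved before the parser was fixed.
 */
function findUnexpectedPlaceholders(string $template): array
{
    preg_match_all('/\{([^{}]*)\}/', $template, $matches);
    return array_values(array_filter(
        $matches[1],
        fn(string $expr): bool => !in_array($expr, ALLOWED_PLACEHOLDERS, true)
    ));
}

// Constructed sample input, mirroring the payload shape from the advisory.
$user = ['name' => 'Alice', 'login' => 'alice', 'email' => 'alice@example.com', 'balance' => 12.5];
$tpl  = 'Welcome {name} ({login}), balance {balance}. {system("whoami")}';

echo renderNotification($tpl, $user), PHP_EOL;
print_r(findUnexpectedPlaceholders($tpl));
```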

Steps

  1. Log in with an admin user.

  2. Open the notification function and create a new notification. Set the trigger event to "User Login" and enter the POC "{system("ls")}" in the Content field.

  3. Log in again with the admin user, or create a new user account and log in with it. The output of the executed command appears on the notification page.