Teresazdy/CVE
CVE-2023-50162

Vulnerability: file write through SQL statement execution leading to remote code execution (RCE)

[NAME OF AFFECTED PRODUCT(S)]: EmpireCMS

[AFFECTED AND/OR FIXED VERSION(S)]: V7.5

[PROBLEM TYPE] File write through SQL statement execution leading to remote code execution (RCE)

[DESCRIPTION]

Access the administrative backend:

Execute the following SQL statement:

select '' into dumpfile '/Users/zhaozhouqiao/site/evil.php';

The file has been written successfully.

Then request evil.php to execute the written code.

Note: The prerequisite is that the MySQL variable secure_file_priv must be set to null.

Code Analysis:

First, the content of the POST request is passed directly to the DoExecSql function without any filtering.

Next, the content of the query variable is passed to DoRunQuery for execution.

The execution path applies no filtering and runs the user-supplied SQL statements directly.

Therefore, a user with access to this backend function can write arbitrary files (the report's "file upload") with statements such as SELECT ... INTO OUTFILE.

Mitigation Measures:

Set the MySQL variable secure_file_priv to NULL, which disables file export operations and so prevents this file write.
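As an added example (not code from this advisory or from EmpireCMS), the following Python carries the description and the code analysis above into two defender-side checks: how the three possible states of secure_file_priv bear on this report (MySQL documents NULL as disabling file import and export entirely, an empty value as leaving them unrestricted, and a directory as confining them to that directory), and a filter that an administrative SQL console could apply before handing a statement to the executor, or that a log audit could run afterwards, to catch statements carrying INTO OUTFILE or INTO DUMPFILE. The log format, user names and paths are constructed for illustration.

```python
"""Added example for this advisory (not EmpireCMS code): defender-side checks
for an admin SQL console that can write files with SELECT ... INTO OUTFILE/DUMPFILE.
All sample values are constructed for illustration."""
import re
from typing import Optional


def secure_file_priv_state(value: Optional[str]) -> str:
    """Interpret the MySQL variable as documented:
    NULL (Python None)  -> file import/export disabled (the mitigation setting)
    ''                  -> unrestricted: any path writable by the mysqld OS user
    '/some/dir/'        -> file reads and writes confined to that directory"""
    if value is None:
        return "disabled"
    if value.strip() == "":
        return "unrestricted"
    return "restricted"


# Comments and whitespace are normalised before matching so that the two
# keywords are recognised however they are spaced or separated.
_COMMENT_RE = re.compile(r"/\*.*?\*/|--[ \t][^\n]*|#[^\n]*", re.S)
_FILE_WRITE_RE = re.compile(r"\bINTO\s+(?:OUTFILE|DUMPFILE)\b", re.I)


def normalize_sql(sql: str) -> str:
    """Strip SQL comments and collapse runs of whitespace."""
    return re.sub(r"\s+", " ", _COMMENT_RE.sub(" ", sql)).strip()


def file_write_clauses(sql: str) -> list[str]:
    """Return the file-writing clauses present in a statement, upper-cased.
    Heuristic: string literals are not parsed, so a literal containing the
    words is also reported (a false positive is the safe direction here)."""
    normalized = normalize_sql(sql)
    return [re.sub(r"\s+", " ", m.group(0)).upper()
            for m in _FILE_WRITE_RE.finditer(normalized)]


def should_execute(sql: str, secure_file_priv: Optional[str]) -> tuple[bool, str]:
    """Gate a hardened admin console could apply before execution: refuse file
    writes regardless of server state (defence in depth) and record whether
    the server's secure_file_priv would itself have stopped the write."""
    clauses = file_write_clauses(sql)
    if not clauses:
        return True, "no file write"
    server = secure_file_priv_state(secure_file_priv)
    return False, f"refused {', '.join(clauses)} (server secure_file_priv: {server})"


# Constructed application log for the admin SQL-execution endpoint; the
# line format is invented for this example.
SAMPLE_LOG = """\
2024-05-01T10:00:01Z user=admin sql="SELECT COUNT(*) FROM users"
2024-05-01T10:00:07Z user=admin sql="select '' into dumpfile '/var/www/html/evil.php'"
2024-05-01T10:00:09Z user=editor sql="SELECT 1 INTO   OUTFILE '/var/www/html/x.php'"
2024-05-01T10:00:12Z user=admin sql="SELECT * FROM notes WHERE id = 7 -- into outfile"
"""
_LOG_RE = re.compile(r'^(?P<ts>\S+) user=(?P<user>\S+) sql="(?P<sql>.*)"$')


def audit_sql_log(log_text: str) -> list[dict]:
    """Report every logged statement that carries a file-writing clause."""
    findings = []
    for line in log_text.splitlines():
        m = _LOG_RE.match(line)
        if not m:
            continue
        clauses = file_write_clauses(m["sql"])
        if clauses:
            findings.append({"ts": m["ts"], "user": m["user"], "clauses": clauses})
    return findings


if __name__ == "__main__":
    for f in audit_sql_log(SAMPLE_LOG):
        print(f"{f['ts']} {f['user']}: {', '.join(f['clauses'])}")
    print(should_execute("select '' into dumpfile '/tmp/evil.php'", ""))
```

To apply the mitigation, put `secure_file_priv=NULL` in the `[mysqld]` section of the MySQL option file and restart the server; the variable is read-only at runtime. Confirm with `SHOW VARIABLES LIKE 'secure_file_priv'`: a Value of NULL corresponds to the "disabled" state above, while an empty Value is the unrestricted state in which the write described in this report succeeds.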
