[Bug]: Remote Command Execution #9

Open
Mn-blue opened this issue Mar 3, 2022 · 5 comments
Mn-blue commented Mar 3, 2022

baigoCMS Remote Command Execution

Description

When we are already logged in to the background, we can add a MIME type and then upload a webshell. In this way, we can remotely execute any system command on the web server.

Affected versions of baigoCMS

version: baigoCMS-3.0-alpha-2

PoC

1. Log in to the background and add a MIME type.

2. Upload a webshell.

It is recommended to use a one-sentence webshell, e.g.: [image]
Spliced website path: http://192.168.58.128/baigocms/public/attach/2022/03/7.php

3. Connect

Author

Mn-blue commented Mar 3, 2022

Repair method:

1. Set the directory where uploaded files are stored to non-executable permissions.
2. Restrict the MIME types that attackers can customize and add.
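
Added example, not part of the original comment and not baigoCMS code: one way to enforce the second repair item in PHP, by refusing admin-defined MIME entries that map to script extensions and re-checking every uploaded file name. The function names `is_mime_entry_allowed` and `safe_stored_name` and the extension list are assumptions made for illustration.

```php
<?php
declare(strict_types=1);

// Constructed list: extensions a web server may hand to an interpreter.
// Extend it to match the handlers configured on your own server.
const SCRIPT_EXTENSIONS = ['php', 'php3', 'php4', 'php5', 'php7', 'phtml', 'phar',
                           'pht', 'cgi', 'pl', 'py', 'sh', 'asp', 'aspx', 'jsp', 'htaccess'];

// Hypothetical check to run before an admin-defined MIME entry is saved.
function is_mime_entry_allowed(string $mime, array $extensions): bool
{
    // Refuse MIME types that name a server-side script language.
    if (preg_match('~^(application|text)/(x-)?(httpd-)?(php|sh|perl|python|cgi)\b~i', $mime)) {
        return false;
    }
    foreach ($extensions as $ext) {
        $ext = strtolower(ltrim(trim((string) $ext), '.'));
        if (!preg_match('/^[a-z0-9]+$/', $ext) || in_array($ext, SCRIPT_EXTENSIONS, true)) {
            return false;
        }
    }
    return $extensions !== [];
}

// Hypothetical upload-time check. Every dot-separated part after the base name is
// tested, so "7.PHP" and "7.php.jpg" are both refused. Returns a server-generated
// file name, or null when the upload must be rejected.
function safe_stored_name(string $clientName, array $allowedExtensions): ?string
{
    $parts = explode('.', strtolower(basename($clientName)));
    array_shift($parts);                       // drop the base name
    if ($parts === [] || array_intersect($parts, SCRIPT_EXTENSIONS) !== []) {
        return null;
    }
    $final = end($parts);
    if (!in_array($final, $allowedExtensions, true)) {
        return null;
    }
    return bin2hex(random_bytes(16)) . '.' . $final;   // never reuse the client's name
}

// Constructed sample input.
$allowed = ['jpg', 'png', 'pdf'];
foreach (['photo.jpg', '7.php', '7.PHP', '7.php.jpg', '.htaccess', 'notes'] as $name) {
    printf("%-12s => %s\n", $name, var_export(safe_stored_name($name, $allowed), true));
}
var_dump(is_mime_entry_allowed('image/webp', ['webp']));
var_dump(is_mime_entry_allowed('application/x-httpd-php', ['php']));
```

This covers only the application side; the first repair item, making the upload directory non-executable, is still set in the web server or file system configuration.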

@fonering
Contributor

Why don't you mention that FTP can also upload PHP files?

@fonering
Contributor

Also, is the execute permission of the upload directory determined by the CMS system?

Author

Mn-blue commented Mar 29, 2022

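Although FTP can upload PHP files, they will not be parsed and executed; here, script files can be uploaded and then parsed and executed, which poses a certain risk.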

Author

Mn-blue commented Mar 29, 2022

Besides, the original intent of the attachment upload feature presumably did not include uploading dangerous script files.
