$file = $_FILES["file"]["tmp_name"];
// Clean up existing area
$cache_root = SERVER_ROOT."cache/package/";
// Unzip the extension
include BigTree::path("inc/lib/pclzip.php");
$zip = new PclZip($file);
// See if this was downloaded off GitHub (will have a single root folder)
$zip_root = BigTreeUpdater::zipRoot($zip);
if ($zip_root) {
    $files = $zip->extract(PCLZIP_OPT_PATH,$cache_root,PCLZIP_OPT_REMOVE_PATH,$zip_root);
} else {
    $files = $zip->extract(PCLZIP_OPT_PATH,$cache_root);
}
We can upload a zip file containing PHP code, which is then unpacked to SERVER_ROOT/cache/package/xxx/yyy.php
POC:
1. Build extension
2. Add modules, templates, callouts, field types, feeds, and settings to your extension.
3. Add additional files to your extension.
4. Create extension
5. Download extension (a zip file)
6. Modify a PHP file in the extension (a zip file) to contain webshell content
7. Install extension (only upload, do not install, to prevent it being deleted)
8. The shell is in SERVER_ROOT/cache/package/xxx/yyy.php
The same vulnerability exists in the file \BigTree-CMS-4.2.18\core\admin\modules\developer\packages\install\unpack.php
Multiple security issues of PHP code execution exist in BigTree CMS less than 4.2.18
FILE:
\BigTree-CMS-4.2.18\core\admin\modules\developer\extensions\install\unpack.php
thank you~
email : xfkxfk@secbook.net
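
An added example, not part of the original report and not BigTree's own code: one way to stage an uploaded extension archive so its contents are never written under a web-served directory such as SERVER_ROOT/cache/package/. It assumes PHP 7+ with the bundled ZipArchive class (instead of the PclZip library used in the quoted code); the function name `stage_extension_upload` and both path parameters are hypothetical.

```php
<?php
// Added example, not BigTree's code. Assumes PHP 7+ and the ZipArchive extension.
// stage_extension_upload(), $staging_base and $web_root are hypothetical names.

function stage_extension_upload(string $zip_path, string $staging_base, string $web_root): string
{
    $base = realpath($staging_base);
    $root = realpath($web_root);
    if ($base === false || $root === false) {
        throw new RuntimeException("Staging base and web root must both exist");
    }
    // Refuse to unpack anywhere the web server could serve (and execute) files from.
    if (strpos($base . DIRECTORY_SEPARATOR, $root . DIRECTORY_SEPARATOR) === 0) {
        throw new RuntimeException("Staging directory must be outside the web root");
    }

    $zip = new ZipArchive();
    if ($zip->open($zip_path) !== true) {
        throw new RuntimeException("Upload is not a readable zip archive");
    }
    try {
        for ($i = 0; $i < $zip->numFiles; $i++) {
            $name = $zip->getNameIndex($i);
            // Reject absolute paths, drive letters, backslashes and ".." segments.
            if ($name === false || $name === "" || $name[0] === "/"
                || strpos($name, "\\") !== false
                || preg_match('#^[A-Za-z]:#', $name)
                || preg_match('#(^|/)\.\.(/|$)#', $name)) {
                throw new RuntimeException("Unsafe entry name in archive");
            }
        }
        // Unpredictable, private directory per upload.
        $target = $base . DIRECTORY_SEPARATOR . bin2hex(random_bytes(16));
        if (!mkdir($target, 0700)) {
            throw new RuntimeException("Cannot create staging directory");
        }
        if (!$zip->extractTo($target)) {
            throw new RuntimeException("Extraction failed");
        }
        return $target;
    } finally {
        $zip->close();
    }
}
```

The caller should delete the returned directory whenever installation is cancelled or fails, so that an upload that is never installed does not leave files behind.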