
There is an arbitrary file writing vulnerability in the HYBBS production plugin function #34

Open
shmilylty opened this issue Feb 7, 2022 · 0 comments


Vulnerability overview

There is an arbitrary file write vulnerability in the plugin creation function of the HYBBS admin backend, which allows server permissions to be obtained.

Vulnerability scope

All versions prior to HYBBS 2.3.3

Vulnerability environment construction

Clone the latest HYBBS source repository locally, then use phpstudy to set up HYBBS.

Vulnerability reproduction steps

Fill in `test', phpinfo(),'` in the plugin description, and click the OK button.

[Screenshot: 2022-02-07-17-41-10]

The page then reports that the plugin was created successfully.

[Screenshot: 2022-02-07-17-43-32]

From the folder-monitoring software log, you can see that the program created the malicious file conf.php.

[Screenshot: 2022-02-07-17-45-22]

[Screenshot: 2022-02-07-17-45-59]

Vulnerability code analysis

Locate the code that implements the plugin creation function.

[Screenshot: 2022-02-07-17-48-35]

It can be seen that the program directly writes the plugin-related configuration information to conf.php without any security filtering, resulting in an arbitrary file writing vulnerability.
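The pattern the report describes, shown as an added PHP example that is not HYBBS code: a constructed conf.php generator that concatenates the plugin description straight into PHP source, beside a hardened version that validates the name and serialises the metadata with var_export(). The function names and the $plugin array are assumptions made for this illustration.

```php
<?php
// Added example, not HYBBS code. buildConfUnsafe(), buildConfSafe() and
// $plugin are assumed names for this illustration.

// Pattern described in the report: the description is interpolated directly
// into PHP source. A description such as  test', phpinfo(),'  closes the
// string literal, so phpinfo() becomes an array element expression that is
// evaluated every time conf.php is included.
function buildConfUnsafe(array $plugin): string
{
    return "<?php\nreturn ['name' => '{$plugin['name']}', "
         . "'description' => '{$plugin['description']}'];\n";
}

// Hardened form: allow-list the identifier field and let var_export() emit
// the whole array as properly escaped PHP literals, so user-controlled text
// can only ever be a string value, never code.
function buildConfSafe(array $plugin): string
{
    if (!preg_match('/^[A-Za-z0-9_]{1,32}$/', $plugin['name'])) {
        throw new InvalidArgumentException('plugin name must match [A-Za-z0-9_]{1,32}');
    }
    $data = [
        'name'        => $plugin['name'],
        'description' => (string) $plugin['description'],
    ];
    return "<?php\nreturn " . var_export($data, true) . ";\n";
}

// Constructed sample input mirroring the reproduction step above.
$plugin = ['name' => 'test', 'description' => "test', phpinfo(),'"];

echo buildConfUnsafe($plugin), "\n";
// ... 'description' => 'test', phpinfo(),''];   <- phpinfo() is executed on include

echo buildConfSafe($plugin), "\n";
// ... 'description' => 'test\', phpinfo(),\'',   <- stays an inert string

// When persisting, write atomically and exclusively, e.g.
// file_put_contents($path, buildConfSafe($plugin), LOCK_EX);
// Storing the metadata as JSON (json_encode/json_decode) instead of a PHP
// file removes the code-generation step entirely.
```

The var_export() output escapes both the single quote and the backslash, which is what keeps the description a data value; a generated PHP file is still executable code, so the stronger fix is to store plugin metadata in a non-executable format and parse it at load time.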

@shmilylty shmilylty changed the title There is an arbitrary file writing vulnerability in the HYBBS production plug-in function There is an arbitrary file writing vulnerability in the HYBBS production plugin function Feb 7, 2022