PTMS
Author
Qerogram
Version
Vulnerability
RCE(Remote Code Execution) via File Upload
Chains the three vulnerabilities below and uses them.
- Insecure Permission Check
It does not check user permission when using the arbitrary file writing function. - Arbitrary File Write Function
Limited arbitrary file write function exists.(Possible extension, "html".)
- Local File Include
the error handling page with the extension "html" is loaded through the keyword "include".
Therefore, we can overwrite the "404.html" file, which is an error handler page, with a webshell payload, as if overwriting the SEH handler code, and then invoke the error page to trigger an RCE vulnerability.