New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

There is a "Unsafe Unzip" vulnerability that can get webshell #13

Closed
fupinglee opened this Issue Jun 27, 2018 · 3 comments

Comments

3 participants
@fupinglee

fupinglee commented Jun 27, 2018

ver: V4.0.20180210
using a specially crafted zip archive, that holds path traversal filenames.when you used unzip method you will get a shell

a zip looks like this:
02

the path you will get from there:
01
(so,your website true path is 'C:\tomcat\apache-tomcat-7.0.81\apache-tomcat-7.0.81\webapps\publiccms')

upload and unzip

03

04

'cmd.jsp' will write into your server

05

Execute the command
06

shell.zip

@unh3x

This comment has been minimized.

unh3x commented Jun 28, 2018

So it's a shell upload in background, requires administrator authorization?

@fupinglee

This comment has been minimized.

fupinglee commented Jun 28, 2018

@unh3x
need open upload and unzip

07

sanluan pushed a commit that referenced this issue Jun 28, 2018

sanluan
#13
bugfix

sanluan pushed a commit that referenced this issue Jun 28, 2018

sanluan
#13
Unsafe Unzip bug fix

sanluan pushed a commit that referenced this issue Jun 28, 2018

@sanluan

This comment has been minimized.

Owner

sanluan commented Jun 28, 2018

After fixing the bug,a zip file like this:
1
Upload and decompress or decompress here
2
The files will be put here when they are decompress
3
The files will be put here when they are decompress here
4

@sanluan sanluan closed this Jun 29, 2018

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment